Jimmy Shah
Jimmy Shah is a Mobile Security Researcher for McAfee, specializing in analysis of mobile threats on existing ...
Nearly two years ago the first attempt at creating iPhone malware was seen. That was an attack against jailbroken iPhones. This month, although the shenanigans are still targeting jailbroken iPhones, things got a bit more complicated.
Last week saw someone in the Netherlands attempting to extort iPhone owners. The attacker scanned his mobile phone carrier's network looking for jailbroken iPhones. Once he located a phone running the secure shell (SSH) service, he attempted to log in using the default root account password. Instead of quietly reading or copying the user's SMS messages and emails, he decided to be a nice guy and replace their wallpaper with a demand for €5 (approximately $7) to secure their iPhone. His PayPal account was shut down and he quickly put up instructions for changing the password on his site.
This week also saw the release of a worm by an Australian malware author using the handle 'ikee'. It exploits the same default root password weakness used by the Netherlands attacker. The worm family is now called OSX/RRoll. It's notable for replacing your wallpaper with an image of Rick Astley and a message from the author. After changing the background image, OSX/RRoll.A-B deletes the binary of the SSH daemon (service) and terminates its process. This serves the dual purpose of closing the hole that allowed infection and preventing reinfection by the worm or other attackers.
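The propagation pattern described above (one source on the carrier network attempting root password logins over SSH against many handsets) is easy to spot in sshd logs. The following Python is an added example, not code from the original post or from McAfee: it parses constructed sshd log lines and flags both accepted root password logins and sources that touched several distinct devices. It assumes the logs are forwarded to a central collector, since a worm that deletes the SSH daemon would not leave a long on-device trail; the hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post). They model
# a single source on the carrier network trying the root account over SSH
# against several handsets, plus one benign key-based login from another user.
SAMPLE_LOG = """\
Nov  8 10:01:02 iphone-1 sshd[201]: Failed password for root from 10.20.1.5 port 41022 ssh2
Nov  8 10:01:03 iphone-1 sshd[201]: Accepted password for root from 10.20.1.5 port 41022 ssh2
Nov  8 10:01:09 iphone-2 sshd[310]: Accepted password for root from 10.20.1.5 port 41031 ssh2
Nov  8 10:01:15 iphone-3 sshd[118]: Failed password for root from 10.20.1.5 port 41040 ssh2
Nov  8 10:02:00 iphone-4 sshd[222]: Accepted publickey for mobile from 10.20.7.9 port 50000 ssh2
Nov  8 10:03:44 iphone-5 sshd[140]: Accepted password for root from 10.20.1.5 port 41077 ssh2
"""

# syslog-style sshd authentication line: timestamp, host, result, method, user, source
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_sshd_log(text):
    """Parse sshd authentication lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def root_password_logins(events):
    """Every accepted *password* login as root is a finding on a handset that
    should either have no SSH at all or a non-default root password."""
    return [
        e for e in events
        if e["result"] == "Accepted" and e["user"] == "root" and e["method"] == "password"
    ]


def worm_like_sources(events, min_hosts=3):
    """Sources that attempted root logins (failed or accepted) against at least
    min_hosts distinct devices: the scanning behaviour of a worm, not a user."""
    hosts_by_src = defaultdict(set)
    for e in events:
        if e["user"] == "root":
            hosts_by_src[e["src"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    for e in root_password_logins(evs):
        print(f"root password login on {e['host']} from {e['src']} at {e['ts']}")
    for src, hosts in worm_like_sources(evs).items():
        print(f"worm-like scanner {src} hit {len(hosts)} devices: {', '.join(hosts)}")
```

On the sample data the first check reports three accepted root password logins and the second reports 10.20.1.5 as having tried root against four different handsets. The threshold in `worm_like_sources` is deliberately low because a legitimate administrator does not log in as root on other people's phones; tune it to the size of the address range being watched.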
Background image displayed while the iPhone is locked. (Simulated)

Background image displayed during a phone call. (Simulated)
Potential Legal Issues
The malware author gave an interview earlier in the week in which he explains that there are four variants in the wild. While he was willing to share the source code with his interviewer, he expressed concern about its public release:
[10:13] <ikee> [...](I don’t know if its so wise posting the code online, nefarious people that otherwise would not have had the chance could modify it to be quite destructive)
Fortunately the interviewer soon removed public access to the Google Code project.
The concern shown by ikee is certainly good to see and suggests that perhaps he views malware creation as a bad idea. What is odd is that he doesn't think he will run into any trouble with the authorities, unlike our friend from the Netherlands.
From ikee’s interview:
[09:39] <JD> Are you aware of the possible legal consequences of this (the [OSX/RRoll worm])? Are you concerned?
[09:40] <ikee> I’d like to think I’m aware, and also I highly doubt I’m in any real trouble (So no not concerned)
It seems Australia actually has a number of laws concerning high-tech crime, and ikee may eventually have a conversation with the Australian Federal Police. But who knows, as I am not a lawyer.
Prevention
OSX/RRoll.A-B only targets jailbroken iPhones on the networks of three mobile carriers in Australia. If you've installed the SSH service on your iPhone but neglected to change your root password from the well-known default, you're likely to be at risk from attackers.
Users can reduce their risk by:
Future threats
The source code for both versions of OSX/RRoll was available from a Google Code project for a little while earlier this week. Once you have working source code for a worm, it can be straightforward to add more malicious actions.
As with the first attempt at iPhone malware, which exploited an installer application for jailbroken iPhones, OSX/RRoll.B exploits the Cydia installer application. Where the earlier Installer application dealt only in free applications developed with the unofficial iPhone SDK, Cydia also provides the ability to buy applications through the Cydia Store. With the possibility of making money (application sales) and possibly lax security (unchanged default root passwords), attackers may see an opportunity in targeting applications like Cydia.