
We reported yesterday about a worm that affects jailbroken iPhones, stealing personal data, directing users to phishing sites, and creating a botnet. Intego’s security specialists have analyzed the code of the iBotnet worm and have found striking similarities with the ikee worm, which we discussed on November 9. What this means is that the newer worm, iBotnet, has used some of the code that was published on-line after the ikee worm was discovered.
The creator of the ikee worm thought that his malware was a mere prank, and could alert iPhone users who jailbreak their phones to the security risks they run. However, his releasing the code publicly had the effect that we expected: malware writers – the malicious ones – took advantage of his work to create new, more dangerous malware.
At the risk of repeating ourselves, we’d like to reiterate what we said yesterday: users who jailbreak their iPhones are exposing themselves to known vulnerabilities that are being exploited by code that is circulating in the wild. If users install ssh, they should change the default password, which is widely known.
Apple agrees with us. In a statement published on The Loop, an Apple spokesperson said, “As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably.”
Intego feels that we have not seen the end of malware attacking jailbroken iPhones. They’re an easy target, and effective code is widely available. So think very carefully before you jailbreak your iPhone, and take the necessary security precautions: change your root password!
Malware: iPhone/iBotnet.A
Discovered: November 21, 2009
Risk: Medium
Description: For the third time this month, malware targeting the iPhone has surfaced. The first such malware changed wallpaper on iPhones, and the second harvested personal data from iPhones. This new malware, which Intego calls iBotnet.A, is by far the most sophisticated iPhone malware yet: it is not only a worm, capable of spreading across a network, but also hijacks iPhones or iPod touches for use in a botnet.

It is important to note that standard, non-jailbroken iPhones or iPod touches are not at risk; it is extremely dangerous to jailbreak an iPhone because of the vulnerabilities that this process creates. (Estimates suggest that 6-8% of iPhones are jailbroken.) Jailbroken iPhones at risk are those where ssh is installed, and where the default password has not been changed.
This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary and Australia; if an appropriately unprotected iPhone is found, the worm copies itself to that device.
When active on an iPhone, the iBotnet worm changes the root password for the device (from “alpine” to “ohshit”), in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone. The worm sends both network information about the iPhone and SMS messages to the remote server. It is also capable of downloading new files, including executables that it runs to carry out its actions, which gives infected devices their botnet capabilities. (A botnet is a network of infected computers or devices that can be controlled by hackers to attack other computers, serve malware, send spam, serve pages or images, and much more.)
The worm also gives each infected iPhone a unique identifier; this allows it to reconnect easily to any iPhone on which valuable information is found, and also ensures that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhone’s /etc/hosts file for a Dutch bank web site, to lead Dutch users who connect to this bank site to a bogus site, presumably to harvest user names and passwords.
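The /etc/hosts tampering described above is something a defender can check for directly. The following is an added example, not Intego’s code or part of the original post: it parses a hosts file and reports every name that is not expected in a stock file, labelling whether the entry redirects traffic to another host or blackholes it. The sample file, the bank hostname and the address it points to are constructed placeholders, and the assumption that a stock iPhone hosts file contains only localhost and broadcasthost entries is mine.

```python
import ipaddress

# Constructed sample hosts file (not a real capture): the stock localhost
# entries plus one override of the kind the worm adds. The bank hostname and
# the address it points to are placeholders.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.45    www.example-bank.nl    # injected line
"""

# Names assumed to be present in an unmodified /etc/hosts (assumption).
STOCK_NAMES = {"localhost", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, [hostnames]) for every non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if line:
            addr, *names = line.split()
            yield addr, names


def classify(addr):
    """Describe what an override does: 'redirect' sends traffic to another
    host, 'blackhole' sends it nowhere (loopback or unspecified address)."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop "%lo0" zone id
    except ValueError:
        return "unparseable"
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"
    return "redirect"


def find_hosts_overrides(text):
    """Return (hostname, address, kind) for every name that is not expected
    in a stock hosts file; on an iPhone any such entry deserves a look."""
    return [
        (name, addr, classify(addr))
        for addr, names in parse_hosts(text)
        for name in names
        if name not in STOCK_NAMES
    ]


if __name__ == "__main__":
    for name, addr, kind in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {addr}")
```

Run it against a copy of the device’s /etc/hosts pulled over ssh; an empty result means no non-stock names were found, which is what a clean file should produce.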
Means of protection: Intego VirusBarrier X5 detects and eradicates this malware, which it identifies as iPhone/iBotnet.A, on iPhones that it can scan from Macs with VirusBarrier X5 installed, with its virus definitions dated November 22, 2009 or later. The only other way to remove this malware is to totally wipe and restore the iPhone using iTunes.
We would like to stress that users who jailbreak their iPhones are exposing themselves to known vulnerabilities that are being exploited by code that is circulating in the wild. If users install ssh, they should change the default password, which is widely known. While the number of iPhones attacked may be minimal, the amount of personal data that can be compromised, and the ability of this new worm to create a botnet, strongly suggest that iPhone users should stick with their stock configurations and not jailbreak their devices.
Intego thanks Scott McIntyre, Chief Security Officer of the Dutch ISP XS4ALL, for his help in isolating and analyzing this worm.

The Firefox web browser is appreciated by many users for the large number of add-ons that are available. These plug-ins are easily installed, and add functionality: for example, you can add an ad-banner filter, tools to block javascript, web developer tools and much more. But add-ons can be security risks, and may also affect the stability of the program.
A new feature, called Component Directory Lockdown, will be added to Firefox 3.6. This feature will help prevent crashes, and will prevent rogue add-ons from being installed.
Both of these are excellent reasons to make this change. Web browsers are often at the mercy of add-ons and plug-ins; for example, Apple made changes to its Safari web browser to prevent crashes caused by plug-ins, especially Flash Player.
As users try to extend the functionality of their browsers, there will need to be more tools that protect them and their software from incompatibility and security risks, and this move by the Mozilla Foundation is a good step forward.

Just after issuing a mammoth security update for Mac OS X, Apple has released an update to its Safari web browser, which contains a number of security fixes. The update corrects several WebKit issues as well as other flaws, and there are fixes for both the Mac and Windows versions of Safari.
Users can download the latest version of Safari here, or update automatically using Software Update. More information about this security update is available here.
Exploit: iPhone/Privacy.A
Discovered: November 10, 2009
Risk: Low
Description: Following the recent discovery of a worm that changes wallpaper on iPhones, Intego has spotted another piece of malware that attacks iPhones, one that is far more dangerous than the ikee worm. This hacker tool, which Intego identifies as iPhone/Privacy.A, takes advantage of the same vulnerability in the iPhone as the ikee worm, allowing hackers to connect to any jailbroken iPhone or iPod touch (iPhones or iPod touches hacked to allow installation of software other than through iTunes) whose owners have not changed the root password.

It is important to note that standard, non-jailbroken iPhones are not at risk; it is extremely dangerous to jailbreak an iPhone because of the vulnerabilities that this process creates. (Estimates suggest that 6-8% of iPhones are jailbroken.)
When connecting to a jailbroken iPhone, this tool allows a hacker to silently copy a treasure trove of user data from a compromised iPhone: e-mail, contacts, SMSs, calendars, photos, music files, videos, as well as any data recorded by any iPhone app. Unlike the ikee worm, which signals its presence by changing the iPhone’s wallpaper, this hacker tool gives no indication that it has invaded an iPhone.
Hackers using this tool, written in Python, will install it on a computer – Mac, PC, Unix or Linux – then let it work. It scans the network accessible to it, and when it finds a jailbroken iPhone, breaks into it, then steals data and records it.
This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or, a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the wifi network in search of data. Hackers could even install this tool on their own iPhones, or other smartphones, and use it to scan for jailbroken phones as they go about their daily business.
Means of protection: Intego VirusBarrier X5 detects and eradicates this program on Macs, and identifies it as iPhone/Privacy.A. While it is not possible to protect the iPhone from this hacker tool – it does not install anything on an iPhone – VirusBarrier X5 can ensure that Macs, especially in businesses, are protected from this hacker tool being installed.
We would like to stress that users who jailbreak their iPhones are exposing themselves to known vulnerabilities that are being exploited by code that is circulating in the wild. While the number of iPhones attacked may be minimal, the amount of personal data that can be compromised strongly suggests that iPhone users should stick with their stock configuration and not jailbreak their devices.

Microsoft has issued updates for the two versions of Office that it supports for Mac OS X, both of which contain both general fixes and security patches. The Microsoft Office 2008 for Mac 12.2.3 Update and Microsoft Office 2004 for Mac 11.5.6 Update fix “vulnerabilities in Office … that an attacker can use to overwrite the contents of your computer’s memory with malicious code.” More specifically, “The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.” In addition, there is a “vulnerability that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Downloads are available here for Office 2008 and here for Office 2004. They are 350 MB and 16.6 MB respectively. (Obviously the Office 2008 update is much more than just a security update.)