A source who's seen the worm in the wild tells Macworld that, after compromising the phone, the worm goes on to replace the phone's copy of the SSH remote login software, changes the root password (so you can't stop the worm without wiping the phone), skims your SMS database, checks in with its Lithuania-based overlords via the network, and then starts running a piece of software that searches for other vulnerable phones on both the local network and known IP address ranges of specific Internet Service Providers (mostly European). Somebody should have told the worm that nobody likes overachievers.
Our source also told us that though the worm seems to include code for uploading the SMS database to the worm's creators, it wasn't active in the version he saw. However, the worm can also download further files over the network, meaning it could potentially add other attack capabilities.
For users, the main visible symptom seems to be intense battery drain as a result of the constantly-running ssh-attacking process that the worm starts. Apparently, the reduction in battery life has been so severe that it's even caused some infected users to wipe and restore their handsets without even realizing that the worm was installed.
Security firm Intego is reporting that the worm also changes routing information on the phone so that customers of a particular Dutch bank trying to access their accounts will be redirected to a fake site, where they will be prompted to enter their login credentials--which will then be transmitted to the worm's creators. Intego also suggests that the aforementioned SMS upload capability is active in some versions of the worm.
This is probably the nastiest iPhone threat we've seen so far. If you have jailbroken your phone or are even thinking about jailbreaking your phone, it is imperative that you change your root password--we've even got a tutorial to show you just how to do that. And, as before, those who haven't jailbroken their phone are immune from this new exploit.
No comments:
Post a Comment