iPhone Viruses: Ikee.b Worm

By the time iOS 2 appeared, the iPhone could already do impressive things. It also turned out that jailbreaking largely removes the phone’s defenses: the whole security architecture, code signing included, stops protecting the device. Antivirus apps exist for jailbroken iPhones, but they do not restore the protections that jailbreaking disables. Rooting also widens the attack surface by adding software, including utilities such as a shell and package installers that run as root and can install anything.

Switching code signing off also disables the strong form of Data Execution Prevention (DEP) that iOS enforces. On a stock device an attacker cannot get their own code to run and has to fall back on Return Oriented Programming (ROP), chaining together pieces of existing signed code; on a jailbroken iPhone, with DEP gone, ordinary shellcode can be written into memory and executed. Finally, apps installed through the jailbreak are not sandboxed. So jailbreaking turns off the device’s security as a whole, not just code signing. If you are not familiar with how iPhone viruses work, read this article first for the general background.

So it is no wonder that jailbroken devices became a target for several attacks. The Ikee worm and its Ikee.A, Ikee.B, Ikee.C and Ikee.D variants (other names and related incidents from the same weeks include the Dutch ransom hack, iPhone/Privacy.A, and Duh, the name some vendors gave Ikee.B) crawled into iPhones through SSH. Against a device that runs an SSH server with the default root password, that is five minutes’ work for a schoolboy. The Ikee worm evolved through four stages:

  • Ikee.a
  • Ikee.b
  • Ikee.c
  • Ikee.d

Since Ikee.B is the most developed version of the worm, with the most functions, we will analyze this version in depth.

Ikee.B Virus

Here is the analysis of the Ikee.B virus that hit iPhone users in Europe and Australia in November 2009. Shortly after the Ikee.A “party”, the modified version went into action. Released in the Netherlands, it was uploaded over SSH to unsecured devices that still had the default root password; the scans covered T-Mobile’s Dutch IP range, and every vulnerable device found there was infected. The same SSH entry point had already been used earlier that month by a Dutch teenager who left this message on the phones he broke into:

[Image: ransom message displayed on a hacked iPhone]

He demanded about $5 (4.95 euros) from each victim to make the device “safe” again; within days he backed down, apologized and offered refunds.

Ikee.B was built on the same design as Ikee.A but with one significant addition: command and control (C&C) logic that lets a botmaster manage all infected iPhones, which turns them into a botnet. Besides self-propagating, the Ikee.B bot runs a C&C check-in service through which the botmaster can push shell commands to every infected iPhone and execute them there. Bots are programmed to contact a C&C server in Lithuania every 5 minutes for new control commands (shell scripts for the iPhone), so the botmaster can extend the bot’s logic over time and redirect it to other servers around the world.
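The 5-minute check-in described above is visible on the network as a regular beacon. The following is an added example for this article, not code from the worm, the SRI analysis or the article’s author: it takes connection records as epoch,src,dst,dport lines, groups them per source/destination pair and flags pairs whose inter-arrival gaps cluster tightly around one value. The flow records are constructed sample data, the destination port 80 and the thresholds (at least 6 connections, every gap within 10% of the median) are assumptions, and 92.61.38.16 is the C&C address the article names below.

```python
"""Spot the periodic C&C check-in in connection records.

Added example for this article, not code from the worm, the article or
SRI. A bot that polls its server every 5 minutes leaves a train of
connections with near-constant spacing; human traffic to the same
destination does not. The records below are constructed sample data.
"""
from collections import defaultdict
from statistics import median

CNC_IP = "92.61.38.16"   # botnet server named in the article

# Constructed flows: epoch,src,dst,dport. Port 80 for the C&C traffic is an
# assumption; 198.51.100.7 is a documentation address standing in for a web site.
SAMPLE_FLOWS = """\
1258887600,10.0.0.23,92.61.38.16,80
1258887630,10.0.0.23,198.51.100.7,443
1258887710,10.0.0.23,198.51.100.7,443
1258887901,10.0.0.23,92.61.38.16,80
1258888199,10.0.0.23,92.61.38.16,80
1258888330,10.0.0.23,198.51.100.7,443
1258888350,10.0.0.23,198.51.100.7,443
1258888502,10.0.0.23,92.61.38.16,80
1258888800,10.0.0.23,92.61.38.16,80
1258889101,10.0.0.23,92.61.38.16,80
1258889150,10.0.0.23,198.51.100.7,443
1258889155,10.0.0.23,198.51.100.7,443
1258889398,10.0.0.23,92.61.38.16,80
1258887650,10.0.0.24,198.51.100.7,443
1258888400,10.0.0.24,198.51.100.7,443
1258889900,10.0.0.24,198.51.100.7,443
"""


def parse_flows(text: str) -> list[tuple[int, str, str, int]]:
    """Parse 'epoch,src,dst,dport' lines, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def beaconing_pairs(flows, min_events: int = 6, max_spread: float = 0.10) -> dict:
    """Return {(src, dst): median_gap_seconds} for pairs whose connections are
    regularly spaced: at least min_events connections and every gap within
    max_spread of the median gap. Both thresholds are tuning assumptions."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport in flows:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue                     # too few samples to call it periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_spread * med for g in gaps):
            hits[pair] = med
    return hits


if __name__ == "__main__":
    for (src, dst), gap in beaconing_pairs(parse_flows(SAMPLE_FLOWS)).items():
        tag = " <- known Ikee.B C&C" if dst == CNC_IP else ""
        print(f"{src} -> {dst}: every ~{gap:.0f}s{tag}")
```

In the sample, 10.0.0.23 talks to the C&C seven times at roughly 300-second spacing and is flagged, while its irregular browsing to 198.51.100.7 and the three scattered connections from 10.0.0.24 are not. Replace SAMPLE_FLOWS with exported NetFlow or firewall records to run it against real traffic.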

Ikee.B Code Research

To see what the worm’s code looks like and to reverse engineer it, two methods were combined: manual and automated analysis. IDA Pro was used to disassemble the two ARM binaries written for the iPhone, and the IDA Pro plugin Desquirr was used to recognize the start and end of the functions compiled for the ARM processor. Because the basic decompiler was not enough for all the analysis purposes, its functionality was extended. The image below describes how Ikee.B works.

[Image: Ikee.B working scheme]

The process starts with an attacker, itself a remotely infected iPhone, finding a potential victim: another iPhone with an active Internet connection, SSH enabled and the default root password. Once such a device is found, the attacker logs in remotely and extracts the install files into the directory

/private/var/mobile/home

Ikee.B is now ready to be installed. Installation is done by the inst shell script, which creates an Ikee directory on the infected device and installs the com.apple.ksyslog.plist and com.apple.period.plist launchd property lists (their names mimic Apple’s own system jobs). The script can also archive all SMS messages on the iPhone and send them to servers in Lithuania, although this function was disabled in the version released on the Internet. It also changes the default root password, so other attackers using the default credentials can no longer get in.

Ikee.B Propagation and Botnet Control Logic

Ikee.B propagates as follows: it scans specific Internet IP address ranges for SSH services (port 22/TCP) and tries to log in to each responding service as root with the password ‘alpine’. The scanning and infection logic lives in a binary named sshd, which the com.apple.ksyslog property list configures to start at boot (RunAtLoad) and to be restarted if it dies (KeepAlive). As soon as a vulnerable iPhone with SSH enabled is found, sshd uploads and unpacks a copy of the Ikee.B package, six files in all, to the victim’s iPhone and then runs the inst script.

Ikee.B clients are programmed to communicate with a dedicated botnet server at IP address 92.61.38.16. Ikee.B connects there so the botmaster can send new script logic to the infected iPhones; the script can be customized for a specific bot client based on its individual client ID. The botnet install script also installs the com.apple.period.plist property list, which makes the infected device run the syslog shell script once every 5 minutes.
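The install, persistence and propagation details above (the drop directory, the inst script, the sshd and syslog files, the com.apple.ksyslog and com.apple.period launchd jobs, and the ‘alpine’ default password) add up to a short host-based checklist. The following is an added example for this article, not code from the worm, the SRI analysis or the article’s author. Pointed at a filesystem root (/ on a jailbroken phone, or a copied filesystem image), it reports the drop directory, any launchd job with one of the two names or, more generally, any LaunchDaemons job that executes something out of the drop directory (so a renamed copy is still caught), and a root account whose master.passwd hash is still the factory default. Two things are assumptions not stated on the page: that the plists are installed in /System/Library/LaunchDaemons, and that the factory crypt(3) hash for ‘alpine’ is the widely published value ‘/smx7MYTQIi2M’. The sample filesystem the script builds for itself is constructed demo data.

```python
"""Host-based check for the Ikee.B artifacts named in the article.

Added example; not code from the worm, the article or SRI. scan(root)
reports the drop directory, suspicious launchd jobs and a still-default
root password. LAUNCHD_DIR and DEFAULT_ROOT_HASH are assumptions.
"""
import plistlib
import tempfile
from pathlib import Path

DROP_DIR = Path("private/var/mobile/home")            # from the article
LAUNCHD_DIR = Path("System/Library/LaunchDaemons")     # assumption
SUSPECT_PLISTS = {"com.apple.ksyslog.plist", "com.apple.period.plist"}
DEFAULT_ROOT_HASH = "/smx7MYTQIi2M"                    # assumed crypt(3) hash of 'alpine'
PERSISTENCE_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval")


def _targets(job: dict) -> list[str]:
    """Every path a launchd job may execute: Program plus all ProgramArguments."""
    targets = []
    if job.get("Program"):
        targets.append(str(job["Program"]))
    targets.extend(str(a) for a in job.get("ProgramArguments", []))
    return targets


def scan(root) -> list[str]:
    """Return one human-readable finding per Ikee.B indicator found under root."""
    root = Path(root)
    findings = []

    drop = root / DROP_DIR
    if drop.is_dir():
        names = ", ".join(sorted(p.name for p in drop.iterdir())) or "empty"
        findings.append(f"drop directory /{DROP_DIR} present: {names}")

    ld = root / LAUNCHD_DIR
    if ld.is_dir():
        for plist in sorted(ld.glob("*.plist")):
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:          # a damaged plist is itself worth a look
                findings.append(f"unparseable launchd job {plist.name}: {exc}")
                continue
            from_drop = [t for t in _targets(job) if t.startswith(f"/{DROP_DIR}")]
            if plist.name in SUSPECT_PLISTS or from_drop:
                keys = "+".join(k for k in PERSISTENCE_KEYS if job.get(k)) or "none"
                findings.append(
                    f"launchd job {plist.name} runs {' '.join(_targets(job))} ({keys})")

    passwd = root / "etc/master.passwd"
    if passwd.is_file():
        for line in passwd.read_text().splitlines():
            fields = line.split(":")
            if len(fields) > 1 and fields[0] == "root" and fields[1] == DEFAULT_ROOT_HASH:
                findings.append("root password is still the factory default 'alpine'")
    return findings


def build_sample_root(infected: bool = True) -> str:
    """Constructed filesystem for the demo (sample data, not a real device image)."""
    root = Path(tempfile.mkdtemp(prefix="ikee-demo-"))
    ld = root / LAUNCHD_DIR
    ld.mkdir(parents=True)
    (root / "etc").mkdir()
    if not infected:
        # a benign system job plus a root hash that is no longer the default
        (ld / "com.apple.syslogd.plist").write_bytes(plistlib.dumps(
            {"Label": "com.apple.syslogd", "Program": "/usr/sbin/syslogd", "RunAtLoad": True}))
        (root / "etc/master.passwd").write_text("root:xyNotDefault:0:0::0:0:root:/var/root:/bin/sh\n")
        return str(root)
    drop = root / DROP_DIR
    drop.mkdir(parents=True)
    for name in ("sshd", "inst", "syslog"):   # file names from the article; contents are dummies
        (drop / name).write_text("#!/bin/sh\n# placeholder\n")
    (ld / "com.apple.ksyslog.plist").write_bytes(plistlib.dumps({
        "Label": "com.apple.ksyslog", "Program": f"/{DROP_DIR}/sshd",
        "RunAtLoad": True, "KeepAlive": True}))
    (ld / "com.apple.period.plist").write_bytes(plistlib.dumps({
        "Label": "com.apple.period", "ProgramArguments": ["/bin/sh", f"/{DROP_DIR}/syslog"],
        "StartInterval": 300}))                 # 5 minutes, the check-in interval in the text
    (root / "etc/master.passwd").write_text(
        f"root:{DEFAULT_ROOT_HASH}:0:0::0:0:System Administrator:/var/root:/bin/sh\n")
    return str(root)


if __name__ == "__main__":
    for finding in scan(build_sample_root()):
        print("FOUND:", finding)
```

Run on the constructed infected root it lists four findings; on the clean root it lists none. On a real device, call scan("/") over SSH; note that the default-password finding is about exposure, not infection, because the worm changes the root password once it is in.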

For more detail, see the SRI International analysis.

iKee.B / iKee.d Sourcecode Download:

By following the link below you can download the source code of both the Ikee.B and Ikee.D viruses. The only reason we have uploaded these archives is to give you the opportunity to protect your phones by digging into the worm’s code and understanding how it works. Please note that the archive is password protected. Contact me on Google+ to get the password.

Download (only for educational and security purposes)

If you suspect or know that your iPhone is infected with the Ikee.B worm, check this article to find out how to remove it.