A couple of weeks ago, the first iPhone worm appeared, spreading on jailbroken devices with the SSH application installed. The vulnerability it relied on is that many users haven’t changed the default root password. As far as worms go, this one was quite benign, merely “rickrolling” users, i.e., changing the background image on the device to an image of Rick Astley.
Now, according to early reports of strange activity from Dutch ISP XS4ALL, later confirmed by Sophos, there’s a new worm in the wild, and this one is far more malicious.
The new worm is called “Duh” or “Ikee.B”, and it uses the exact same vulnerability as the first one. The fix is thus identical – change the root password in the SSH application to something other than the default, which is “alpine”.
Failing to do so might result in very serious consequences. According to Sophos, Ikee.B is “designed to connect to a server in Lithuania and to follow orders from remote hackers.” It can find vulnerable iPhones on a wide range of IP addresses, including IPs in several different countries, for example the Netherlands, Portugal, Australia, Austria, and Hungary. Furthermore, it changes the root password on the iPhone to “ohshit” (as discovered by Paul Ducklin, head of technology in Sophos Asia Pacific).
Users who haven’t jailbroken their iPhone or haven’t installed the SSH application are not affected by this vulnerability.