New Worm Targets Jailbroken iPhones

November 24, 2009

MacNewsWorld reported yesterday on a new worm targeting jailbroken iPhones. The worm has been dubbed ‘Duh’ and, unlike previous exploits, this version is malicious, establishing a command-and-control botnet that is capable of sending data back to a central server.

The default root (SSH) password is also changed, in an apparent attempt to make it more difficult to re-secure an infected iPhone. According to Paul Ducklin from Sophos, the password is changed to ‘ohshit’ & this is done by rewriting its hashed value in the master password file.

Please note that this worm only appears to affect jailbroken iPhones – iPhones running Apple’s official OS are unaffected. Unfortunately, since jailbreaking an iPhone is considered a warranty violation, Apple has made little effort to allow 3rd party anti-virus vendors to develop software to prevent such attacks, claiming jailbroken iPhones are already running ‘unauthorized software’ and as such are used at the owner’s risk.

Detailed instructions for changing the default root (SSH) password can be found at the JustAnotheriPhone blog. Using the free MobileTerminal iPhone application is the simplest & most straightforward option.
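Since the worm is described as rewriting root’s hashed password in the master password file, one defender-side check is to record the hashes of the privileged accounts while the device is known-good and later compare the live file against that baseline. The script below is an added example, not code from the original post, Sophos or Apple; the master.passwd contents and the baseline hashes are constructed placeholders, and the 10-field BSD master.passwd layout is assumed.

```python
"""Audit a BSD-style master.passwd for rewritten password hashes.

Added example (not from the original post). A baseline of known-good
hashes for privileged accounts is compared against the current file;
any difference, missing account, empty password field or unexpected
uid-0 account is reported.
"""
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    pw_hash: str
    uid: int
    shell: str


# Constructed sample in BSD master.passwd layout (10 colon-separated fields):
# name:hash:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
# comment lines and blank lines are ignored
root:$1$ConstructedSalt$RewrittenByWormXXXXXXXXXXXX:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:abCONSTRUCTED:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false

"""

# Hashes recorded earlier from a known-good device (constructed placeholders).
BASELINE_HASHES: Dict[str, str] = {
    "root": "abCONSTRUCTED",
    "mobile": "abCONSTRUCTED",
}


def parse_master_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse master.passwd text into a mapping of account name -> entry."""
    entries: Dict[str, PasswdEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, pw_hash, uid, _gid, _cls, _chg, _exp, _gecos, _home, shell = fields
        entries[name] = PasswdEntry(name, pw_hash, int(uid), shell)
    return entries


def audit(entries: Dict[str, PasswdEntry], baseline: Dict[str, str]) -> List[str]:
    """Return findings for accounts whose state no longer matches the baseline."""
    findings: List[str] = []
    # Every baselined account must still exist with exactly the recorded hash.
    for name, expected in baseline.items():
        entry = entries.get(name)
        if entry is None:
            findings.append(f"{name}: account missing from master.passwd")
        elif entry.pw_hash != expected:
            findings.append(f"{name}: password hash differs from baseline")
    # Independent of the baseline: passwordless logins and new root-equivalents.
    for entry in entries.values():
        if entry.pw_hash == "":
            findings.append(f"{entry.name}: empty password field")
        if entry.uid == 0 and entry.name not in baseline:
            findings.append(f"{entry.name}: unexpected uid-0 account")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_master_passwd(SAMPLE_MASTER_PASSWD), BASELINE_HASHES):
        print("ALERT", finding)
```

On a real device the sample text would be replaced by the contents of /etc/master.passwd read over SSH or from a backup, and the baseline would be captured immediately after the root password has been changed from the default, so that the check detects the worm’s rewrite rather than the owner’s own change.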

While changing the root password will certainly increase protection against the ‘Duh’ worm and any future attacks, currently, the only 100% secure iPhone is one that has not been jailbroken. If you are using an iPhone in an enterprise or other environment where data security is an issue, running a jailbroken iPhone is strongly discouraged.

To restore the Apple-authorized OS to an iPhone, simply connect the iPhone to iTunes & click the ‘Restore to Defaults’ button. This will erase all data on the phone & return it to factory settings. This support article from Apple describes the backup & restore process in detail.

