We have created a video showing how the iPhone/Eeki worm works.
You can see it here:
As you can see in the video, the malware first checks that it is not already running on the device. To do so, it checks whether the following file exists:
/var/lock/bbot.lock
This can help you tell whether you are infected: if that file is present on your device, the worm is there.
Next, it changes the device's hostname and stops the SSH daemon.
It then tries to spread on the subnet the phone is connected to, and also generates random IP ranges to scan. Among these it tries pre-established ranges corresponding to certain companies' IP addresses:
Once an IP address has been generated, it tries to reach a jailbroken iPhone at that address by establishing an SSH connection with the default root key that ships on all iPhoneOS devices (1G, 2G and 3G iPhone and iPod touch devices). If access is denied, it generates another random IP and repeats the process until it finds a vulnerable victim that accepts the login.
Once a victim that accepts those credentials is found, it opens a remote session, copies itself to the affected phone and adds:
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
so that it runs again after a restart.
It stops the SSH service that has caused the infection. Finally, it copies a photo of Rick Astley and uses the image as the device wallpaper.
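As an added example (not part of the original post or the researchers' video), here is a POSIX shell check for the on-disk indicators described above. The function name is ours, the root-directory argument lets you point it at a mounted backup instead of the live device, and the Cydia plist is treated as a weak indicator because Cydia installs that file itself on any jailbroken device:

```shell
#!/bin/sh
# Added example: look for the files the post attributes to the Eeki/ikee worm.
# Usage: check_ikee_indicators [ROOT]
#   ROOT empty  -> inspect the live device (run as root over SSH)
#   ROOT=/path  -> inspect a mounted backup or filesystem image

# Strong indicators: the worm's own lock file and its launch daemon plist.
IKEE_STRONG="/var/lock/bbot.lock
/System/Library/LaunchDaemons/com.ikey.bbot.plist"
# Weak indicator: Cydia ships this plist itself, so on a jailbroken device it
# only matters alongside a strong one.
IKEE_WEAK="/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"

# Prints each indicator found.
# Returns 0 when no strong indicator is present, 1 when at least one is.
check_ikee_indicators() {
    root="${1:-}"
    strong=0
    for f in $IKEE_STRONG; do
        if [ -e "${root}${f}" ]; then
            echo "STRONG: ${f} present"
            strong=$((strong + 1))
        fi
    done
    for f in $IKEE_WEAK; do
        if [ -e "${root}${f}" ]; then
            echo "weak:   ${f} present (also installed by Cydia)"
        fi
    done
    # The post says the worm stops the SSH daemon it came in through, so on a
    # live device a stopped sshd next to a strong indicator fits the picture.
    # pgrep is assumed to be available; the check is skipped otherwise.
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1; then
        pgrep -x sshd >/dev/null 2>&1 || echo "note:   sshd is not running"
    fi
    [ "$strong" -eq 0 ]
}
```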
“Thanks to Gorka Ramírez and Francisco Berenguer for the information and the video”.