iWorm – a truly social virus

The iPhone worm (ikee, to give it its proper name) is a thing of beauty. Not so much because of the technology involved, which is simple – although, since when has simplicity not been a good thing? – but because of the superb social engineering involved. Its designers demonstrated a perfect understanding of their target user population and came up with an elegant exploit of their psychology.

To recap: an iPhone, underneath the shiny stuff, is basically a little BSD Unix machine. Apple applies a lot of its own security and restrictions-management stuff to it, but this can be circumvented if you want to run software without getting Apple’s approval for it – this is the process known as “jailbreaking”. One of the most common things people do with the gadget after removing the Apple restrictionware is to install the OpenSSH package. That gives you the ssh client, so you can log into a remote server and administer it from the phone, but the package also installs the server half, sshd, and starts it on boot; the server is what lets you log into the phone from a desktop machine, for instance to copy files onto it over scp or SFTP.

Unfortunately, a running sshd makes it possible to log into the phone from any machine that can reach it, if you know the password and the phone’s current IP address. And every iPhone ships with the same root password, “alpine” (the unprivileged “mobile” account has the same default). So, before you install the package, or immediately afterwards, you absolutely must change the root password (and mobile’s) from the default to a strong passphrase. Otherwise, as soon as sshd is listening, anyone on the Internet who can reach the phone’s address can log in with root-level privileges – i.e. they can do anything they like. Changing the password is the minimum; better still is to tell sshd to refuse root logins and password logins altogether and use a key instead.

The worm generated IP addresses to scan and tried to log in to each one through SSH as root with the default iPhone password. If it succeeded, it copied itself onto the phone so that the victim joined the scanning, and replaced the wallpaper with a picture of Rick Astley. Haha. They could also have made hundreds of hours of international phone calls on your bill, scarfed your bank details, grabbed the log of who you called and who called you and carried out some sort of evil social-graph analysis…but they didn’t. For now.
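The fix the post keeps coming back to (change the default password; better, stop depending on passwords at all) as an added shell example. This is not code from the original post or from the worm’s author. It assumes the Cydia OpenSSH package, its config at /etc/ssh/sshd_config and its launchd job com.openssh.sshd (both paths are assumptions); the root and mobile accounts and the “alpine” default are from the post. The script rewrites an sshd_config so that root logins and password logins are refused, relying on the fact that sshd uses the first value it sees for a keyword, and demonstrates the before/after on a constructed config fragment.

```shell
#!/bin/sh
# Added example (not from the original post or the worm's author): harden the
# sshd a jailbroken iPhone ends up running, so that ikee-style scanning for the
# default password finds nothing to log into.
#
# Step 1, interactive, run on the phone itself: replace the default password on
# BOTH accounts that ship with it (the worm tried root; "mobile" has the same
# default):
#     passwd          # root
#     passwd mobile
#
# Step 2 (below): make sshd refuse password logins and root logins, so a weak or
# unchanged password stops mattering. Install a public key for "mobile" first,
# or you lock yourself out.

# set_sshd_option FILE KEY VALUE
# sshd takes the FIRST value it sees for a keyword, so prepend the wanted line
# and comment out any later active definition of the same keyword. Keyword
# comparison is case-insensitive, as in sshd itself.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { print k " " v }
        { line = $0; sub(/^[ \t]*/, "", line); split(line, f, "[ \t]+") }
        tolower(f[1]) == tolower(k) { print "#" $0 "   # disabled by set_sshd_option"; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option FILE KEY: print the value sshd would use (first active match).
sshd_option() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]*/, "", line); split(line, f, "[ \t]+") }
        tolower(f[1]) == tolower(k) { print f[2]; exit }
    ' "$1"
}

# harden_sshd_config FILE: the settings that close the hole the worm used.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# demo: run against a constructed sshd_config fragment in a temp file and show
# the effective values before and after. Returns 0 when the file is hardened.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample fragment, not a real iPhone config
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
EOF
    printf 'before: PermitRootLogin=%s PasswordAuthentication=%s\n' \
        "$(sshd_option "$f" PermitRootLogin)" "$(sshd_option "$f" PasswordAuthentication)"
    harden_sshd_config "$f"
    printf 'after:  PermitRootLogin=%s PasswordAuthentication=%s\n' \
        "$(sshd_option "$f" PermitRootLogin)" "$(sshd_option "$f" PasswordAuthentication)"
    [ "$(sshd_option "$f" PermitRootLogin)" = no ] &&
        [ "$(sshd_option "$f" PasswordAuthentication)" = no ]
    rc=$?
    rm -f "$f"
    return $rc
}

# On the phone you would run:  harden_sshd_config /etc/ssh/sshd_config
# and then restart sshd so the new config is read; with the Cydia package that
# is (assumed) launchctl unload, then load, of
# /Library/LaunchDaemons/com.openssh.sshd.plist.
```

Run `demo` to see the effect on the sample fragment. The “comment out and prepend” approach is deliberate: editing a line in place can leave a later duplicate or a definition inside a Match block in charge, whereas a line at the top of the file is the first one sshd reads and therefore the one that wins.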

What gets me about this is that they obviously had an image in mind of the target user: someone clueful enough to install unofficial software on an iPhone, or who at least wanted badly enough to be seen as technically competent that they got someone else to do it, but not clueful enough to realise that they needed to set a real password, or that they were connecting a full-blown Unix box to the Internet without any security precautions whatsoever. (Given that having a server to ssh into implies you know that you can log into remote machines over the Internet if you know the password, I wonder how many of the victims had actually used the SSH client on the phone?)

As well as a practical implementation of the Dunning-Kruger effect, it’s a genuinely social hack in that it identified and targeted a specific social group – annoying moneyed wannabe-geek hipster prats. It was a wanker-seeking missile. It is sheer brilliance, and I’m not at all surprised it was invented by Australians.

Update: As pointed out in the comments, why would you need the daemon half of the ssh package at all? Apparently, some of the jailbreaking methods use it. In the comments in the worm’s source code, its creator specifically mentions how many iPhones turned out to have an active ssh service when he tested the scanning component.


  1. Why on earth would an ssh install for a cellphone run the daemon part of the package by default? I don’t even have it going on my laptop, and IIRC most installs explicitly ask if you want it…

    • yorksranter

      Well, this is the question, innit? Didn’t make sense to me either, but then the exploit is crafted to find people who wouldn’t ask that question.

      Apparently some of the canned jailbreak techniques amount to getting the ssh daemon onto the phone, logging in with the default pwd, and then doing everything else via ssh. If this is available as a script that you just upload to the thing and run, I can see why clueless users might get into trouble.

      If you read the original article, someone quoted points out that current jailbreaks don’t use ssh, but then the target profile isn’t “system administrator who keeps everything obsessively up to date”, is it?
