Apple comments on iPhone virus, security firm warns against jailbreaking

Apple has responded to the currently circulating iPhone worm that is enabling hackers to steal information from users with jailbroken iPhones, spokesperson Natalie Harrison said: "The worm affects only a very specific set of iPhone users who have jailbroken their iPhones and hacked it with unauthorized software.”

"As we've said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably," she notes, as reported by The Loop.

Anti-virus vendor, Intego today published its own statement on the matter: “We would like to stress that users who jailbreak their iPhones are exposing themselves to known vulnerabilities that are being exploited by code that is circulating in the wild. If users install ssh, they should change the default password, which is widely known. While the number of iPhones attacked may be minimal, the amount of personal data that can be compromised, and the ability of this new worm to create a botnet, strongly suggests that iPhone users should stick with their stock configurations and not jailbreak their devices.”

Intego calls the new malware iBotnet.A, describing it as “by far the most sophisticated iPhone malware yet: it is not only a worm, capable of spreading across a network, but also hijacks iPhones or iPod touches for use in a botnet.”

This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary, Australia, and if an appropriately unprotected iPhone is found, the worm can copy itself to these devices.

When active on an iPhone, the iBotnet worm changes the root password for the device (from “alpine” to “ohshit”), in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone.

The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices.

The worm also gives each infected iPhone a unique identifier; this to be able to reconnect easily to any iPhones on which valuable information is found, but also to ensure that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhones /etc/hosts file for a Dutch bank web site, to lead Dutch users who connect to this bank site to a bogus site, presumable to harvest user names and passwords.