Threat Encyclopedia

IOS_IKEE.A

Publish date: October 08, 2012

ANALYSIS BY

Karl Dominguez

     MODIFIED BY

     Karl Dominguez


PLATFORM:

iOS

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type:Worm

  • Destructiveness:No

  • Encrypted: No

  • In the wild: Yes

OVERVIEW

Infection Channel:

Copies itself into specific IP addresses; Copies itself into other iPhone devices connected to local networks


This worm infects jailbroken iPhones that has Secure Shell (SSH) installed and the password still configured to the default value, alpine. It replaces all default passwords saved to ohshit. As a result, affected users will not be able to log into the device because of this change.

It by scanning the network for specific IP addresses of telecommunication providers in Europe and Australia and dropping a copy of itself.

It also targets other iPhone devices connected to the local network. It also generates target IP addresses by randomly creating subnet masks based on the current time. This worm also targets other iPhone devices connected to the local network.

It gathers information, such as the infected iPhone device's name, version, and network interface information, and sends the data to its command and control (C&C) server. This worm is found to be capable of stealing SMS messages. It can also execute arbitrary shell script commands from a remote user received from its C&C servers.

This worm may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

TECHNICAL DETAILS

File Size:

Varies

File Type:

Other

Memory Resident:

No

Initial Samples Received Date:

21 Nov 2009

Payload:

Steals information; Executes scripts received from its C&C server

Arrival Details

This worm may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

Installation

This worm drops the following files:

  • File name: /private/var/mobile/home/cydia.tgz
    Description: This is the main malware archive which contains the files INST, DUH, SYSLOG, curl_7.19.4-6_iphoneos-arm.deb,com.apple.period.plist, and com.apple.ksyslog.plist
  • File name: /private/var/mobile/home/.tmp
    Description: This is the file where /private/var/mobile/home/syslog stores received raw data from its command and control (C&C) server
  • File name: /private/var/mobile/home/sshd
    Description: Trend Micro detects this malicious executable as IOS_IKEE.A. It scans for IP addresses into which it will propagate to. It propagates by logging into the target iPhone via SSH using the default password, "alpine". It creates the folder, /private/var/mobile/home/, where it copies the malware package, CYDIA.TGZ. It then executes /private/var/mobile/home/inst to install the malware package.
  • File name: /private/var/mobile/home/duh
    Description: This is the malicious binary file used by this malware to issue HTTP GET commands. This is executed by /private/var/mobile/home/syslog to receive data from its C&C server.
  • File name: /private/var/mobile/home/inst
    Description: Trend Micro detects this malicious script as IOS_IKEE.A. It generates an ID for the infected iPhone which can be used as an identifier when this script connects to its C&C server. The generated ID is saved in /etc/rel. It then copies com.apple.ksyslog.plist to /System/Library/LaunchDaemons/com.apple.ksyslog.plist so that this script executes every time the infected device is turned on. In addition, it installs legitimate Debian packages necessary for its routines. It also changes the default SSH password, alpine that is saved in /etc/master.passwd to ohshit. This file is responsible for gathering all SMS messages and information about the infected device. SMS messages are saved in /private/var/mobile/home/{ID}/sms.txt while phone information are saved into /private/var/mobile/home/{ID}/info. It then archives the folder, /private/var/mobile/home/{ID}, and connects to its C&C server, {BLOCKED}.{BLOCKED}.38.16/xml/a.php?name={ID} to send the .TGZ file in base64 format.
  • File name: /private/var/mobile/home/heh
    Description: This file is where /private/var/mobile/home/syslog saves shell scripts to be executed.
  • File name: /private/var/mobile/home/syslog
    Description: Trend Micro detects this malicious script as IOS_IKEE.A. This file runs /private/var/mobile/home/duh and saves the C&C server replies to /private/var/mobile/home/.tmp. It parses the .TMP file for scripts then saves the result in /private/var/mobile/home/heh and executes this file as a shell script.
  • File name: /System/Library/LaunchDaemons/com.apple.ksyslog.plist
    Description: This daemon (a software that runs in the background) executes /private/var/mobile/home/sshd every time the infected iPhone device is started and keeps it running.
  • File name: /System/Library/LaunchDaemons/com.apple.period.plist
    Description: This daemon executes /private/var/mobile/home/syslog every 300 seconds.
  • File name: /System/Library/LaunchDaemons/com.apple.periodic.plist
    Description: This daemon file executes /private/var/mobile/home/syslog every 2000 seconds.
  • File name: /private/var/mobile/home/adv-cmds_119-5_iphoneos-arm.deb
    Description: This legitimate Debian package needed by this worm to execute its commands.
  • File name: /private/var/mobile/home/sqlite3_3.5.9-9_iphoneos-arm.deb
    Description: This is a legitimate Debian package file for an SQL database.
  • File name: /private/var/mobile/home/curl_7.19.4-6_iphoneos-arm.deb
    Description: This is a legitimate Debian package for Curl that is used to download and install adv-cmds_119-5_iphoneos-arm.deb and sqlite3_3.5.9-9_iphoneos-arm.deb from saurik.com.
  • File name: /private/var/mobile/home/{ID}/sms.txt
    Description: This file contains the stolen text messages.
  • File name: /private/var/mobile/home/{ID}/info
    Description: This file is where stolen data, such as the infected iPhone's name, version, and network interface information, is saved.
  • File name: /private/var/mobile/home/{ID}.tgz
    Description: This is an archive file containing files inside /private/var/mobile/home/{ID}/ that is sent to the C&C by /private/var/mobile/home/inst in base64 format.
  • File name: /etc/rel
    Description: This file contains the generated ID

It creates the following folders:

  • /private/var/mobile/home
  • /private/var/mobile/home/{ID}

Other Details

This worm does the following:

  • Infects jailbroken iPhone devices with Secure Shell (SSH) installed and the password still configured to the default value, alpine. This worm replaces all alpine passwords saved in /etc/master.passwd to ohshit. As a result, affected users will not be able to log into the device because of this change.
  • Drops the following copy of itself into the affected device as /private/var/mobile/home/cydia.tgz
  • Spreads by scanning the network for specific IP addresses of telecommunication providers in Europe and Australia and dropping a copy of itself. This worm also targets other iPhone devices connected to the local network. It also generates target IP addresses by randomly creating subnet masks based on the current time.
    • Local Network: 192.168.0.0 - 192.168.3.255
    • T-Mobile Netherlands: 94.157.100.0 - 94.157.255.255
    • T-Mobile Netherlands: 94.157.0.0.0 - 120.157.99.255
    • T-Mobile Netherlands: 188.88.100.0 - 188.88.160.255
    • Vodafone Portugal: 87.103.52.255 - 87.103.66.255
    • Vodafone Portugal: 77.54.160.0 - 77.54.190.255
    • Optus Australia: 114.72.0.0 - 114.75.255.255
    • Mobilkom Austria: 92.248.90.0 - 92.248.120.255
    • Pannon GSM Telecommunications Inc. Hungary: 84.224.60.0 - 84.224.80.255
    • Pannon GSM Telecommunications Inc. Hungary: 84.224.0.0 - 84.224.63.255
    • Kabelsignal AG Austria: 81.217.74.0 - 81.217.74.255
    • UPC Austria: 77.248.140.0 - 77.248.146.255
    • UPC Austria: 80.57.116.0 - 80.57.131.255
  • Gathers information, such as the infected iPhone device's name, version, and network interface information, and sends the data to its C&C server. This worm is found to be capable of stealing SMS messages. It can also execute arbitrary shell script commands from a remote user received from the following C&C servers:
    • {BLOCKED}.38.16/xml/a.php?name={ID} (send data)
    • {BLOCKED}.38.16/xml/p.php?id={ID} (receive data)
    {ID} is a number generated by this worm for each iPhone device it infects.

SOLUTION

Minimum Scan Engine:

8.900

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as IOS_IKEE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Featured Stories

Connect with us on