It took only three weeks for someone to exploit once again the vulnerability that leaves the owners of jailbroken iPhones exposed to attack, and this time the attack is carried out with decidedly malicious intent.
According to Sophos' Chester Wisniewski, the attackers use OpenSSH to access the iPhone (or iPod), change the default root password, and then install two scripts. The first one executes the worm when the device boots up, and the other one makes the device report back to a Lithuanian server: it lets the server know that the device has been infected and waits for further commands from the bot master.
The worm spreads by attacking IP ranges belonging to various ISPs in Europe and Australia. It spreads more quickly when users connect their devices to their local wireless networks, and the battery drains very quickly because the worm is constantly scanning for new devices to infect.
Paul Ducklin (also from Sophos) says that “the password is changed by rewriting its hashed value in /etc/master.passwd, not by running the passwd command with the new password in plaintext. This shields the value of the new password, so that the cybercrooks know what it is, but you don’t.”
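Because the worm rewrites the hash in /etc/master.passwd rather than running passwd, a defender's check is to compare the stored hashes against a baseline recorded when the device was set up. The following is an added example written for this article, not code from Sophos or from the worm; the file contents and hash strings are constructed placeholders.

```python
# Added example (not from the article): parse BSD-style /etc/master.passwd
# entries and flag accounts whose password hash differs from a recorded baseline.
# All sample data below is constructed; the hash strings are placeholders.
from typing import Dict, List

# Field layout of a BSD master.passwd line:
# name:password:uid:gid:class:change:expire:gecos:home:shell
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")


def parse_master_passwd(text: str) -> Dict[str, Dict[str, str]]:
    """Return {account name: {field: value}} for every well-formed entry."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines rather than guess at them
        entry = dict(zip(FIELDS, parts))
        entries[entry["name"]] = entry
    return entries


def changed_hashes(current: str, baseline: Dict[str, str]) -> List[str]:
    """Names of baseline accounts whose stored hash no longer matches.
    An account that has vanished from the file is reported as well."""
    parsed = parse_master_passwd(current)
    changed = []
    for name, expected in baseline.items():
        entry = parsed.get(name)
        if entry is None or entry["password"] != expected:
            changed.append(name)
    return sorted(changed)


# Constructed sample: a baseline taken at setup time, and a copy of the file
# after root's hash field was rewritten in place (mobile is untouched).
BASELINE = {"root": "$1$setuproot$PLACEHOLDERHASH",
            "mobile": "$1$setupmobile$PLACEHOLDERHASH"}
SAMPLE_FILE = """\
# constructed sample, not a real device file
root:$1$rewritten$DIFFERENTHASH:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:$1$setupmobile$PLACEHOLDERHASH:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""

if __name__ == "__main__":
    for name in changed_hashes(SAMPLE_FILE, BASELINE):
        print(f"password hash for '{name}' differs from the baseline")
```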
He also discovered that the new root password is "ohshit", so if you try it and manage to log in to your iPhone, the device has been infected with this worm. He advises everyone who uses a jailbroken device (infected or not) to change the default root and account passwords and to disable SSH.