[updated]

A new, malicious worm, dubbed the "Duh" worm, has hit jailbroken phones, grabbing personal information, including banking codes. But there are apparently a couple of ways to protect yourself.

U.K.-based security firm Sophos, which confirmed Duh's existence, says you're likely to know when you've been hacked. Chester Wisniewski, a senior security advisor with Sophos, notes that Duh's data harvesting rapidly drains the iPhone's battery. "And anyone playing by Apple's rules is, of course, safe." He recommends that all jailbroken iPhone users restore their devices to their purely Apple state and install the most current Apple firmware through iTunes, thus protecting the iPhone from possible intrusion.

But Paul Ducklin, also of Sophos, says you don't necessarily have to play by the rules to stay safe. There's a way to clean up an infected iPhone without leaving your jailbroken state. From his blog today:

To disinfect your iPhone, you should login as root with the password ohshit and remove at least the following files:

/private/var/mobile/home/sshd
/private/var/mobile/home/cydia.tgz
/private/var/mobile/home/inst
/private/var/mobile/home/syslog
/private/var/mobile/home/duh

However, since the directory /private/var/mobile/home does not exist on regular, uninfected iPhones, you may as well remove the entire directory and any subdirectories. Remove the file /etc/rel while you are about it.
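As an added illustration of the cleanup above (this is not code from Sophos, Ducklin or the article), the following POSIX shell script checks a filesystem tree for the indicator files the quote lists and, on request, removes them. The ROOT argument is an assumption of this example: it defaults to the live filesystem so the script can be run on the device itself, and a different prefix lets it be pointed at a mounted backup of the phone.

```shell
#!/bin/sh
# Added example: scan for, and optionally remove, the Duh / Ikee.B indicator
# files named in the Sophos disinfection note. Not part of the original article.

# Indicator paths quoted in the article. The first five live under
# /private/var/mobile/home, a directory that should not exist at all on a
# clean iPhone; /etc/rel is the extra file the note says to remove.
DUH_INDICATORS="/private/var/mobile/home/sshd
/private/var/mobile/home/cydia.tgz
/private/var/mobile/home/inst
/private/var/mobile/home/syslog
/private/var/mobile/home/duh
/etc/rel"

# duh_scan [ROOT]: print one "FOUND: <path>" line per indicator present under
# ROOT (default: the live filesystem). ROOT is this example's own convention.
duh_scan() {
    root="${1:-}"
    for p in $DUH_INDICATORS; do
        [ -e "$root$p" ] && echo "FOUND: $root$p"
    done
    # The parent directory itself is an indicator: it is absent on clean phones.
    [ -d "$root/private/var/mobile/home" ] \
        && echo "FOUND: $root/private/var/mobile/home (directory should not exist)"
    return 0
}

# duh_clean [ROOT]: apply the note's advice, removing the whole home directory
# and /etc/rel under ROOT. Only these two paths are ever touched.
duh_clean() {
    root="${1:-}"
    rm -rf -- "$root/private/var/mobile/home" "$root/etc/rel"
}

# Example usage on the device: duh_scan; then duh_clean if anything was found.
# Changing the root (and mobile) password from the default is still required
# afterwards, or the phone is simply reinfected over SSH.
```

Run `duh_scan` first and review its output; `duh_clean` removes exactly the two paths the note names and nothing else.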

Over the past few weeks, before the Duh worm hit, there had been reports of a seemingly benign worm infiltrating the devices of iPhone users who had jailbroken them. That older, benign worm was Australian-born and was aptly named the "rickrolling" Ikee worm, because it simply changed the background image on the device to a picture of Rick Astley, the 80s pop star. It was the first known worm to affect iPhone users.

Both Ikee and Duh affect phones that run the SSH (Secure Shell) Unix utility, a feature that lets users connect to their iPhone remotely over an encrypted Internet channel. The worms slither into iPhones through SSH because many users have not changed the default password, leaving them vulnerable targets.

However, Duh (or "Ikee.B") is much more malicious than Ikee. Using the same technique as the "rickrolling" Ikee worm, it preys on the same vulnerability, affecting only those who have not changed the default password, which is universally "alpine." If users have not changed this password to a personalized one, the Duh worm automatically changes it to the password of its own choosing, "ohshit," and hacks into the owner's information, possibly including online banking codes. This personal information is then sent to a central server (which has been tracked to Lithuania, although the hackers appear to be Dutch). The worm itself is a copycat: a modified version of the original Aussie Ikee worm's code.

“Data theft like this is a sign of what practical future worms will be like on the mobile platforms,” warns Sophos' Wisniewski.

[Image credit: www.techshout.com]