[iPhone] Virus Worm Spreading on Jailbroken iPhones

Apple must be pleased about this news. They have never tired of telling people that jailbreaking the iPhone seriously compromises user security.

And now a worm written by Ashley Towns from down under does nothing but attack jailbroken iPhones whose SSH (Secure Shell) server has not been disabled or whose default root password (“alpine”) has never been changed.

Luckily the first version of the worm was almost harmless: it just changed the background wallpaper to a photograph of Rick Astley – yes, rickrolled again. Anyway, ITBusinessEdge now reports that a second version of the worm has been seen in the wild. This new version gives no indication at all that it has successfully compromised your Jesus phone. Beware, guys.

Now, will we get virus scanners for our jailbroken iPhones? Will it be necessary to run firewalls?

It seems ironic, but it seriously looks as if all the problems Microsoft’s operating systems have had for years with viruses and worms – simply because Windows is the most widespread desktop operating system – are now coming to the iPhone.

via IT BusinessEdge.com

[Virus] First Mac Zombies in iBotnet

In their latest “Virus Bulletin” article, Symantec researchers report what appears to be the first Mac OS based botnet. They call it the iBotnet. Two trojans have been identified:

  • OSX.Iservice
  • OSX.Iservice.B

The trojans try to obtain the user password or the root password, depending on how your system is configured. By default the “root” account is disabled on OS X, so in certain situations the user account’s privileges are raised instead. Once the user or root password has been obtained, the system is compromised and added to the botnet.

Both files are currently being distributed via peer-to-peer networks such as BitTorrent. The trojans are bundled into pirated copies of

  • iWork09 and
  • Adobe Photoshop CS 4

It is estimated that several thousand Macs are already infected.

There is strong evidence that the botnet has already been used for distributed denial-of-service (DDoS) attacks driven by a PHP script.

From their analysis of the trojans, the Symantec researchers conclude that other versions may already be in the wild, since the technique appears to be flexible and extensible. Our recommendation: get yourself a virus scanner for your Mac, ASAP.

[Virus] Virus.Win32.Gpcode.ak reported in the wild

Yes, viruses spread around the world every day; there is nothing new about that. But the GPCODE virus now reported in the wild is different. It encrypts files on your hard disk and permanently deletes the originals. In the end you would have to contact the virus author to buy the decryption key in order to regain access to your files.

You think we are kidding? Nope. We’re not. Kaspersky – one of the leading companies in the anti-virus business – has appealed to cryptographers around the world to help break the encryption used by this virus. The worst thing is that the virus authors use a 1024-bit RSA key to encrypt your data. 1024-bit RSA is still quite secure these days (see Wikipedia for the list of factored RSA numbers). The largest RSA challenge number whose factors have been found so far is RSA-640. Kaspersky estimates that it would take 15 million computers working in a distributed computation to break that key… erm… yes, 15 million…
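To put the gap between RSA-640 and RSA-1024 into numbers, here is an added example (not from the original post or from Kaspersky) that evaluates the standard heuristic running time of the General Number Field Sieve, L_n[1/3, c] = exp((c + o(1)) (ln n)^(1/3) (ln ln n)^(2/3)) with c = (64/9)^(1/3), for both key sizes and compares it with what naive trial division would cost. The o(1) term is dropped, so the result is an order-of-magnitude estimate, not a prediction of wall-clock time.

```python
"""Heuristic cost comparison: factoring RSA-640 vs RSA-1024.

Added example; not code from the original post.  Uses the textbook GNFS
complexity estimate with the o(1) term dropped (order of magnitude only).
"""
import math

# c = (64/9)^(1/3) ~ 1.923 is the constant in the GNFS L-notation exponent.
GNFS_C = (64 / 9) ** (1 / 3)


def ln_gnfs_cost(bits: int) -> float:
    """Natural log of the heuristic GNFS work for a `bits`-bit modulus n.

    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)); for an n of
    `bits` bits, ln n is approximated as bits * ln 2.
    """
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def relative_cost(bits_hard: int, bits_easy: int) -> float:
    """How many times more GNFS work `bits_hard` needs than `bits_easy`."""
    return math.exp(ln_gnfs_cost(bits_hard) - ln_gnfs_cost(bits_easy))


def trial_division_ratio(bits_hard: int, bits_easy: int) -> float:
    """For contrast: 'brute force' trial division grows like sqrt(n) = 2^(bits/2),
    so every extra bit of modulus doubles the work every two bits."""
    return 2.0 ** ((bits_hard - bits_easy) / 2)


if __name__ == "__main__":
    gnfs = relative_cost(1024, 640)
    naive = trial_division_ratio(1024, 640)
    print(f"GNFS: RSA-1024 is roughly {gnfs:.1e} times the work of RSA-640")
    print(f"Trial division would be 2^192 = {naive:.1e} times the work")
```

The GNFS ratio comes out in the tens of thousands, which is why a 640-bit factorization says almost nothing about the feasibility of a 1024-bit one; the trial-division line shows why "brute force" is the wrong mental model for RSA in the first place.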

What you can do

The good news is that this virus seems to appear infrequently. We have not yet found a copy of it in our own research in the underground networks. This means the current threat probability is medium. Anyway, staying clean is not too complicated:

  • have a premium anti-virus scanner installed (see our sponsors)
  • update your virus signatures frequently (once per day is the minimum)
  • back up your data frequently to external devices

If you have been hit by this virus and it is already on your system, you will see a message box saying:

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [removed]@yahoo.com

=== BEGIN ===
[key removed]
=== END ===

There is not much you can do at the moment. Kaspersky recommends not turning off or rebooting the computer. Instead, contact Kaspersky at stopgpcode@kaspersky.com from a second computer. Please provide detailed information on how you got the virus (e.g. which torrent site).

Affected file formats

These are the suffixes (extensions) of files that GPCODE will encrypt:

7z abk abd acad
arh arj ace arx
asm bz bz2 bak
bcb c cc cdb
cdw cdr cer cgi
chm cnt cpp css
csv db db1 db2
db3 db4 dba dbb
dbc dbd dbe dbf
dbt dbm dbo dbq
dbt dbx Djvu doc
dok dpr dwg dxf
ebd eml eni ert
fax flb frm frt
frx frg gtd gz
gzip gfa gfr gfd
h inc igs iges
jar jad Java jpg
jpeg Jfif jpe js
jsp hpp htm html
key kwm Ldif lst
lsp lzh lzw ldr
man mdb mht mmf
mns mnb mnu mo
msb msg mxl old
p12 pak pas pdf
pem pfx php php3
php4 pl prf pgp
prx pst pw pwa
pwl pwm pm3 pm4
pm5 pm6 rar rmr
rnd rtf Safe sar
sig sql tar tbb
tbk tdf tgz tbb
txt uue vb vcf
wab xls xml
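The extension list above is mostly useful for two defensive jobs the post already names: deciding which files must be in the external backup, and noticing early when documents of these types have silently turned into ciphertext. The following added example (our own code, not a Kaspersky tool) walks a directory, picks out the files whose extensions are on the GPCODE list, and flags those whose content has near-random Shannon entropy while belonging to a format that is normally readable. Formats that are compressed or encrypted by design (archives, JPEGs, PKCS#12 key stores) are skipped because high entropy is normal there. The 7.5 bits/byte threshold and the sample files are our own choices, constructed for the demo.

```python
"""Find files GPCODE would target, and flag the ones that already look encrypted.

Added example; not code from the original post or from any vendor.
The extension list is the one printed in the post; the entropy threshold
and the demo files are constructed assumptions for illustration.
"""
import math
import os
import tempfile
from collections import Counter

# Extensions listed in the post as GPCODE targets (lower-cased, duplicates dropped).
GPCODE_EXTENSIONS = frozenset("""
7z abk abd acad arh arj ace arx asm bz bz2 bak bcb c cc cdb cdw cdr cer cgi
chm cnt cpp css csv db db1 db2 db3 db4 dba dbb dbc dbd dbe dbf dbt dbm dbo dbq
dbx djvu doc dok dpr dwg dxf ebd eml eni ert fax flb frm frt frx frg gtd gz
gzip gfa gfr gfd h inc igs iges jar jad java jpg jpeg jfif jpe js jsp hpp htm
html key kwm ldif lst lsp lzh lzw ldr man mdb mht mmf mns mnb mnu mo msb msg
mxl old p12 pak pas pdf pem pfx php php3 php4 pl prf pgp prx pst pw pwa pwl
pwm pm3 pm4 pm5 pm6 rar rmr rnd rtf safe sar sig sql tar tbb tbk tdf tgz txt
uue vb vcf wab xls xml""".split())

# Formats that are dense by design (compressed or encrypted); high entropy is expected.
NATURALLY_DENSE = frozenset(
    "7z bz bz2 gz gzip jar jpg jpeg jfif jpe lzh lzw p12 pfx pgp rar tgz".split())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; ciphertext sits very close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension_of(path: str) -> str:
    return os.path.splitext(path)[1].lstrip(".").lower()


def is_gpcode_target(path: str) -> bool:
    return extension_of(path) in GPCODE_EXTENSIONS


def looks_encrypted(path: str, threshold: float = 7.5, sample: int = 65536) -> bool:
    """True when a normally readable file's first `sample` bytes are near-random.

    Skips naturally dense formats and very small files to limit false positives.
    """
    if extension_of(path) in NATURALLY_DENSE:
        return False
    with open(path, "rb") as fh:
        data = fh.read(sample)
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def scan_tree(root: str) -> dict:
    """Return {'targets': [...], 'suspicious': [...]} for all files under root."""
    report = {"targets": [], "suspicious": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if not is_gpcode_target(path):
                continue
            report["targets"].append(path)
            if looks_encrypted(path):
                report["suspicious"].append(path)
    return report


def build_demo_tree() -> str:
    """Constructed sample data (not real victim files): a readable document, a
    document replaced by random bytes standing in for ciphertext, an archive
    that is dense by design, and a file type GPCODE does not touch."""
    root = tempfile.mkdtemp(prefix="gpcode-demo-")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Quarterly report draft, revision two. " * 200)
    with open(os.path.join(root, "budget.xls"), "wb") as fh:
        fh.write(os.urandom(4096))        # stands in for an encrypted spreadsheet
    with open(os.path.join(root, "photos.rar"), "wb") as fh:
        fh.write(os.urandom(4096))        # dense, but expected for an archive
    with open(os.path.join(root, "movie.avi"), "wb") as fh:
        fh.write(os.urandom(4096))        # avi is not on the GPCODE list
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    print(f"{len(result['targets'])} files of targeted types, "
          f"{len(result['suspicious'])} look encrypted:")
    for path in result["suspicious"]:
        print("  ", path)
```

Run against a real home directory, the `targets` list tells you what the backup must cover, and a sudden jump in `suspicious` hits on .txt, .doc or .xls files is the kind of signal worth wiring into a scheduled check; it is a heuristic, so a legitimately compressed or encrypted document of a readable type will also be flagged.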