Apple must be pleased with this news. They have never tired of telling people that jailbreaking the iPhone seriously compromises user security.
And now a worm written by Ashley Towns from down under does nothing but attack jailbroken iPhones on which the SSH daemon has been left running and the default root password (“alpine”) is still in place.
Luckily the first version of the worm was pretty much harmless: it just changed the wallpaper to a photograph of Rick Astley, yes, rickrolled again. Anyway, ITBusinessEdge now reports that a second version of the worm has been seen in the wild. This new version gives no visible indication that it has successfully compromised your Jesus phone. Beware, guys.
Now, will we get virus scanners for our jailbroken iPhones? Will it be necessary to run firewalls?
It seems ironic, but it really looks like all the problems Microsoft’s operating systems have had with viruses and worms for years, simply because Windows is the most widespread desktop operating system, are now coming to the iPhone.
In the latest issue of “Virus Bulletin”, Symantec researchers report what appears to be the first Mac OS X based botnet. They call it the iBotnet. Two trojans could be identified:
The trojans aim at obtaining either the user’s password or the root password, depending on how the machine is configured. By default the “root” account is disabled on OS X, but an administrator’s password is just as useful to the trojan: admin users can elevate to root through sudo, so the system is compromised either way. Once a user or root password has been captured, the machine is added to the botnet.
Both files are currently being distributed via peer-to-peer networks such as BitTorrent. The trojans are bundled with pirated copies of
Adobe Photoshop CS 4
It is estimated that several thousand Macs are already infected.
There is strong evidence that the botnet has already been used for distributed denial-of-service (DDoS) attacks, driven by a PHP script.
From their analysis of the trojans the Symantec researchers conclude that other versions may already be in the wild, since the code looks flexible and easy to extend. Our recommendation: get yourself a virus scanner for your Mac, as soon as possible.
Yes, viruses spread around the world every day. There is nothing new about that. But the GPCODE virus that has now been reported in the wild is different. It encrypts the files on your hard disk and permanently deletes the originals. In the end you would have to contact the virus author to obtain the decryption key and get access to your files again.
You think we are kidding? Nope. We’re not. Kaspersky, one of the leading companies in the anti-virus business, has issued an appeal to cryptographers around the world to help break the encryption used by this virus. The worst thing is that the virus authors use a 1024-bit RSA key to encrypt your data. 1024-bit RSA is still considered secure these days (see Wikipedia for the list of factored RSA challenge numbers). Factoring such a key is not brute force either: the largest RSA challenge numbers factored so far, RSA-640 (640 bits) and RSA-200 (663 bits), both fell in 2005 to the number field sieve, and the effort grows steeply with key size. Kaspersky estimates that we would need 15 million computers in a distributed computing effort to crack that key… erm… yes, 15 million…
What you can do
The good news is that this virus seems to appear infrequently. We have not found a copy of it ourselves in our own research in the underground networks, so we rate the current threat probability as medium. Anyway, staying clean is not too complicated:
install a premium anti-virus scanner (see our sponsors)
update your virus signatures frequently (once per day is the minimum)
back up your data frequently to external devices, and disconnect them once the backup is done: an encrypting virus will encrypt anything it can reach, mounted backup drives included
If you are attacked by that virus and already have it on your system, you will see a message box saying:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [removed]@yahoo.com
=== BEGIN ===
=== END ===
There is not too much you can do at that point. Kaspersky recommends not turning off or rebooting the computer. Instead, contact Kaspersky at email@example.com from a second computer, and provide detailed information on how you obtained the virus (which torrent site, and so on).
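Before you get in touch you usually want to know how far the damage has spread. The following Python script is an added example, not code from the original post and not Kaspersky’s tooling: it walks a directory tree, flags any text file containing the phrases from the ransom note quoted above, and flags files whose byte entropy is close to that of random data, which is what a freshly encrypted file looks like. The sample tree it builds (directory and file names, contents, the 7.5 bits-per-byte threshold) is constructed here for illustration and does not claim anything about GPCODE’s real note file name or renamed-file suffix.

```python
"""Added example: hunt for GPcode-style ransom notes and freshly encrypted files.

Constructed sample data only; not Kaspersky's tooling or the original post's code.
"""
import math
import os
import random
import tempfile
from pathlib import Path

# Phrases taken from the ransom note quoted above; a hit on either marks a note.
NOTE_MARKERS = (
    "Your files are encrypted with RSA-1024 algorithm",
    "To buy decrypting tool contact us at",
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Random (or well-encrypted) data approaches 8.0;
    English text sits around 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_ransom_note(path: Path) -> bool:
    """True if the file contains one of the phrases from the ransom note."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def scan_tree(root, entropy_threshold: float = 7.5, min_size: int = 256):
    """Walk root and return (ransom_notes, high_entropy_files) as sorted Paths.

    The entropy check is a heuristic: compressed formats (zip, jpg, mp3)
    score just as high as ciphertext, so treat hits as leads, not verdicts.
    """
    notes, suspicious = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if is_ransom_note(path):
                notes.append(path)
                continue
            try:
                data = path.read_bytes()
            except OSError:
                continue
            # Tiny files give noisy entropy estimates; skip them.
            if len(data) >= min_size and shannon_entropy(data) >= entropy_threshold:
                suspicious.append(path)
    return sorted(notes), sorted(suspicious)


def build_sample_tree() -> Path:
    """Create a constructed directory that mimics a partially hit folder.

    File names and contents are made up for this example (assumption);
    the real note file name and renamed-file suffix are not claimed here.
    """
    root = Path(tempfile.mkdtemp(prefix="gpcode_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "ransom_note.txt").write_text(
        "Your files are encrypted with RSA-1024 algorithm.\n"
        "To recovery your files you need to buy our decryptor.\n"
        "To buy decrypting tool contact us at: [removed]@yahoo.com\n"
    )
    # Untouched plaintext: low entropy, must not be flagged.
    (docs / "notes.txt").write_text("Meeting notes for Monday.\n" * 40)
    # Stand-in for an encrypted file: deterministic pseudo-random bytes,
    # which have the same flat byte histogram as real ciphertext.
    rng = random.Random(1234)
    (docs / "report.doc.enc").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    # Small random file: below min_size, deliberately ignored by the scan.
    (docs / "stub.bin").write_bytes(bytes(rng.getrandbits(8) for _ in range(64)))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found_notes, found_files = scan_tree(sample_root)
    print("ransom notes:", [str(p.relative_to(sample_root)) for p in found_notes])
    print("likely encrypted:", [str(p.relative_to(sample_root)) for p in found_files])
```

Point scan_tree at the suspect directory (or a read-only mount of it from the second computer, so nothing on the infected disk is touched) and the two lists tell you which folders carry a note and which files have already been replaced by ciphertext. Expect archives and images in the second list as well; the note markers are the reliable signal, the entropy hits only narrow down where to look.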
Infected file formats
These are the suffixes (extensions) of files that will be affected by GPCODE: