Sunday, November 8, 2009

Interview with ikee (iPhone Virus Creator) - ikee virus removal details enclosed

I'm posting below the full, unedited log of a chat that took place between ikee and myself this morning. Please ignore any spelling or grammatical errors: this chat took place over IRC (Internet Relay Chat), where it is commonplace to use non-English words (that's my excuse and I'm sticking to it).
There may be some acronyms you are unfamiliar with; please use Google to find their meanings if needed.

ikee has become well known over the past few days for spreading an iPhone "virus" (strictly a worm: every infected phone scans for and infects further phones) that may not stop any time soon, precisely because it replicates itself.
The cause of the virus has been discussed in my last post: The truth about the ikee iPhone "virus".

I've uploaded the source code that was obtained for the ikee virus to: http://code.google.com/p/ikee-virus/ (it's in the Subversion repository).
EDIT: I've decided that it's in the best interest of the iPhone community that I remove the source code for now. Whilst I'm a firm believer in Open Source, I don't think this will benefit anyone at the moment, mostly because many users have not yet had the opportunity to deal with the current issue. Sorry if I've inconvenienced any of the media outlets that have contacted me (or the users looking for the source code) - JD.

Follow up: The ikee virus - Preventing future attacks

[09:02] <JD> Hi ikee :-) Thanks for joining me
[09:02] <ikee> nps
[09:03] <JD> Now, as you're well aware, you wrote a virus that is infecting many iPhones in Australia. I guess the real question to start with is why?
[09:04] <ikee> First I was curious as to how far something like this would actually spread. I think what most people were unaware of is the fact it IS a worm, and every phone that got infected with it was spreading it (I initially only infected 3 phones; when I woke up I checked Google and found out a fair few people were hit with it)
[09:05] <ikee> Secondly I was quite amazed by the number of people who didn't RTFM and change their default passwords.
[09:07] <JD> How far did you expect it to spread, exactly?
[09:08] <ikee> Well I didn't think that many people would have not changed their passwords; I was expecting to see maybe 10 or so people. At first I was not even going to add the replicate/worm code, but it was a learning experience and I got a tad carried away :)
[09:11] <JD> Are you aware that it has even started to replicate itself overseas?
[09:13] <ikee> I heard a few stories about it; that would have been sheer luck. The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd), then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.
[09:14] <ikee> (From another country)
[09:15] <JD> Well that was my next question: Why does it only seem to be hitting Optus here and Overseas (I was presuming from screenshots I've seen)... So you're saying the Optus network is more vulnerable due to it not using NAT?
[09:17] <ikee> I don't think it was an Optus fault (being an Optus user I quite like the fact I can access my iPhone services from the outside world). I think it was mainly the fault of people being too lazy to change their passwords (it only takes a couple of seconds, guys) and I hope this taught a few people that.
[09:18] <JD> So do you know exactly how many people are currently infected with the "ikee virus"?
[09:20] <ikee> I can only confirm how many my phone infected alone, which was 100+ phones. I think most of them fixed it (AND I'M HOPING THEY CHANGED THEIR PASSWORDS.)
[09:21] <JD> So your major defense seems to be that people left themselves vulnerable, Do you steal stuff from people's houses if they leave the backdoor open?
[09:24] <ikee> I'll answer your question with two questions, Have you ever used unprotected Wifi? and Technically I did not steal anything, have you ever littered on someone else's property? (Smokers will definitely associate ;))
[09:25] <JD> Ok, I suppose I can personally admit to both of them, but it seems a lot more to me like vandalism than littering, which isn't something I would do
[09:27] <ikee> Personally I would class littering as vandalism (they definitely don't want your rubbish there). I admit I probably pissed off a few people, but it was all in good fun (well, ok for me anyway)
[09:30] <JD> So that explains why you decided to use Rick Astley. In my research, I've been reading about a similar virus (it seems) that contains a picture of an 'asian child' - I haven't seen screenshots of this, but that's how it is described. Are you also responsible for the "Asian Child virus"?
[09:32] <ikee> Ahh that was a quirk of my bad coding, the 'virus' itself has 4 variations and the first variation would resend its LockBackground.jpg to the victim. I did not comprehend that the infector might have not rebooted their phone after changing the LockBackground to something else (Causing them to send their changed lockbackground instead of Mr Astley)
[09:36] <JD> So it's the same virus, but now containing a picture of someone's loved one?
[09:37] <ikee> Yeah, that was definitely not the intended effect.
[09:39] <JD> Are you aware of the possible legal consequences of this (the ikee virus)? Are you concerned?
[09:40] <ikee> I'd like to think I'm aware, and also I highly doubt I'm in any real trouble (So no not concerned)
[09:43] <JD> James01 on Whirlpool asks: at least one person has reported being affected without a jailbreak - seems unlikely given the nature of the phone and what I have garnered about the "virus" - is this possible, or are the reports unreliable/mistaken?
[09:44] <ikee> It only affects jailbroken phones, so people probably just got a little confused
[09:45] <JD> vanquish777 on Whirlpool says: What I want to know is, how did I get infected when I had SSH toggled off
[09:46] <ikee> You didn't :), My guess is you had it on and when the 'virus' hit, it disabled sshd so when you checked it afterwards it appeared to be off
[09:47] <JD> Which reminds me, many people have said they are no longer able to disable SSH, is this intended to make sure you can do more damage to users?
[09:50] <ikee> This was a hard bit for me to do, until i hit this the virus was not destructive at all. My first intention was to change the root/mobile password to random strings, then embed the strings into the LockBackground. Unfortunately passwd uses a tty (and not stdin) for its new password:request (similar to ssh logins, which is why you might find sshpass in /bin/, i had to port it) so to stop the phone getting infected over and over again (and
[09:50] <ikee> someone else catching on and having mischief with people's phones) I removed SSHD (a Cydia reinstall will remedy the problem)
[09:51] <ikee> (Cydia reinstall of SSH not reinstall Cydia itself)
[09:53] <JD> So you're saying that the only harm this virus causes is the removal of the SSH Daemon, which effectively, disables the initial problem?
[09:53] <ikee> Well that and the pretty background yes :)
[09:54] <JD> You mentioned that there are four versions/variants, what are the differences between them?
[09:55] <ikee> Variants A-C were quite similar and the ones most people have brought up. Variant D is a fair bit different: it stores its files in a completely different place and hides itself a lot more (no random plists in LaunchDaemons)
[09:56] <JD> So you're saying that the newest variant is more hidden, is it more malicious?
[09:57] <ikee> It is a lot more hidden. I think most phones tend to be more secured now so it should die pretty fast. It is a little more malicious; it tampers with some Cydia files.
[10:01] <JD> Do Android users risk being infected? I'm guessing that the virus would only log in as root:alpine (the default root username and password for the iPhone OS IIRC)
[10:02] <ikee> AFAIK no unless a user decided to use the same passwords, Although there is a weird quirk I read about dropbear in Android allowing any password (A bug with libcrypt I believe) but I could be very wrong.
[10:03] <ikee> But even if an android phone was attacked the platform differences would not allow the code to be run :)
[10:04] <JD> Just out of curiosity, what do you call what I've named the "ikee virus"?
[10:05] <ikee> Its in a folder called POC-iWorm (Proof Of Concept) but I never named it (ikee virus works!)
[10:09] <JD> You yesterday agreed to send me the source code (and removal instructions), what variant will it contain?
[10:10] <ikee> C/D whatever version you want :)
[10:11] <JD> How about all four? I'll obviously be placing them online - probably Google Code or similar
[10:13] <ikee> A-C was updated so I don't have the first 2; I forked D from C. (I don't know if it's so wise posting the code online; nefarious people that otherwise would not have had the chance could modify it to be quite destructive)
[10:14] <JD> Perhaps, but it has become quite clear that there's a load of people that are insecure, and if anyone wants to do anything badly enough, they are already going to know how.
[10:15] <JD> I guess i'm hoping that the jailbreak software will soon have a "enter new root password" prompt for those users that are un-aware.
[10:15] <ikee> I'll leave the choice up to you :)
[10:15] <ikee> I'd love to see that
[10:16] <ikee> or even a random password generated and displayed for the user to write down
[10:17] <JD> Yes, it would be very good. I had an iPod Touch a while ago, which I "jailbroke" - admittedly I didn't change the default password. I guess i'm just glad it's not me.
[10:17] <JD> Do you plan on making any further variants? If so, why?
[10:18] <ikee> No, I think the point has been made
[10:18] <JD> Have you developed anything PRODUCTIVE in the iPhone world?
[10:21] <ikee> I'm not too sure what others would class as productive. I do not own a Mac or run OSX (using a Linux cross-compile toolchain), so it makes it a bit of a challenge to develop any applications utilising the UI (I have though -.-). I think the best program I've developed for it, for me, was a remote debugging library that sends debug information over the network (using MCAST)
[10:23] <JD> Do you have anything further to add (I'm having a mental blank on questions to ask right now)
[10:26] <ikee> I hope I did not piss off many people; this was a very simple problem and has an even simpler solution. I thought it was quite funny and I hope others did too :)
[10:27] <JD> You mentioned infecting only three iPhones to begin with, when did that happen?
[10:28] <ikee> Around 4am November 6th (Yeah I have no life)
[10:31] <JD> To confirm, other than replicating itself, adding the picture of Rick Astley, and removing the SSH Daemon, are we likely to find anything else it does?
[10:32] <ikee> Nothing, and if you're releasing the source code people will be able to see that :)
[10:33] <JD> Can you please explain to me, how an infected user would remove the different versions correctly?
[10:33] <JD> by correctly, I mean completely.
[10:33] <ikee> Sure, variants A-C store files in these directories
[10:34] <ikee> /bin/poc-bbot
[10:34] <ikee> /bin/sshpass
[10:34] <ikee> /var/log/youcanbeclosertogod.jpg
[10:34] <ikee> /var/mobile/LockBackground.jpg
[10:35] <ikee> /System/Library/LaunchDaemons/com.ikey.bbot.plist
[10:35] <ikee> /var/lock/bbot.lock
[10:35] <ikee> using rm (in SSH or MobileTerminal) on those files will remove it
[10:36] <ikee> then reboot the phone, change your password and reinstall SSH
[10:36] <ikee> For variant D it's a bit different
[10:36] <ikee> The locations are
[10:37] <ikee> /usr/libexec/cydia/startup
[10:37] <ikee> /usr/libexec/cydia/startup.so
[10:37] <ikee> /usr/libexec/cydia/startup-helper
[10:37] <ikee> /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
[10:38] <ikee> Of course cydia used these files previously so you may need to reinstall it after deleting this files
[10:38] <ikee> *these
[10:38] <JD> So the D variant overwrites system files?
[10:39] <ikee> Overwrits cydia's files
[10:39] <ikee> *Overwrites
[10:39] <JD> Sorry, I'm not an expert at the iPhone OS :P
[10:39] <ikee> Neither :P
[10:40] <JD> So none of your versions do contain any password changing commands?
[10:40] <JD> I mean, so when I provide uninstall instructions, I can tell them to use alpine as the password ?
[10:41] <ikee> None of the code changes passwords
[10:42] <JD> Thanks for your time ikee, and I really hope you do get into developing things that are productive sometime soon.
[10:42] <ikee> me too :) and no problems
[10:42] <JD> Perhaps on the Android platform (Yes, I know, I'm a fanboy)
[10:42] <ikee> I just downloaded the x86 iso, so maybe :P
[10:43] <JD> I'll ask you more about that after I end this logging session, Cheers :)
[10:43] <ikee> Ciaoo
End of #Interview_Room buffer    Sun Nov 08 10:43:58 2009


Above: The "Asian Child" that got caught in the misfire
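The removal steps ikee gives in the interview (rm the listed files, reboot, change the password, reinstall SSH) as an added shell script. This is not part of the original post and not ikee's code; it simply puts the two file lists from the log in one place so the run can be rehearsed against a scratch directory before it is done for real. It assumes it is run as root on the phone (over SSH or in MobileTerminal), that the bbot launch daemon can be unloaded with launchctl before its files go (the reboot ikee calls for would stop it anyway), and it lists LockBackground.jpg both as typed in the log and at the corrected path from comment 5. Variant D's files are Cydia's own, so their presence proves nothing and they are removed only on request, after which Cydia must be reinstalled.

```shell
#!/bin/sh
# Added example (not ikee's code and not from the original post): the removal
# steps from the interview, wrapped in two shell functions.
#
# ROOT is the first argument of each function. Leave it empty ("") for the
# live filesystem on the phone (run as root); point it at a scratch directory
# to rehearse against copies.

# Variants A-C: the paths ikee lists above. LockBackground.jpg appears both as
# typed in the log and as corrected in comment 5, so either location is caught.
IKEE_AC_FILES="
/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg
/var/mobile/Library/LockBackground.jpg
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock
"

# Variant D overwrites Cydia's own startup files, so their presence on its own
# is not an indicator. They are removed only when asked for, and Cydia then
# has to be reinstalled (as ikee notes).
IKEE_D_FILES="
/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
"

# ikee_scan ROOT: print every A-C indicator present under ROOT.
# Exit status 0 when at least one was found, 1 when none of them is present.
ikee_scan() {
    root="$1"
    found=1
    for f in $IKEE_AC_FILES; do
        if [ -e "$root$f" ]; then
            echo "ikee A-C indicator: $root$f"
            found=0
        fi
    done
    return $found
}

# ikee_clean ROOT [d]: delete the A-C files (and, with "d", variant D's files).
# On a live run the bbot launch daemon is unloaded first (assumption: launchctl
# is available, as it normally is on a jailbroken phone) so nothing is re-dropped
# before the reboot that ikee's instructions call for anyway.
ikee_clean() {
    root="$1"
    files="$IKEE_AC_FILES"
    if [ "${2:-}" = "d" ]; then
        files="$files $IKEE_D_FILES"
    fi
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload /System/Library/LaunchDaemons/com.ikey.bbot.plist 2>/dev/null || true
    fi
    for f in $files; do
        if [ -e "$root$f" ]; then
            # "permission denied" here (see comment 33) means you are not root.
            if rm -f "$root$f"; then
                echo "removed $root$f"
            else
                echo "could not remove $root$f (log in as root first)" >&2
            fi
        fi
    done
    return 0
}

# Live run on the phone, as root:   sh ikee-clean.sh --run      (variants A-C)
#                                   sh ikee-clean.sh --run d    (also variant D)
if [ "${1:-}" = "--run" ]; then
    ikee_scan "" || echo "no A-C indicators present (variant D leaves none of them)"
    ikee_clean "" "${2:-}"
    echo "Now: reboot, run 'passwd' as root and again as mobile, then reinstall"
    echo "OpenSSH from Cydia (and Cydia itself if variant D's files were removed)."
fi
```

The scan only knows the A-C paths; a phone hit by variant D will scan clean, which is exactly the point ikee makes about it hiding better, so the "d" option is there for the case where Cydia misbehaves and you have decided to reinstall it anyway. Changing the passwords is the step that actually closes the hole; deleting files without it just invites the next scan to land.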

45 comments:

  1. Interviewing obviously isn't something I do often, Please be kind :-)

  2. I thought you did quite well JD.
    Very interesting read, saved me asking him myself.

  3. Gah, I just got hit :), glad to see there was info on how to get rid of it :)

  4. After reading this, I'm now quite convinced JD is ikee. Writing style and all.

  5. Shit, its supposed to be
    /var/mobile/Library/LockBackground.jpg
    not

    [10:34] >ikee< /var/mobile/LockBackground.jpg

  6. @thomasbeckh I highly doubt that :)

  7. I guess that with freedom comes responsibility.

    Obviously, not all of Apple's "control freakery" is malign, and by removing it all, a jailbreaker ends up "throwing out the baby with the bathwater"

    We always seem to get caught out in various traps and snares when we fail to distinguish our wants from our needs.

    By this I mean that we want that unauthorised app, home screen or full control of our possession so badly that we neglect the fine print: we fail to appreciate that we need to take vital actions on the consequences of our decisions, the possible consequences of what we desire, even if they are very simple steps as in this case.

    I now see the often-used phrase "beware what you wish for" in a clearer light with this pretty harmless (so far) issue.

  8. Optus User.. I'm guessing I was one of those early ones to get hit - possibly "one of the 3".. Here's my story...

    I woke up on Friday morning around 5am and noticed that my Lockscreen-BG was different (it was an image containing a few footballs and a few trophies; I'm guessing it was one of the other strains that forwards the BG-image from other iPhones, from what I've read above). I thought it was strange but didn't think anything bad of it at first - thought I'd installed an app that caused the Lockscreen-BG change.

    I began deleting a few apps that I thought may have caused it, but nothing. Tried changing the BG but that didn't work either. It was only today when I was on a call that I realised what it was, and as I went to end the call, I saw for the first time since the BG change, an image of good'old Rick Astley on my phone..

    I must say, I am quite ticked off about it; however I do appreciate the fact that it's easily removed and (from what I can understand) not malicious at all and nothing more than a big prank..

  9. LOL. That child is NOT asian!!!

  10. Ryan H: That's what I thought, I've used the term asian child since that's what I blogged it as, and heard it was, before I had seen a screenshot.

  11. i tried to delete them all... still there grrr

  12. fgints, you will need to login as root (your password WILL be alpine :P) to be able to delete the files.

    I've written another article in this series: The ikee virus - Preventing future attacks... which explains how we can prevent similar virus' from spreading on iPhones in the future.

  13. You can find a step by step posting here on How to remove ikee virus and a FAQ - http://www.machackpc.com/iphone/3g/iphone-virus-ikee-protect-your-iphone/

  14. the google code page gives a 403 forbidden error! Please post the source somewhere else so we can please see it! I'm dying to look through it! Thanks!!!! :D

  15. Hi Xander, I just suspended the Google code account. read edits for a reason why.

  16. This comment has been removed by a blog administrator.

  17. JD: Damn! i was really looking forward to getting to see the source code, i hope you would at least release some time in the future after this all blows over for some of us to see (for non-destructive reasons of course) :P

  18. This comment has been removed by a blog administrator.

  19. Someone needs to breath in.. slowly.

  20. To the people giving shit to ike_x... Shut the fuck up. Imagine if someone far worse devoloped this code and instead of just using it to change your wallpaper they used it to steal all your bank details. Contacts. Sms.

    Even credit card details. I think that you should think yourself lucky that this is all the has happened.

  21. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA @ Wayne

  22. Wow @ Wayne and also @Anon
    You guys have no respect for the software industry (esp. wayne - "nerd c***"). It's people like Ikee who bring you things like this because you abuse the people who make software. You're probably one of the people who downloads software like the jailbreaking utility and doesn't even think of donating to their hard work when it makes your life easier and cheaper.

    What Ikee has done is a kick in the nuts for you two guys, and from what I can read, you deserve it :)

  23. lol calm down, it's only a prank... & remember to login as root b4 trying to delete files... type "login root" & then "alpine"... it looks as though you're not typing anything.... & lol it isn't that hard to remove, take a chill pill... over all the guy did something good, he alerted many people to the fact that they are leaving all their information out in the open... if someone wanted to they could take info from ur iPhone.... Just remember to change your password: type "login root"... "alpine"... "passwd".. & then ur new passwd (won't look like you're typing anything)

  24. so you'd all approve of a criminal walking into your homes where your babies were sleeping and valuables lying around - whilst you were unaware. JUST because he wanted you to know your door was unlocked? pfft F*ck that. you'd all chuck a spastic and take his head off with the closest sharp object. so dont have a go at me coz im pissed that my privacys been invaded.

  25. You should really let people see the code that's been released (a few people did manage to mirror it but I haven't found them yet). It's nothing that's not out there already in terms of other worms, but this was written in C. Something I haven't seen in a long while.

  26. Its true true that mobile is the reason for behind some disease .I am agree with you .We should try to reduce usage of mobile phone.I will try to do it and also say to my friend circle also.Thanks fore this serious and useful information.
    r4

  27. Who can Download the Source Code Ikee ? Google Code is Down

  28. Just removed rick from my phone, must agree though could have been much worse... Nice work!

  29. i have been hit with the worm and i tried to get rid of it by downloading the mobileterminal app and changed the password but the wallpaper still stays. any ideas why?

  30. Hello JD, first off, great interview, got the important info across. When I was trying to go to the Google Code, it said I did not have permission to view that code. I know many people in my area that have their iPhone jailbroken, and I know for a fact do not know how to change the root password. What I am wondering, is if you could please send me the source code, that would be awesome. My email is pyrokarmafilms@gmail.com

    Thanks
    -Troy

  31. I want to make a test anti-virus program for Strain D, so could you give me a neutered (Non-Contagious) version for my iPod Touch to make & test the anti-virus? TY. Send it to darkpoke09@gmail.com, or post it.

    TY,
    ~Omnipotent

    PS: Could you also give me a non-neutered to make modifications to the antivirus (if necessary).
    PPS: How do you install the virus?

  32. I got hit. But please tell, does your all your caller photo change too? Or only the wallpaper? Mine changes the caller wallpaper too. And after deleting all the files, it's still there. Even when i change the wallpaper, it changes all my caller wallpaper too.

  33. i tried everything, i even logged in onto root and used the password i had changed before using a guide from cydia.
    for 2 of the commands:

    /var/log/youcanbeclosertogod.jpg

    /var/lock/bbot.lock

    i got permission denied. others i got no such file or directory exists.

    can u pls help, I'm not a Rick Astley fan! and it's really annoying.

    maybe if you could have a more user -friendly guide like the one i used to change my password for cydia

    http://cydia.saurik.com/password.html

    thanks in advance for the help!

  34. Please, see yourself in the mirror. Fancy replacing my wife's screen with the iKee face I see every time. If the originator doesn't find himself a nuisance, I would have put a picture of my grandma in front of his iPhone 3GS and locked it with an intensive security algorithm. You will get to see my grandma every darn morning with bread and butter. Even dinner and supper every day, every hour and every minute. I am surprised the news interviewed the offender and agreed with his invention.

    I would have given the originator a heavy fine for infringing the glitch access without prior notice.

  35. hello, my names Lachlan, my email address is lachlan_burgess@live.com , can you please reply there? uhh, both variants have not worked for my I tried SSH and MobileTerminal and using the rm command. please help are there any other variants?

  36. i got it too :) in lithuania :D so it's spreading all around :D

  37. I can confirm I've been hit by this virus as well in Brazil. Thing is, i did NOT have the default alpine passwords, i got no pictures whatsoever, and my phone battery is draining like hell so people be aware someone is modifying this virus and spreading around.

  38. I got hit too, but it wasn't fair as I wanted to change the passwd immediately after jailbreaking but couldn't get mobileterminal to run (the cydia version doesn't work with iOS4). I agree Cydia should prompt users to change both root and mobile passwds on first run!

  39. Why is Apple so popular when Apple are so restrictive? Hurry up and grow, Android

  40. I am confused on getting rid of that virus. I am new to jailbreaking my iPod and never dealt with any of Cydia's apps, and cannot connect to the iPod touch's directories as I am advised to install Cydia through that, because this message came up: 'Server Unexpectedly Closed Network Connection'. My worries are about deleting the virus and installing Cydia; can I please get some help

  41. I got hit by one of the A-C variants in Iran! luckily I bumped into your post in a forum and your link to the interview here. Just wanted to thank you for being so helpful blogging this. Removed the files, reinstalled OpenSSH, changed the password immediately and it worked! Actually, couldn't thank you enough!
    /Peace

  42. Thank you , I got hit by variants A-C in India. Your post helped in fixing the issue, so wanted thank you. Was very skeptical about bricking, since i was removing using root permissions but i am able to ssh now.. thanks again
