Sunday, November 15, 2009

Android 2.0 becomes Open Source!

In a surprisingly quick move, the source code for the Eclair branch of Android (Android 2.0) became available in the Git repository today.
It comes very soon after Android 2.0 arrived on the Motorola Droid, which was only recently released to market.


There are several pitfalls, including the fact that the only build configuration added so far is optimised for the Android 2.0 SDK rather than for existing phones.
And as with the Android 1.6 source code, it expects a version of Java that is exactly 1.5 (not greater), which leaves many developers needing to modify the file build/core/main.mk to remove the Java version checks before they can build the Android 2.0 binaries.
We're just hoping that it manages to be much faster than the build that was released with the Android 2.0 SDK.

Within hours of the release, we've already seen the code ported to the oldest Android handset of them all: the T-Mobile G1.

Monday, November 9, 2009

The ikee virus - Preventing future attacks

My blog has recently had a lot of attention, due to my chats with "ikee", the author of a major iPhone worm that replicates itself from phone to phone, presumably until either all phones are secured or all phones contain the ikee virus.
If you're new here, please see my previous blog posts: The truth about the ikee iPhone "virus" and Interview with ikee - iPhone Virus Creator - Virus removal details enclosed.
There is obviously one major flaw with the ikee virus: it is unable to gain access to iPhones that are behind NAT.

I was originally going to post this, but I'd completely forgotten about it, due to the overwhelming number of visitors and all the hype surrounding the iPhone virus.

I'm asking all of the people who use jailbreak software to contact the developers of the software they use, and request that the developers prompt users for a new password. This is important, and is possibly the only way to stop hackers like ikee (and even that Dutch kid asking for $5 in return for unlocking) from doing what they are doing.
Adding a password prompt is easy for developers, and as for why they haven't already done it, I have absolutely no idea.

Why the password prompt? The following two points may be where the problem lies, and the reason the developers have not yet included some sort of automatic password-changing tool:
  1. If a developer changes the password for all users of the software to the same password, then it still leaves all the users of that particular software vulnerable to an attack.
  2. If a developer changes the password to a random string, and displays it to the user to write down, the user will probably forget it.
It's quite clear that a prompt for a password during the initial jailbreak is the only real solution to this problem, although I would also recommend that the developers stop distributing the SSH daemon, and allow users to download it [the SSH daemon] if and when required.

I'd encourage iPhone jailbreak application developers to send me an email (jd do.jeltel a@t gmail do.t com) and let me know what they've done to secure their users' iPhones. The sooner we gain control over the situation, the better.

I'm getting many emails reporting variations of the ikee virus; these are explained in my interview with ikee, and are not a new version of the ikee virus.

Sunday, November 8, 2009

Interview with ikee (iPhone Virus Creator) - ikee virus removal details enclosed

I'm posting below the full unedited log of a chat that took place between ikee and myself this morning. Please ignore any spelling or grammatical errors: this chat took place over IRC (Internet Relay Chat), where it is commonplace to use non-English words (that's my excuse and I'm sticking to it).
There may be some acronyms you are unfamiliar with, please use Google to find the meanings of them if needed.

ikee has become well known over the past few days for spreading an iPhone virus that may or may not stop anytime soon, due to its self-replication.
The cause of the virus was discussed in my last post: The truth about the ikee iPhone "virus".

I've uploaded the source code that was obtained for the ikee virus to: http://code.google.com/p/ikee-virus/ (it's in the subversion repository).
EDIT: I've decided that it's in the best interest of the iPhone community that I remove the source code for now. Whilst I'm a firm believer of Open Source, I don't think that this will benefit anyone at the moment, mostly because many users have not had the opportunity to see about the current issue. Sorry if I've inconvenienced any of the media outlets that have contacted me (or the users looking for source code) - JD.

Follow up: The ikee virus - Preventing future attacks

[09:02] <JD> Hi ikee :-) Thanks for joining me
[09:02] <ikee> nps
[09:03] <JD> Now, as you're well aware, you wrote a virus that is infecting many iPhones in Australia. I guess the real question to start with is why?
[09:04] <ikee> First i was curious to how far something like this would actually spread, i think what most people were unaware of is the fact it IS a worm and every phone that got infected with it was spreading it (I initially only infected 3 phones when I woke up i checked google and found out a fair few people were hit with it)
[09:05] <ikee> Secondly i was quite amazed by the number of people who didn't RTFM and change their default passwords.
[09:07] <JD> How far did you expect it to spread, exactly?
[09:08] <ikee> Well i didn't think that many people would have not changed their passwords I was expecting to see maybe 10~ or so people, at first I was not even going to add the replicate/worm code but it was a learning experience and i got a tad carried away :)
[09:11] <JD> Are you aware that it has even started to replicate itself overseas?
[09:13] <ikee> I heard a few stories about it, that would have been sheer luck, the code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.
[09:14] <ikee> (From another country)
[09:15] <JD> Well that was my next question: Why does it only seem to be hitting Optus here and Overseas (I was presuming from screenshots I've seen)... So you're saying the Optus network is more vulnerable due to it not using NAT?
[09:17] <ikee> I don't think it was an Optus fault (Being an Optus user I quite like the fact i can access my iPhone services from the outside world), I think it was mainly the fault of people being too lazy to change their passwords (It only takes a couple of seconds guys) and I hope this taught a few people that.
[09:18] <JD> So do you know exactly how many people are currently infected with the "ikee virus"?
[09:20] <ikee> I can only confirm how many my phone infected alone, which was 100+ phones. I think most of them fixed it (AND I'M HOPING THEY CHANGED THEIR PASSWORDS.)
[09:21] <JD> So your major defense seems to be that people left themselves vulnerable, Do you steal stuff from people's houses if they leave the backdoor open?
[09:24] <ikee> I'll answer your question with two questions, Have you ever used unprotected Wifi? and Technically I did not steal anything, have you ever littered on someone else's property? (Smokers will definitely associate ;))
[09:25] <JD> Ok, I suppose I can personally admit to both of them, but it seems a lot more to me like vandalism than littering, which isn't something I would do
[09:27] <ikee> Personally I would class littering as vandalism (They definitely don't want your rubbish there). I admit I probably pissed off a few people, but it was all in good fun (well ok for me anyway)
[09:30] <JD> So that explains why you decided to use Rick Astley. In my research, I've been reading about a similar virus (it seems) that contains a picture of an 'asian child' - I haven't seen screenshots of this, but that's how it is described. Are you also responsible for the "Asian Child virus"?
[09:32] <ikee> Ahh that was a quirk of my bad coding, the 'virus' itself has 4 variations and the first variation would resend its LockBackground.jpg to the victim. I did not comprehend that the infector might have not rebooted their phone after changing the LockBackground to something else (Causing them to send their changed lockbackground instead of Mr Astley)
[09:36] <JD> So it's the same virus, but now containing a picture of someone's loved one?
[09:37] <ikee> Yeah, that was definitely not the intended effect.
[09:39] <JD> Are you aware of the possible legal consequences of this (the ikee virus)? Are you concerned?
[09:40] <ikee> I'd like to think I'm aware, and also I highly doubt I'm in any real trouble (So no not concerned)
[09:43] <JD> James01 on Whirlpool asks: at least one person has reported being affected without a jailbreak - seems unlikely given the nature of the phone and what I have garnered about the "virus" - is this possible, or are the reports unreliable/mistaken?
[09:44] <ikee> It only affects jailbroken phones, so people probably just got a little confused
[09:45] <JD> vanquish777 on Whirlpool says: What I want to know is, how did I get infected when I had SSH toggled off
[09:46] <ikee> You didn't :), My guess is you had it on and when the 'virus' hit, it disabled sshd so when you checked it afterwards it appeared to be off
[09:47] <JD> Which reminds me, many people have said they are no longer able to disable SSH, is this intended to make sure you can do more damage to users?
[09:50] <ikee> This was a hard bit for me to do, until i hit this the virus was not destructive at all. My first intention was to change the root/mobile password to random strings, then embed the strings into the LockBackground. Unfortunately passwd uses a tty (and not stdin) for its new password:request (similar to ssh logins, which is why you might find sshpass in /bin/, i had to port it) so to stop the phone getting infected over and over again (and
[09:50] <ikee> someone else catching on and having mischief with peoples phones) I removed SSHD (cydia reinstall will remedy the problem)
[09:51] <ikee> (Cydia reinstall of SSH not reinstall Cydia itself)
[09:53] <JD> So you're saying that the only harm this virus causes is the removal of the SSH Daemon, which effectively, disables the initial problem?
[09:53] <ikee> Well that and the pretty background yes :)
[09:54] <JD> You mentioned that there are four versions/variants, what are the differences between them?
[09:55] <ikee> Variants A-C were quite similar and the ones most people have brought up. Variant D is a fair bit different, it stores its files in a completely different place and hides itself a lot more (No random plists in LaunchDaemons)
[09:56] <JD> So you're saying that the newest variant is more hidden, is it more malicious?
[09:57] <ikee> It is a lot more hidden, I think most phones tend to be more secured now so it should die pretty fast. It is a little more malicious it tampers with some Cydia files.
[10:01] <JD> Do Android users risk being infected? I'm guessing that the virus would only log in as root:alpine (the default root username and password for the iPhone OS IIRC)
[10:02] <ikee> AFAIK no unless a user decided to use the same passwords, Although there is a weird quirk I read about dropbear in Android allowing any password (A bug with libcrypt I believe) but I could be very wrong.
[10:03] <ikee> But even if an android phone was attacked the platform differences would not allow the code to be run :)
[10:04] <JD> Just out of curiosity, what do you call what i've named the "ikee virus"?
[10:05] <ikee> Its in a folder called POC-iWorm (Proof Of Concept) but I never named it (ikee virus works!)
[10:09] <JD> You yesterday agreed to send me the source code (and removal instructions), what variant will it contain?
[10:10] <ikee> C/D whatever version you want :)
[10:11] <JD> How about all four? I'll obviously be placing them online - probably Google Code or similar
[10:13] <ikee> A-C was updated so I don't have the first 2, I forked D from C. (I don't know if it's so wise posting the code online, nefarious people that otherwise would not have had the chance could modify it to be quite destructive)
[10:14] <JD> Perhaps, But it has become quite clear that there's a load of people that are unsecure, and if anyone wants to do anything bad enough, they are already going to know how.
[10:15] <JD> I guess I'm hoping that the jailbreak software will soon have a "enter new root password" prompt for those users that are unaware.
[10:15] <ikee> I'll leave the choice up to you :)
[10:15] <ikee> I'd love to see that
[10:16] <ikee> or even a random password generated and displayed for the user to write down
[10:17] <JD> Yes, it would be very good. I had an iPod Touch a while ago, which I "jailbroke" - admittedly I didn't change the default password. I guess i'm just glad it's not me.
[10:17] <JD> Do you plan on making any further variants? If so, why?
[10:18] <ikee> No, I think the point has been made
[10:18] <JD> Have you developed anything PRODUCTIVE in the iPhone world?
[10:21] <ikee> I'm not too sure what others would class productive. I do not own a MAC or run OSX (Using a linux cross compile toolchain) so it makes it a bit of a challenge to develop any applications utilising the UI (I have tho -.-). I think the best program I've developed for it for me was a remote debugging library that sends debug information over the network (Using MCAST)
[10:23] <JD> Do you have anything further to add (I'm having a mental blank on questions to ask right now)
[10:26] <ikee> I hope I did not piss off many people, this was a very simple problem and has an even simpler solution. I thought it was quite funny and I hope others did too :)
[10:27] <JD> You mentioned infecting only three iPhones to begin with, when did that happen?
[10:28] <ikee> Around 4am November 6th (Yeah I have no life)
[10:31] <JD> To confirm, other than replicating itself, adding the picture of Rick Astley, and removing the SSH Daemon, are we likely to find anything else it does?
[10:32] <ikee> Nothing, and if you're releasing the source code people will be able to see that :)
[10:33] <JD> Can you please explain to me, how an infected user would remove the different versions correctly?
[10:33] <JD> by correctly, I mean completely.
[10:33] <ikee> Sure, variants A-C store files in these directories
[10:34] <ikee> /bin/poc-bbot
[10:34] <ikee> /bin/sshpass
[10:34] <ikee> /var/log/youcanbeclosertogod.jpg
[10:34] <ikee> /var/mobile/LockBackground.jpg
[10:35] <ikee> /System/Library/LaunchDaemons/com.ikey.bbot.plist
[10:35] <ikee> /var/lock/bbot.lock
[10:35] <ikee> using rm (in SSH or mobile-terminal) on those files will remove it
[10:36] <ikee> then reboot the phone, change your password and reinstall SSH
[10:36] <ikee> For variant D its abit different
[10:36] <ikee> The locations are
[10:37] <ikee> /usr/libexec/cydia/startup
[10:37] <ikee> /usr/libexec/cydia/startup.so
[10:37] <ikee> /usr/libexec/cydia/startup-helper
[10:37] <ikee> /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
[10:38] <ikee> Of course cydia used these files previously so you may need to reinstall it after deleting this files
[10:38] <ikee> *these
[10:38] <JD> So the D variant overwrites system files?
[10:39] <ikee> Overwrits cydia's files
[10:39] <ikee> *Overwrites
[10:39] <JD> Sorry, I'm not an expert at the iPhone OS :P
[10:39] <ikee> Neither :P
[10:40] <JD> So none of your versions do contain any password changing commands?
[10:40] <JD> I mean, so when I provide uninstall instructions, I can tell them to use alpine as the password ?
[10:41] <ikee> None of the code changes passwords
[10:42] <JD> Thanks for your time ikee, and I really hope you do get into developing things that are productive sometime soon.
[10:42] <ikee> me too :) and no problems
[10:42] <JD> Perhaps on the Android platform (Yes, I know, I'm a fanboy)
[10:42] <ikee> I just downloaded the x86 iso, so maybe :P
[10:43] <JD> I'll ask you more about that after I end this logging session, Cheers :)
[10:43] <ikee> Ciaoo
End of #Interview_Room buffer    Sun Nov 08 10:43:58 2009


Above: The "Asian Child" that got caught in the misfire
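As an added example (not the post's or ikee's code), the following POSIX sh audit checks a jailbroken iPhone OS filesystem for the variant A-C artifacts ikee lists in the log above and removes them; ROOT is an assumed variable so the same functions can be run against a mounted backup instead of the live phone. The follow-up steps from the log (reboot, change the root and mobile passwords, reinstall OpenSSH from Cydia) still have to be done by hand, and because the variant D paths are Cydia's own files, they are only reported, never treated as proof of infection.

```shell
#!/bin/sh
# Added example: audit a jailbroken iPhone OS filesystem for the
# ikee variant A-C artifacts named in the interview, and remove them.
# ROOT (an assumed variable, not from the post) prefixes every path so
# the functions can be run against a mounted backup; empty = live phone.
ROOT="${ROOT:-}"

# Artifact paths for variants A-C, as listed by ikee.
IKEE_ABC_FILES="
/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock
"
# The lock-screen wallpaper exists on every phone; the worm only replaces
# its contents, so it is cleaned but never counted as an indicator.
WALLPAPER=/var/mobile/LockBackground.jpg

# Variant D overwrites Cydia's own startup files, so their presence alone
# proves nothing; if D is suspected, reinstall Cydia as the log advises.
IKEE_D_FILES="
/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
"

# Print every A-C artifact present under $ROOT, one per line.
# Returns 0 if at least one was found, 1 if the phone looks clean.
ikee_abc_found() {
    hit=1
    for f in $IKEE_ABC_FILES; do
        if [ -e "$ROOT$f" ]; then
            echo "$f"
            hit=0
        fi
    done
    return $hit
}

# Remove the A-C artifacts and the replaced wallpaper. Afterwards the
# phone still needs a reboot, new root/mobile passwords and a fresh
# OpenSSH install from Cydia; this function does not attempt those.
ikee_abc_clean() {
    for f in $IKEE_ABC_FILES $WALLPAPER; do
        if [ -e "$ROOT$f" ]; then
            rm -f "$ROOT$f"
        fi
    done
    return 0
}

# Report only: list which variant D paths exist so the owner can decide
# whether to reinstall Cydia. Always returns 0.
ikee_d_report() {
    for f in $IKEE_D_FILES; do
        if [ -e "$ROOT$f" ]; then
            echo "present (normal for Cydia, verify): $f"
        fi
    done
    return 0
}

if ikee_abc_found; then
    echo "ikee variant A-C artifacts found; run ikee_abc_clean, then reboot,"
    echo "change the root and mobile passwords and reinstall OpenSSH."
else
    echo "no ikee variant A-C artifacts under '${ROOT:-/}'"
fi
```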

The truth about the ikee iPhone "virus"

Many people have awoken to find themselves with a new wallpaper containing a picture of Rick Astley, who has in recent years become very popular on the internet through a bait-and-switch game known as RickRolling. RickRolling is a game in which users all over the world send each other links to a video of Rick Astley's "Never Gonna Give You Up" during a general conversation, generally pretending that the link is related to the current topic of conversation.

The wallpaper of Rick Astley that appears on the iPhone virus says "ikee is never going to give you up".

Right now, it's hitting many iPhones across Australia, and possibly the world, as every single second goes by.

What's the deal?
The virus, which has come to be known as the "ikee virus", has spread quickly, as can be seen on many websites and forums, and has quickly become one of Australia's most well-known smartphone viruses.
A quote from the author indicated that they were very surprised by the number of users that are infected with the "ikee virus", (and I quote) "it[the ikee virus] wasn't meant ot[to] get this big".

As for users that are infected, there are two common denominators: they all have hacked iPhones (known to the hacking community as "JailBroken"), and they all run an SSH daemon, allowing users to connect to their phones remotely and attempt to log in.
The problem doesn't lie within either the JailBreak or the SSH daemon on its own; it is the combination of both AND leaving the default root password for the iPhone as alpine.

Over the next few days, I'll be doing an interview with ikee, the author of this virus, and I'll be providing full instructions on how to remove it and obtaining the full source code for the virus.

Users that have already "JailBroken" their iPhones, should immediately change the root account password, even if they have not installed an SSH Daemon.

Note: This only affects jailbroken iPhones, not standard ones.

Above: The default background screen extracted from the ikee virus

Above: The iPhone lock screen after infection with the ikee virus
Submitted by thegolfcud40 of smart-mobile.com

Above: The iPhone call screen after infection with the ikee virus
Submitted by Batman of whirlpool.net.au

Tuesday, November 3, 2009

Bigpond Chat closes - users re-unite on URChat

Sometime in October 2009, it was announced that Bigpond Chat would be closed at the end of the month, on the 31st of October, 2009. I seem to have missed this announcement, even though I'm a regular Bigpond Chat participant, because I was on holidays in Melbourne, Victoria.
While a closure of Bigpond Chat had been expected for some time (I'll explain that soon), my initial thoughts of Bigpond Chat closing were due to one of the loyal Bigpond IRCops (IRC Operators) indicating on Facebook that they were moving to another network.


So - is Bigpond Chat really closing?
I returned to Bigpond Chat when I had arrived back home in Sydney to find so much FUD (Fear, Uncertainty and Doubt) among the users, as many were unsure about the prospects of being able to communicate with each other. I'd noticed the closure message in the MOTD (Message of the Day) during my initial connection to Bigpond Chat that day, which confirmed my thoughts about Bigpond Chat closing.
I instantly started receiving messages asking me where I would be moving to, if Bigpond Chat was really closing, and questions about why people had been posting links in private messages to other chat networks.
I looked at some of the links people were posting to other IRC networks, some of them being new or inexperienced networks, and others that had been around for a while. I decided not to make the move to any of them, and instead to just move one of the channels I ran on Bigpond over to URChat, a network I co-own and administrate.


The new Sydney room
Initially I started just telling a few users that I've known online for quite some time that I would be moving to URChat. I later decided to ask in the official Bigpond Chat help room whether it would be possible for me to display a link in the Sydney Room on Bigpond Chat to the new Sydney Room that I had created over at URChat. I was met with a very welcome "why not? go for it!" from a Bigpond Chat IRCop, so I created a link in the topic, which the users would see on join, and I also set up an automated message that would display mid-conversation to all of the users in the Sydney Room.


We immediately started to have people showing up at the new Sydney Room on the URChat IRC Network, and grew a small userbase very quickly. I'd been keeping an eye on the size of the other networks to see which one(s) had picked up the majority of Bigpond Chat users. My mind was instantly drawn to a single network (known as ESSX) that had done the same thing that the Sydney Room had done: creating an identical room on another network.
The demographics of the two rooms (Sydney and 40s) were certainly very different, but the sizes of both networks were very similar.
URChat and ESSX decided to trial a link, to improve users' experiences on both the URChat and ESSX networks. The link immediately created some hostility among the other networks, perhaps in fear of the idea that the URChat/ESSX partnership would become the primary location for the Bigpond Chat users.
For matters I don't think need discussing here, we (URChat) decided to de-link the two networks, as the network link wasn't working as originally intended. Immediately after the de-link, the 40s room decided to move over to URChat. This left ESSX with a very small userbase, most of whom later decided to also continue to URChat; this caused URChat to become the dominant location for Bigpond Chat users, and led to the creation of many other Bigpond Chat chatrooms.


The end is near - final moments of Bigpond Chat
The 31st of October, 2009: all the users on Bigpond Chat have been forced into an exit room called #Exit.31Oct2009. The network operators have all had their access removed, with the exception of the chatmaster, and the channel operators have also all had their access removed.
IRCops have been removed (except for the chatmaster).
Everyone expects that Bigpond Chat will close late in the evening. Boy, were they wrong.
At 1:23AM AEDST Bigpond Chat's Victorian server is forcibly shut down, disconnecting about 18 users.
There are 14 messages sent to the exit channel immediately after, by: Scarlet, Sinister, BobbaFett, MudStuFFin, tipsy, MrTheToad, hotaussieguy31, JD, and BluFudge-net.
At 1:24AM AEDST Bigpond Chat's Queensland Server is also disconnected from the internet, causing the many remaining users to receive only the following message:
[01:41] * Disconnected
I must say that I was rather disappointed with the end of Bigpond Chat. There was no final goodbye, thank-you, or any other message from Bigpond Chat staff, very unlike what was seen when MSN Chat closed down their IRCX Network on October 16, 2006.
By this time, it had become rather clear that there were only two IRC networks that were likely to take over the role of Bigpond Chat: URChat and Induced. Both networks are well known, and have been around for many years, unlike many of the IRC networks initially in the competition for Bigpond Chat users.


Where did everybody go?
It's now several days after the Bigpond Chat Network has closed, and it has since become quite clear that the majority of the Bigpond Chat users (and Bigpond Chat staff) ended up moving to URChat. URChat added an additional IRC server on the day that Bigpond Chat came to an end, in anticipation of supporting Bigpond Chat's rooms, staff, hosts, and users.
I'm not going to give reasons as to why URChat is the best, as I think it would seem very biased, but I have quickly learnt that at the end of the day, users follow users, not links. With so much competition on the playing field, the users need to be happy where they go.


What is IRC?
Internet Relay Chat, known as just 'IRC' to many, is a protocol that is nearly as old as myself. IRC began in Finland sometime around the middle of 1988, so it's not surprising that large companies such as Bigpond are starting to end their use of IRC. Bigpond Chat has been using the IRC protocol on ConferenceRoom servers located across Australia for over a decade.


How many servers did Bigpond Chat have, and what were they?
Bigpond Chat ran on Microsoft Windows servers, using WebMaster's ConferenceRoom software. The official Bigpond Chat server list is as follows:


  • Victorian Server: vic-chat.bigpond.com
  • Queensland Server: qld-chat.bigpond.com
  • New South Wales Server: nsw-chat.bigpond.com (has been offline for approximately a year)
  • Western Australia: wa-chat.bigpond.com (has been offline for many years)


Note: The location only indicates where the server was situated; you could connect to any of the servers above from almost anywhere in the world.