8000 iPhone and Android devices hacked to form a botnet
It was only a matter of time. First, jailbroken iPhones were humorously Rickrolled by a worm, and now both iPhones and Android phones have been exploited to form a botnet that is over 9,000 devices strong!
Fortunately, like the Rickroll, the botnet was a benign experiment by two researchers at TippingPoint Digital Vaccine Labs; a proof of concept, just to see how easy it would be. No one was harmed in the process, and the jailbroken devices were ultimately left unscathed. Those that downloaded the app -- WeatherFist (seriously, that's one awful name) -- probably don't even know that they were exploited!
Considering that the proposed botnet relied on jailbroken devices and unmoderated app stores, the security community has been left wondering why the two researchers at TippingPoint created it. After all, if you're not going to exploit something in a strange and peculiar way, why bother to exploit it at all? You don't hack a device purely because you can.
It's quite clear, however, that you should exercise care when downloading content from third-party app stores onto your jailbroken devices. If a malicious botnet does emerge, a) you might rack up a large data transfer bill, and b) most people store sensitive information on their phones!
[via Sophos' Graham Cluley]

Reader Comments (Page 1 of 1)
Marty K. said 8:21AM on 3-11-2010
Sheesh.
It seems as if not a month can go by before I have to adjust Mr. Anthony's opinion for him. :)
"After all, if you're not going to exploit something in a strange and peculiar way, why bother to exploit it at all? You don't hack a device purely because you can."
Umm... yes you do. That's the essence of hacking. In today's world, it's mostly all about the money, but "white hat" hackers do what they do for the enjoyment/challenge/"thrill" of it.
Sebastian Anthony said 9:11AM on 3-11-2010
These guys work for a security firm... they're not merely 'white hat' hackers.
As in, they created a botnet in the hope that it would help the security community in some way.
TheOneAndOnlyJH said 10:50AM on 3-11-2010
I actually think it is kind of important. There are a ton of people who jailbreak their iPhones, and there are some people who look elsewhere than the Android Marketplace for some of their apps.
Perhaps the intent was to show that the OS should have more security built in to account for these exploits or be able to prevent them. Apple? Well good luck. They like their iron grip too much to add improvements for anything that won't make them money in the App Store. Google may consider a built in firewall though, and I know I'd like that myself.
The main point I understand from this is that smartphones are getting smarter, and they will start needing defensive mechanisms themselves (antivirus, anti-malware, firewalls). No longer is a moderated app store the answer. The future of smartphones can only lead to more of a handheld PC experience, with apps being sourced from the whole internet rather than just a single marketplace. If a company starts working on security software now, they'll be ahead of the game when smartphones fall in the scopes of malware distributors.
Marty K. said 11:11AM on 3-11-2010
Sebastian, even if they work for a security company (which hire hackers), and they created a botnet to raise awareness of this vulnerability as you now claim, then they obviously didn't do it "purely because they can."
JH, I cringe at the thought of having security software slow down my 3GS. No offense, but that is a very Windows-centric point of view. Mac OS X has been around for several years, with nary a virus outbreak. Linux systems have been around for 15+ years, and malware is even more rare than on OS X. Security holes exist, but as long as they are quickly identified and patched, this is a nonissue, but which is something that Apple needs to address with their iPhone.
I think the real solution is to design a system that has multiple barriers to infection/hijacking, with frequent security updates to plug any/all holes. Chrom/ium OS, for example, sounds like it would be obscenely secure, without the need for security software. It starts with the secure, open-source Linux kernel and then adds several security layers on top of that, including the ability to restore an infected/compromised system to a clean state with just a reboot.
Sebastian Anthony said 12:17PM on 3-11-2010
Awareness is good, but if two viruses use the same method to infect a machine, but one Rickrolls you while the other phones home (a la botnet), have we learnt anything?
I get your point, I just think their time might have been better spent offering up potential changes to make things more secure... rather than just sticking their finger in the wound and waggling it about.
I really hope mobile phones don't need security software on them, but yes... it is probably going that way...
Marty K. said 5:36AM on 3-12-2010
I'm going to have to disagree with you as to the extent of the effectiveness of awareness. I think awareness is crucial to prevent the old "security through obscurity" maneuver from proprietary software developers. This reminds me exactly of how Windows exploits become public through security experts in the hopes that blogs like this one will pick up on them, with the ultimate goal being notoriety for the exploit, which in turn forces the developer to fix it.
Phones don't need security software, they need innovative new security models. If you'd agree with me that smartphones are miniature computers, then their OSes are miniature operating systems. It therefore stands to reason that, since non-Windows desktop operating systems have been around for years that they'd be rife with malware. But they're not.
I'd therefore argue that non-Windows-based smartphone operating systems will not need specialized, third-party security software, since their desktop brethren do not.
A lot of people point to desktop market share. Windows has 90% of the desktop market, so it's gonna have the most malware, and so it'll be the same for smartphones. If that were true, Blackberry and iPhone would have been crawling with malware and hijacks. Also, if we want to compare desktop malware market share with smartphones and argue that the lead OS on a platform is most susceptible to malware attacks, then Mac, which has about 5% of the market, should also get around 5% of the malware, Linux should get around 1%. But that hasn't happened. Unless I'm gravely mistaken, both platforms have close to 0% of the malware "market share."
(I know I just responded to arguments that you didn't make, but hey, I was in an analytical mood).
We need a new security model. Check out this page for an overview of Chromium OS's security: http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview
Sebastian Anthony said 10:40AM on 3-12-2010
Hehe, I don't think Mac OS X is any less exploitable than Windows Vista or 7. XP is older, but then it should be compared against Mac OS 9 or something :)
As you say, the larger shares attract the majority of the malware. I expect it's much more biased than simply 'an OS with 5% market share attracts 5% of the malware makers'. It's more about investing time -- look at games. Much less than 5% of all games are for Macs.
But there are certainly ways to make an OS less exposed, which I'm sure mobile phone manufacturers are aware of -- they just haven't tightened things up yet, because of the lack of malware for their respective platforms. Let's hope it comes soon...