iPhone Botnet Analysis

Published: 2009-12-21
Last Updated: 2009-12-21 19:38:29 UTC
by Marcus Sachs (Version: 1)
3 comment(s)

SRI's Malware Threat Center has published an excellent analysis of the iPhone botnet that we covered in a diary a few weeks ago.  Here is the abstract:

We present an analysis of the iKee.B (duh) Apple iPhone bot client, captured on 25 November 2009. The bot client was released throughout several countries in Europe, with the initial purpose of coordinating its infected iPhones via a Lithuanian botnet server. This report details the logic and function of iKee's scripts, its configuration files, and its two binary executables, which we have reverse engineered to an approximation of their C source code implementation. The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Thanks to Phil Porras and the MTC team for all of their great work!

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: botnet ikee iPhone

BotNet of phones can be used for all kinds of malicious activities.

From reporting back to the bot herder locations (thanks GPS) and statistics related to the networks in the area, collective targeting of an organization and guiding bots via social networks such as places/yelp/maps, etc., unknown to the user, with specific tools or to improve the attack on a target. Bots can now move in the physical world far less constrained than laptops. If you can herd some bots into a particular area you can attack a building, block, mall, chain store, etc. It enhances the organic nature of bot behavior. It introduces new risk to consider. An infected phone can get in your organization and operate undetected.

Another thing that comes to mind is historical: first there was wardialing, then wardriving, now warwalking. Phones are great tools and targets during PenTest; make sure they are in your get out of jail free agreements.
My how we have grown.
Anyone know why this was previously called a worm and is now called a botnet? I hear people who are smarter than me call botnets worms all the time... for example the Conficker "worm". I thought the difference between a botnet and a worm is that the worm doesn't have a command and control channel. Am I missing something?
The difference is that it can be both, but people don't always understand that.

A "worm" describes how the infection spreads - it is an independent program (not a virus that attaches to another program or a Trojan that claims to be one thing but is actually something else) that spreads itself over a network.

A "botnet" describes what it does - it, through various means, accepts commands from a remote location and is part of a group of similarly infected devices.

So, Edge, it can be both a worm and (part of) a botnet, depending on whether you look at its method of spreading or its primary function.