By Philip Elmer-DeWitt
November 23, 2009

Security experts report that a malicious worm is tunneling its way through Dutch iPhones

This may be one of those “I told you so” moments that gives comfort to people on both sides of the Apple-Microsoft divide: Those who claim that Apple’s (AAPL) products are no more immune to malware attacks than Microsoft’s (MSFT), and those who insist that Apple’s operating systems are nearly impenetrable, as long as you play by the rules.

According to the Dutch security firm XS4ALL, a software worm has been spreading through the Netherlands that can seize control of iPhones without their owners’ knowledge and hand it over to a server in Lithuania.

“This worm is doing really bad things,” XS4ALL’s Scott McIntyre told

Only a few hundred iPhones have been infected so far, according to the BBC. But if the worm gets into large Wi-Fi networks, thousands could be at risk.

This is the third reported iPhone malware incident in as many weeks and by far the most dangerous.

In early November, a Dutch hacker seized control of jailbroken iPhones and posted a message offering to make them secure again for 5 euros. A week later, an unemployed programmer in Australia released a worm that changed the iPhone’s background image to a picture of pop singer Rick Astley, a sly reference to Rickrolling, one of the Internet’s most popular pranks (some 21 million fooled).

The new worm targets customers who use their iPhone to do online banking at ING through T-Mobile. To be at risk, the phones must be jailbroken — something Apple advises strongly against — have SSH (secure shell) installed, and have left the original password (“alpine”) unchanged.

“As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason,” an Apple spokesperson told The Loop‘s Jim Dalrymple. “These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably.”

Infected phones can be returned to their original condition by restoring the current Apple-supplied firmware through iTunes.

UPDATE: Sophos reports that the worm is using IP address for command and control of jailbroken iPhones. Mobile operators you may want to block or at least monitor activity trying to communicate with this IP address.

See also:

[Follow Philip Elmer-DeWitt on Twitter @philiped]

You May Like