Virus on iPhone
How can I remove the malware and prevent this in the future?
Thanks for any pointers. Details below.
--
My unjailbroken iPhone 3GS running iOS 4.0 and later 4.1 exhibited some suspicious behavior which I noticed because I started to get text messages from my cellular provider for three months in a row notifying me that my contract's volume limit had been exceeded and my transfer rates would be capped. My browsing activity is restrained and a traffic increase was surprising.
After resetting Usage stats on the iPhone, I noticed that outgoing traffic was 10X the volume of incoming traffic. High rates of traffic (ca. 6MB per hour outgoing) seemed to be occurring even when the phone was not in use. After watching this for a few days I felt something was fishy.
To eliminate legitimate communication as a traffic source, I then did: (a) in "Fetch New Data" I disabled Push and set fetch to "manually", (b) I disabled all e-mail accounts, (c) I turned notifications off, (d) I turned WiFi off, (e) reset all usage stats, (f) restarted the phone.
Now, with no apps running and no push/pull activity permitted, the phone should have been silent. Instead, starting about 15 seconds after reboot, the phone started sending data. The rate was not constant, but within seconds of entering the stat screen you'd see about 250kB sent and about 10kB received. The send rate averaged ca. 6 MB / hour, but activity was intermittent. All this data was sent over the cellular connection, so the carrier cutoff was not surprising.
Next I went into Airplane mode to disable the cellular connection and reactivated WiFi. With the help of a friend I connected the phone to a router which intercepted and suppressed outgoing traffic. The router was able to log only IP addresses, but no content. Within a 5 minute period of logging, we discovered a range of connection attempts to various hosts, some of them potentially legitimate and some suspicious. The legitimate addresses were all Apple push servers, like 17.149.37.110:5223 nwk-st-courier037-05.push.apple.com. Not sure why the phone would contact them if push and notifications are off, but whatever.
Then there were three blocks of suspicious IP addresses the phone contacted within the monitored ca. five minute period around 2010/09/24 13:18:06:
(A) 195.50.164.138:80
Via dnstools.com this turns out to be an IP managed by ARCOR / Vodafone D2 GmbH in Germany. A Google search on the IP provides a few listings, including a few in forum posts about viruses and trojans. Via dedicatedornot.com there is an indication that the IP belongs / belonged to fotolog.com, apparently a rather popular photo sharing community. I have never used the web site or heard about it, so this seems suspicious.
(B) 184.73.255.2:80 ec2-184-73-255-2.compute-1.amazonaws.com
184.73.254.162:80 ec2-184-73-254-162.compute-1.amazonaws.com
This seems to be a server in Amazon's cloud service. No idea what the service is.
(C) 74.125.77.101:80 ew-in-f101.1e100.net
74.125.77.100:80 ew-in-f100.1e100.net
74.125.77.102:80 ew-in-f102.1e100.net
These addresses belong to Google. Put them in a browser and the Google main search page comes up. Why would an iPhone running no apps contact the Google main search page?
Just to clarify: the iPhone is NOT and never was jailbroken and all apps I use were downloaded from the Apple app store. Maybe this means nothing and there is a perfectly valid explanation for why my iPhone would contact these web sites even though no apps were running and all communication settings were turned off. Nevertheless, it would be quite nice to know what had happened.
iPhone 3GS, iOS 4
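The triage the poster did by hand (aggregate bytes per destination, compare sent against received, sort out the expected Apple push hosts from the rest, extrapolate the send rate) can be scripted so it runs the same way over any short capture from a logging gateway. The script below is an added example and is not from the original post or any Apple tool. The log line format, the byte counts and the reverse-DNS table are constructed sample input standing in for a real router log and an online PTR lookup; the IP addresses and hostnames are the ones listed in the post.

```python
"""
Triage a short outbound-connection log captured from a phone that was
routed through a logging gateway. Added example; not from the original post.
Log format, byte counts and the reverse-DNS table are constructed here.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: timestamp, destination ip:port, bytes sent, bytes received.
SAMPLE_LOG = """\
2010-09-24 13:18:06 17.149.37.110:5223 out=4120 in=3980
2010-09-24 13:18:09 195.50.164.138:80 out=261240 in=9800
2010-09-24 13:18:21 184.73.255.2:80 out=118400 in=5100
2010-09-24 13:18:40 74.125.77.101:80 out=2200 in=1900
2010-09-24 13:19:02 195.50.164.138:80 out=240110 in=8000
2010-09-24 13:19:30 184.73.254.162:80 out=97300 in=4400
2010-09-24 13:20:15 17.149.37.110:5223 out=3900 in=4050
"""

# Constructed table standing in for a reverse-DNS lookup (None = no PTR record).
REVERSE_DNS = {
    "17.149.37.110": "nwk-st-courier037-05.push.apple.com",
    "195.50.164.138": None,
    "184.73.255.2": "ec2-184-73-255-2.compute-1.amazonaws.com",
    "184.73.254.162": "ec2-184-73-254-162.compute-1.amazonaws.com",
    "74.125.77.101": "ew-in-f101.1e100.net",
}

# Hostname suffixes an idle phone is expected to contact (assumption for this example).
EXPECTED_SUFFIXES = (".push.apple.com",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>[\d.]+):(?P<port>\d+) out=(?P<sent>\d+) in=(?P<recv>\d+)$"
)


@dataclass
class HostStats:
    sent: int = 0
    received: int = 0
    connections: int = 0


def parse_log(text):
    """Aggregate bytes per (ip, port); lines that do not match the format are skipped."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h = stats.setdefault((m["ip"], int(m["port"])), HostStats())
        h.sent += int(m["sent"])
        h.received += int(m["recv"])
        h.connections += 1
    return stats


def triage(log_text, reverse_dns=REVERSE_DNS, expected_suffixes=EXPECTED_SUFFIXES,
           ratio_threshold=5.0):
    """Return one finding per destination, busiest sender first.

    A destination is marked 'review' if its hostname is not on the expected
    list or if it receives far more from the phone than it sends back."""
    findings = []
    for (ip, port), h in parse_log(log_text).items():
        name = reverse_dns.get(ip)
        reasons = []
        if name is None or not name.endswith(expected_suffixes):
            reasons.append("unexpected host")
        ratio = h.sent / h.received if h.received else float("inf")
        if ratio > ratio_threshold:
            reasons.append(f"outbound-heavy (sent/received {ratio:.1f} > {ratio_threshold})")
        findings.append({
            "ip": ip, "port": port, "hostname": name or "(no PTR record)",
            "sent": h.sent, "received": h.received, "connections": h.connections,
            "ratio": ratio, "verdict": "review" if reasons else "expected",
            "reasons": reasons,
        })
    findings.sort(key=lambda f: f["sent"], reverse=True)
    return findings


def send_rate_bytes_per_hour(log_text):
    """Extrapolate total bytes sent over the capture window to an hourly rate."""
    times, total = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        times.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
        total += int(m["sent"])
    if len(times) < 2:
        return 0.0
    span = (max(times) - min(times)).total_seconds()
    return total * 3600 / span if span else 0.0


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:8} {f['ip']}:{f['port']:<5} sent={f['sent']:>7} "
              f"recv={f['received']:>6} x{f['connections']} {f['hostname']} {f['reasons']}")
    print(f"extrapolated send rate: {send_rate_bytes_per_hour(SAMPLE_LOG) / 1e6:.1f} MB/hour")
```

The ratio threshold and the expected-suffix list are the two knobs worth tuning against a baseline capture taken with the phone idle; a destination that fails both checks, as the ARCOR/Vodafone address does in the sample, is the one to look at first.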