virus - ReadWriteWeb (http://www.readwriteweb.com/feeds/tag/virus). Copyright 2009 Richard MacManus. Feed generated Tue, 24 Nov 2009 12:40:23 -0800.

New iPhone Worm: How Worried Should We Be?

Numerous reports have surfaced over the weekend regarding the first iPhone worm spotted in the wild. The worm, known as iKee, only affects modified handsets, also known as "jailbroken" devices. These devices have been modified by their owners to allow the installation of unapproved, third-party programs that aren't allowed in the iTunes App Store.

Currently, the worm doesn't appear to be all that malicious - it simply changes the phone's background image to a photo of singer Rick Astley, the man whose song "Never Gonna Give You Up" has become a well-known internet meme called "rickrolling," a joke where users are tricked into clicking links that redirect them to Astley's YouTube video.

Despite the relatively innocuous nature of this particular attack, it may be the precursor to future attacks of a more malicious nature. But how dangerous will these attacks be to the iPhone-owning population as a whole? Is there really a need for concern?

About the iKee Worm

According to the hacker, 21-year-old Ashley Towns, a student living in New South Wales, Australia, iKee was created to highlight the iPhone's poor security. Apparently unrepentant about his creation, Towns has made no attempt to hide his identity, posting on internet forums and on his Twitter page about his hack. He even cheekily tweeted a response to a post on security firm Sophos' blog, whose writer had tried to work out the hacker's identity via Google searches: "You know man if you wanted my number you could have asked." And he wasn't kidding - Towns has been happily responding to media requests via his Twitter account. For example, he told ABC News that he had personally infected 100 iPhones with the worm. From those phones, he explained, the worm will then try to spread to other devices.

Perhaps the reason for his transparency has to do with the relatively harmless nature of the attack. The worm just changes the iPhone wallpaper on the affected devices. However, as the Sophos post points out, "accessing someone else's computing device and changing their data without permission is an offence in many countries."

While that may be true, it's clear that Towns feels as if he's almost doing a public service by exposing a security vulnerability that many jailbroken iPhones face.

More Hacks Expected?

While this particular worm appears to be localized to Australia, it could have spread to other countries and, eventually, worldwide. It also comes directly on the heels of another similar attack on jailbroken devices. Only last week, a Dutch hacker broke into jailbroken iPhones and then displayed a message on the compromised devices demanding a ransom of 5 Euros. This attack was also made possible through the same vulnerability that the iKee worm uses.

Graham Cluley of Sophos predicts that other hackers will be tempted to write their own code now that they've seen what's possible. In addition, some hackers may be more malicious with their creations than what we've seen so far.

But Who is Really Being Affected?

However, even if the attacks escalate, the fact of the matter is that the potential victims are a minor subset of Apple iPhone users. To begin with, they had to be relatively tech-savvy to have managed to jailbreak their phones at all - a process which involves using downloadable software tools that unlock Apple's control mechanisms on the device. While not overly complex, most mainstream iPhone users won't bother to take this step, content with the iTunes App Store and its 100,000 or so available applications.

And then there is the fact that the attacks don't even affect all jailbroken iPhone owners - they only affect those who have also installed an SSH server on their devices. SSH gives users remote access to the iPhone's filesystem, and on a jailbroken iPhone the default login is the username "root" with the password "alpine." Since few SSH users had bothered to change this default root password, their phones were left open to attack.

Still, how many people are we talking about here? And what sort of iPhone user are they? Although exact numbers of jailbreakers are unknown, mobile analytics firm Pinch Media recently revealed data showing there are at least 4 million of these jailbroken devices in the iPhone ecosystem. It's not known how many of these users have also installed SSH.

For the most part, it's likely that those who have done so are knowledgeable enough to prevent future attacks on their devices even if they had become a victim of one of these recent hacks. At the very least, they're now aware of the issue and can follow the straightforward instructions available on the web that explain how to change the root password so it's no longer the default.

More Dangerous than the iPhone Worm: Dishonest Developers

Despite all the media hoopla over this "first iPhone worm," it's not something that most iPhone owners will have to worry about. What's more concerning are the claims that a supposedly legitimate iPhone development firm has been collecting personally identifiable information from the users of its App Store-approved iPhone games which have been installed over 20 million times. According to a suit filed in the U.S. District Court in Northern California, the firm, Storm8, has been using a backdoor method which allowed them to collect the phone numbers of anyone who had installed their applications. This wouldn't be the first time that an iPhone developer has done this, either. Apple actually provides an easy way for developers to tap into this information, if they so desire.

If anything, this is the real threat that the media should be focused on, not the iPhone worm.

Source: http://www.readwriteweb.com/archives/new_iphone_worm_how_worried_should_we_be.php (Apple, Mon, 09 Nov 2009 06:24:32 -0800, Sarah Perez)

Latest Facebook Scare: The Cure May Be Worse Than The Disease

It seems as if every virus produces a list of capitalistic charlatans. During the Bubonic plague, thousands spent their hard-earned savings on worthless talismans in the hope of avoiding the Black Death. The song "Ring Around the Rosy" even documents the myth that a "pocket full of posies" could ward off the disease. Today's modern-day talisman comes in the form of fake anti-virus software. According to John Leyden's recent Register article, fake software is being peddled to users who believe their systems are infected with the Facebook Fan Check Virus.

It's unclear whether or not the Facebook Fan Check Virus actually exists. It's entirely possible that concerned forum members are simply laying the bait for malware scams. Only one thing is certain: sites claiming to protect against the virus are being used to trick users into handing over their credit card information.

Says Sophos' Senior Technology Consultant Graham Cluley in a blog post, "The bogus warnings look near identical to previous fake anti-virus software attacks that we have seen in the past - with a scrolling green progress bar and a list of alleged threats found on your computer displayed in a dramatic red colour scrolling up."

Phishers are designing site pop-ups that mimic system anti-virus warnings in order to lure users into giving up personal information and, in some cases, downloading malware. According to the Anti-Phishing Working Group, more than 9,000 scareware packages have been in circulation since late 2008.

For a list of some of these potential issues, check out ReadWriteWeb's Top Online Security Threats for 2009 or visit the US Computer Emergency Readiness Team site for industry updates.

Source: http://www.readwriteweb.com/archives/facebook_virus_rumors_lead_to_bogus_scareware.php (Facebook, Mon, 07 Sep 2009 20:49:57 -0800, Dana Oshiro)

SlideShare Used to Spread Malware

When it comes to spreading malware on the web, virus writers are nothing if not creative. We've seen malware infiltrate everything from Facebook to Twitter to email to IM. Now it seems you can add another site to that list: SlideShare, the community for sharing slideshow presentations on the web. Over the weekend, security firm ESET discovered that this popular social media resource was being used to spread malware in the form of fake slide decks. Although these initial attacks were relatively simple to detect, future variations could easily become more deceptive.

That's Not a Slideshow, It's a Virus!

According to ESET's report, the attackers created slide decks containing a link to a malware-laden website and then lured unsuspecting victims to SlideShare using traditional social engineering tactics. The presentations themselves should have raised a red flag for careful users, we think, but at this time we have no way of knowing how successful they were.

One of the presentations found included just one slide with a single link. The slideshow was purportedly offering a cracked download of ESET's own NOD32 scanner, an antivirus software program. To lend credibility to the download, the attackers added in the SourceForge logo (as if the open-source application directory SourceForge were a place to find cracked warez!). Of course, when the user clicked the link, they wouldn't end up on SourceForge, but on a spoofed site that looked very similar. A window would then pop up prompting the user to download a .EXE file. Since the user already thought they were accessing a link for a software installation program, they would click the link and let their computer be infected with the malware.

Of course, you may scoff at these victims since they were trying to get "something for nothing" - in this case, a free anti-virus program - when really they were being given a free virus instead. However, while you may not have fallen for this particular scam, it's only one example of how the SlideShare platform could be used for nefarious purposes such as this. It's not far-fetched to imagine that in the future attackers could create even harder-to-detect malware-laden slideshows. We foresee them copying a legitimate slideshow from the site and then including an extra page with their malicious link. News like this is all the more reason to run a good anti-virus program on your PC.

SlideShare Responds Quickly

In SlideShare's defense, the company took action quickly against this threat. As soon as the matter was brought to its attention by way of the ESET blog post, SlideShare co-founder Amit Ranjan responded in the comments, saying:

"I just wanted to let readers know that the offending user account has been removed. Thanks a ton for bringing this to our notice. Spam slideshows are a problem for us. And as this example shows, they can be turned malicious as well. In case anyone comes across any other user account from where this is happening, please email us, and we shall take immediate action. As a company we are committed to stopping all such malpractices."

However, the rogue account which had been used to spread the malware had joined the SlideShare community in June 2009 and had uploaded as many as 2473 presentations before they were banned this week.

Social Sites Need to Think About Security

The more popular a site becomes, the more likely it is to be used to spread malware, so perhaps SlideShare should be somewhat flattered that it has reached this level of notoriety. It has now joined the ranks of many other social networking sites that have seen regular malware threats invade their platforms. Facebook, for instance, has come under attack multiple times in the past, the most memorable of which was the Koobface trojan, which leaped outside of Facebook to spread to other social networking sites. It continues to evolve, even infecting Twitter as recently as last month. But Facebook isn't the only example by any means of social sites under attack. Unfortunately, any website or social community where users are allowed to post content could fall victim to threats such as this.

What's odd, though, is how many sites seem to think of security as an afterthought. Case in point: it was only on Monday of this week that we saw Twitter start filtering malicious links from being posted. These are the sort of features that really should have been included from the get-go. In SlideShare's case, they may eventually have to go the same route as Twitter and partner with a malware-scanning service like Google's Safe Browsing API to make sure their hosted content isn't dangerous to their users. In fact, they may want to start looking into that right now.

Source: http://www.readwriteweb.com/archives/slideshare_used_to_spread_malware.php (Social Networks, Wed, 05 Aug 2009 06:30:11 -0800, Sarah Perez)

StalkDaily: A New Twitter Virus on the Loose?

Network World is reporting that a new Twitter virus has been making the rounds today. At best the virus will auto-tweet this message: "Hey everyone, join StalkDaily.com. It's a site like Twitter but with pictures, videos and so much more." At worst, it may lock you out of your Twitter account, as noted by Sheamus Bennett at Twittercism.

"Whatever you do," suggests Bennett, "don't visit StalkDaily.com. Even without registering or logging on to the site it somehow infects your Twitter profile." Curt Monash over on Network World, however, suggests you can get infected without visiting the site; clicking on the GangsterBoy Twitter account could be enough to cause the infection.

While no one has been able to verify what is going on, and we have had no official word from Twitter [update below], Bennett recommends the following steps to remove StalkDaily from your Twitter profile if you think you've been infected.

  1. In your browser, clear your cache and empty all of your cookies. (This can be found in your settings.)
  2. Log out of TweetDeck or any external applications you are using.
  3. On Twitter.com, change your password.
  4. Log back in. It should be okay. If so, log back into TweetDeck et al.
  5. Go back and delete any tweets sent by you recommending StalkDaily. This is important.

Monash, who has been furiously sending messages to the @spam team to get the seemingly malicious Gangsterboy account removed, offers a suggestion from @pilot: disable scripts via NoScript in Firefox.

According to Bennett's latest tweet, there have not been any new instances of it in quite a while.

Update:

Twitter's Spam account has issued an update stating that it is aware of StalkDaily and is working to shut it down. It recommends doing a password reset if you're locked out of your account, as your password may have been reset for safety reasons.

Source: http://www.readwriteweb.com/archives/stalkdaily_a_new_twitter_virus_on_the_loose.php (News, Sat, 11 Apr 2009 16:41:12 -0800, Lidija Davis)

It's Alive! Conficker Wakes Up - And Now It Has a Business Model

Conficker, the Internet worm that caused a mild panic reminiscent of Y2K late last month, but which failed to do anything spectacular enough to warrant the breathless coverage on 60 Minutes ("The Internet is Infected"), has finally woken up. This morning the worm started to update itself via a peer-to-peer network between infected machines after downloading its payload from a server in South Korea.

It is not clear how many machines were infected with this worm, but estimates range from 9 million to 15 million.

While earlier variations of the Conficker worm prevented infected machines from accessing the servers of most antivirus companies, this new variant also blocks access to sites that offer tools for removing the worm, like BitDefender's bdtools.net.

Oddly, the Conficker worm now also includes an instruction telling it to remove itself on May 3 (the hackers clearly like deadlines). Even after that, however, it will keep a port open on these machines, allowing the hackers to get back into these computers at any time.

The Big Picture: Spyware, Spambots, Pop-Ups

According to both Trend Micro and Symantec, Conficker, after downloading its update, also downloads a variant of the well-known Waledac malware. Waledac is one of the world's most active spambots.

Security researchers are still trying to understand the connection between Waledac and Conficker's new E variant (only a small number of antivirus products can currently detect this version of Waledac, by the way). Some, however, speculate that this connection could mean that Conficker was created by the same group of hackers that created Waledac and its predecessor, the infamous Storm botnet.

Business Model?

According to Kaspersky Labs' Alex Gostev, Waledac will download a rogue antivirus application onto infected machines, as well as an email worm that can steal data and send spam. The fake antivirus software will ask users to pay $49.95 for "Spyware Protect 2009," which, of course, is anything but an antispyware product.

Protect Yourself (and others)

Of course, if your Windows machine is up to date and you have kept your antivirus software current, then chances are very good that you are well protected against Conficker.

If you want to learn more about Conficker and how to protect yourself, have a look at this list of resources we put together last month. If you want to see if you are infected, head over to this site from the University of Bonn.

Source: http://www.readwriteweb.com/archives/its_alive_conficker_wakes_up_and_now_it_has_a_business_model.php (News, Thu, 09 Apr 2009 09:38:39 -0800, Frederic Lardinois)

First Came Geo-Awareness, Then Came Geo-Aware Malware

An internet worm that uses social engineering to direct you to a malicious web page is nothing new - that's just everyday malware. But there is something different about the latest variant of the Waledac worm: it uses geolocation services to target its intended victims. Initially, the Waledac worm sends a spam email message claiming there has been a dirty bomb explosion in "your city." If the victim clicks through on the provided link, the worm then uses a geo-IP lookup service to customize the story appearing on the malicious site, which is designed to look like that of the news agency Reuters.

The rest of the attack is somewhat predictable. Users view the fake news story, which now includes their own city's name in the headline and in the body of the article, which begins, "powerful explosion burst in [your city name here] this morning." Users are then encouraged to view the video, but if they click on the video itself or the link below it, they're prompted to download the latest version of Flash Player. Of course, that download isn't Flash, but the worm itself.

What's interesting about this new attack vector is the fact that the worm is customizing the relevance of its message by using geo-awareness... and this isn't the first time the worm has done so. Although an IP lookup isn't going to yield pinpoint accuracy, it will usually get the city name correct, and for now that may be good enough. But if we know malware writers, then we know that it's only a matter of time before they attempt to exploit the new geo-aware services, too, in order to deliver even more precisely targeted messages.

Are Mobile-Based Geo-Aware Exploits Next?

For truly accurate geo-aware targeting, attacks would have to come across the mobile front where people carry pocket-sized GPS units integrated into their handhelds. Mobile computing is on the rise and where the people go, so go the hackers.

In a relatively short period of time, we've seen the rise of mobile social networks like Brightkite, Loopt and others; Google's new location-based tracking service Latitude made its debut; and more recently, Yahoo's Fire Eagle technology arrived on Facebook and in Firefox. With any one of these services, a user's exact location could be plotted. Armed with that info, what could a malware author do? Send you news stories about the restaurant where you're dining? Text you drink specials when you're at a bar? Who knows! But combine that level of accuracy with mobile-ready malware-laden web sites and we could have a real threat on our hands.

Mobile Malware is Still Quiet... for Now

However, this is all just speculation at this point. Today's mobile malware incidents are few and far between. Still, the treasure troves of personal information stored on our smartphones make them appealing targets to malware writers. No matter how tight the security of these modern devices is, eventually, hackers can find their way in.

According to Andrew Storms, director of information technology at nCircle Network Security, bigger phone-based threats are just around the corner. "No one should be surprised if we see the first major threat of the migration of botnets from traditional computing devices to mobile platforms," Storms says. "Some smartphones already have more memory and higher processing power than laptops from just a few years ago. A constantly moving and adapting mobile botnet presents a compelling business proposition for hackers and an interesting real-world case study in chaos theory."

Patrik Runald, Chief Security Advisor at F-Secure, agrees. "At some point, the criminals now developing PC malware will start focusing on mobile devices," Runald said. "It's not a question of if, but when and how. I'm keeping a close eye on the iPhone -- it may be the tipping point that sets the mobile malware field afire."

Frankly, we're surprised it isn't here already. Are modern smartphones really that much more secure or do they still not yet exist in large enough numbers to make them worth attacking?

Image credit: kmevans

Source: http://www.readwriteweb.com/archives/first_came_geo-awareness_then_came_geo-aware_malware.php (Trends, Tue, 17 Mar 2009 06:27:22 -0800, Sarah Perez)

The Facebook Virus Spreads: No Social Network is Safe

"Koobface" is the name of the Trojan worm that's been making its way through the social networking site Facebook lately, but to the site's users it's been known simply as "the Facebook virus." That name will soon become a misnomer, though, because the worm is now spreading outside of Facebook's walls to attack other social networks like Bebo, MySpace, Friendster, MyYearbook, and Blackplanet.

About Koobface

Once a computer has become infected with the Koobface worm, it spams the friends of the computer's owner by leaving comments on their profiles. Those comments appear to come from the infected user, saying things like "Are you sure this is your first acting experience?", "is it u there?", "impressive. i'm sure it's you on this video", "How can anyone get so busted by a spy camera?" and "You're the whole show! i'm admired with you." Save for that last one, whose bad English will likely raise a flag that all is not what it seems, the comments appeal to people's vanity. They wonder, "is that really a video of me?" and then click through on the link provided.

The link actually takes them to an off-site page which pretends to offer a video download from "YuoTube," but then stalls saying that you'll need a new version of Adobe's Flash Player installed in order to continue. Of course, if you click the button to proceed with the install, you're infected. Infected users are then directed to even more contaminated web sites when they try to use search engines, which puts them at risk of identity theft, among other things. "Search terms are directed to find-www.net," said McAfee's Craig Schmugar, and that "enables ad hijacking and click fraud."

Social Networks Will Be the New Breeding Ground for Viruses

Koobface may not be the first bit of malware to hit the social networks, but it has become so widespread that it now accounts for one percent of ScanSafe's blocked malware, said ScanSafe senior security researcher Mary Landesman. (Facebook will not disclose how many members are infected.)

What's frightening about the spread of this Trojan is not the worm itself - it's really nothing new in terms of malware - but the way it's being spread. Over the years people have learned to be suspicious of unknown links and attachments in their emails, so the virus writers turned to hit us where we're more vulnerable: on our social networks. Here, many people still have a feeling of comfort and security. They don't always have their guard up.

According to Graham Cluley, senior technology consultant at Sophos, "a key factor which helps social-networking spam and malware succeed is that people are more prepared to click on a link or message if they believe it is from someone they know. The average person is used to receiving unsolicited e-mails in their regular inbox, but believe messages have more credence when they arrive via Facebook. The message is clear -- people need to beware."

Cluley also warns that the situation is going to get worse next year. There will be more attacks and they will become more sophisticated. "It will probably take a long time before the general public begins to learn that hackers and scammers are using the system for their own ends."

How To Protect Yourself From Koobface

Besides doing the obvious - running an up-to-date antivirus, security patches, and firewalls - you should be on the lookout for the following:

(Screenshots: a sample spam message, the malicious site, and the warning message.)

You should also keep an eye on Facebook's security page (http://www.facebook.com/security) which warns of the latest threats.

Image credits: virus, courtesy of akajos; Facebook screenshots, courtesy of McAfee Avert Labs

Source: http://www.readwriteweb.com/archives/the_facebook_virus_spreads_no_social_network_is_safe.php (Trends, Thu, 11 Dec 2008 06:27:56 -0800, Sarah Perez)