iPhone Lure Used in Hacker Exploit

The iPhone hype makes it a natural target -- by scammers looking to sell Apple's first cell phone for a huge markup, and also by hackers looking to add to their bot networks.

Within hours of the iPhone's release, a social engineering e-mail went out with the subject line "Congratulations, you have won a new iPhone from our store!" Following the link in the e-mail takes an unsuspecting user to a Web site that attempts to load a rootkit on the user's computer.

According to security vendor Secure Computing Corp., the attack is the same one used in a widespread compromise of about 10,000 Italian Web sites about two weeks ago.

The attack "is a two-phase download," according to Paul Henry, vice president of technology evangelism for Secure Computing. A user "gets the e-mail, and clicks on the link to get the iPhone. That takes them to a Web site in Malaysia." The Malaysian Web site probes the browser for vulnerable ActiveX controls, and if it finds a hole, the browser is redirected to a second Web site, this one in New Jersey, that loads the rootkit onto the computer.

Once the rootkit is installed, it's virtually impossible for the average user to find. Henry said that further analysis this morning allowed Secure Computing to identify the toolkit: it's the MPack toolkit, version 0.93 or higher.

Henry emphasized that it's not an iPhone vulnerability. "This exploit is not for the iPhone. This is a browser exploit," he said in an interview.

It's a potentially serious exploit. Henry said, "Any Windows PC user that clicks [the e-mail] can immediately be compromised. The PC will be turned into a spambot," part of an army of computers networked together to blast spam to the world. And since it's a rootkit, it would be easy for a hacker to update the malware to add things such as a keylogger, which could steal a user's passwords and other sensitive material.

The best advice, as always, is to remind users on a network never to click a link unless they're sure it's safe. Other safeguards include using an anti-malware product that scans HTML content, and URL filtering products.
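To make the "scan the HTML, filter the URLs" advice concrete, here is an added example of a small mail-gateway check; it is not code from the article or from Secure Computing. It parses a constructed lure message shaped like the one described (prize-themed subject, a link whose visible text names one site while its href points to another) and a constructed benign message, then applies three heuristics: lure phrases in the subject, links whose domain differs from the sender's, and a URL-filter blocklist. All domains, the blocklist and the `registrable()` domain guess (last two labels) are placeholders and simplifications, not indicators from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a lure message shaped like the one the article describes.
# Every domain below is a placeholder under the reserved .invalid TLD.
LURE_EMAIL = """From: "Apple Store" <promo@example-store.invalid>
To: user@example.invalid
Subject: Congratulations, you have won a new iPhone from our store!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Claim your prize here:</p>
<a href="http://prize-claim.invalid/iphone/claim.php">http://store.apple.com/iphone</a>
</body></html>
"""

# Constructed benign message from the same sender, for comparison.
BENIGN_EMAIL = """From: "Example Store" <orders@example-store.invalid>
To: user@example.invalid
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="http://example-store.invalid/orders/123">View your order</a></p></body></html>
"""

# Constructed URL-filter blocklist (placeholder entries, not real indicators).
BLOCKED_DOMAINS = {"prize-claim.invalid"}

# Phrases typical of prize lures; two or more in the subject is suspicious.
LURE_PHRASES = [r"\bcongratulations\b", r"\byou have won\b", r"\biphone\b", r"\bprize\b"]

HREF_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URL_TEXT_RE = re.compile(r"^https?://([^/\s]+)", re.I)


def registrable(host):
    """Crude registrable-domain guess (last two labels); a simplification."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def html_body(msg):
    """Concatenate all text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_links(html):
    """Return (href, visible anchor text) pairs from an HTML body."""
    return [(href, TAG_RE.sub("", text).strip()) for href, text in HREF_RE.findall(html)]


def score_message(raw):
    """Return ("quarantine" | "deliver", [reasons]) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []

    # Heuristic 1: prize-lure wording in the subject line.
    subject = msg.get("Subject", "")
    hits = [p for p in LURE_PHRASES if re.search(p, subject, re.I)]
    if len(hits) >= 2:
        reasons.append(f"subject matches {len(hits)} lure phrases")

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    for href, text in extract_links(html_body(msg)):
        host = urlparse(href).hostname or ""
        # Heuristic 2: URL filtering against a blocklist.
        if registrable(host) in BLOCKED_DOMAINS:
            reasons.append(f"link to blocklisted domain {host}")
        # Heuristic 3a: link leads somewhere other than the sender's own domain.
        if sender_domain and registrable(host) != registrable(sender_domain):
            reasons.append(f"link to {host} does not match sender domain {sender_domain}")
        # Heuristic 3b: visible link text names a different site than the href.
        shown = URL_TEXT_RE.match(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"anchor text shows {shown.group(1)} but href goes to {host}")

    return ("quarantine" if len(reasons) >= 2 else "deliver"), reasons


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        verdict, why = score_message(sample)
        print(f"{label}: {verdict}")
        for reason in why:
            print("  -", reason)
```

The lure sample trips all three heuristics and is quarantined; the benign sample from the same sender produces no findings. Requiring two independent reasons before quarantining keeps a single noisy signal (a newsletter that happens to say "congratulations") from blocking legitimate mail, and the blocklist lookup stands in for the URL filtering product the article recommends.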

As of Monday afternoon, Henry said, the exploit hadn't spread like wildfire, but that shouldn't make users feel safe. In fact, both malicious sites, in Malaysia and New Jersey, were still up and running when he last checked. "It's a relatively small distribution [so far], but we expect that to continue to grow," he predicted.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.