The iPhone, it seems, is under siege: a recent worm exploits a known (and previously exploited) vulnerability that affects the owners of "jailbroken" phones on which OpenSSH has been installed. (Jailbreaking allows iPhone users to install and use unapproved applications.)
Of course, there's been an enormous amount of media coverage on this already (I've just returned from a conference trip at which I had no email access), and I don't care for "me too" blogs, but there's also been a certain element of mythmaking, so I'm going to concentrate on a few aspects of this (admittedly interesting) event that I don't think have received sufficient attention.
Jailbreaking is (irrespective of whether it's a good idea) enough to expose an iPhone to infection by this particular worm.
So is this really harmless fun? The apparent creator of this mess seems to think so (http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html). That interview seems to me to argue a moral sensibility displaying an immaturity close to the sociopathic, but at least he seems to have attempted to give some information about removing the infection. Given his admitted carelessness in coding and failure to anticipate some of the effects of his malware, you might want to be careful about taking his advice. As I don't have an iPhone or a sample, I'm not currently able to verify its accuracy.
Apparently a number of people agree that it's harmless. Apart from some reports that refer to this "prank" (I'm reminded of Microsoft's attempts to minimize the importance of WM/Concept, the first major Word macro virus, by dubbing it Prank Macro), a poll conducted by Sophos apparently determined that 76% of respondents consider malware an acceptable way to raise security awareness. Well, I never heard that one before… Oh, wait a minute, isn't that the excuse used by countless script kiddies and hobbyist virus writers, not to mention BBC journalists in the market for buying botnets? Well, I'm sure malware will start having a beneficial effect on public security awareness any century now.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET