Will No-One Rid Me Of This Turbulent Hacker Tool? (http://en.wikipedia.org/wiki/Thomas_Becket)
I was kind of hoping to have moved on from the iPhone data stealing hacker tool by now. While I do think it's a significant development (see http://www.eset.com/threat-center/blog/2009/11/12/iphone-hack-tool-a-postscript), there comes a point where the sheer volume of discussion of the subject gives it more importance than it really deserves.
However, I can't help but notice that there have been frequent references, based on both the Intego post and on my blogs, to a virus or a worm. Well, of course, I'm fully aware that many people talk about viruses when they mean all sorts of other malware, and if I'm not exactly resigned to it, I don't usually spend much time complaining about it.
In this case, however, it actually matters. The source code I have in front of me has no replicative code, so it's not a virus and it's not a worm. It isn't even a Trojan: if you run this code, you're not in any doubt as to what it does. It announces itself quite clearly as a program for stealing data, and keeps you informed as to what data it's trying to steal and whether it succeeds.
It is, in fact, a (very) basic tool that could be used by a badhat, in much the same way that he might use a sniffer or password cracker: it would require modification just to scan a different network.
I don't know if Intego are looking at exactly the same code. The article by Peter James suggests functionality that isn't present in the script I have, but he may just be indicating functions that the script could have in addition to those already present. Intego have confirmed to me, though, that what they have is a hacker tool with no self-replicating code.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET