I don't want to flog (or blog) this iPhone bot thing to death: after all, the number of potential victims should be shrinking all the time. However, having updated my previous blog (http://www.eset.com/threat-center/blog/2009/11/22/ibot-mark-2-go-straight-to-jail-do-not-pass-go) on the topic a couple of times, I thought I'd actually go to a new blog rather than insert update 3.
So here are the update bits again.
[Update, courtesy of Mikko: this worm targets at least one Dutch bank, and activates when users go to the online bank with an infected iPhone.]
[Update 2, courtesy of Paul Ducklin: how to change the password of an infected phone. I could just tell you what the password is, but you might want to read the whole blog: http://bit.ly/4JJMCu]
And the latest update, courtesy of Henk Diemer, comes from http://www.security.nl/artikel/31552/1/iPhone_botnet_raakt_controle_kwijt.html, which broke a lot of the previous news on this and related malware. (Sorry, it's in Dutch.) The article indicates that the botnet has "lost control".
This may not be as positive as it sounds. It may just mean that the C&C server has been taken down through ISP or law enforcement action, which would be nice. On the other hand, it may mean that the server has been switched, or that some other change has been made to the botnet infrastructure. C&C switching is standard botnet practice, and could have been accelerated by attention from the media and the security industry.
Every time we publicise something like this, we have to weigh the immediate benefit to potential and actual victims against the fact that we may make the situation worse, for instance by stampeding the bad guys into moving the goalposts. Sadly, there's no handy cost/benefit analysis tool to make the choice for us.
Perhaps the least attractive possibility is that another group of bad guys has stuck its oar in, though I've seen no evidence of that being the case, so far. If it did happen, that would suggest another rite of passage completed, and a step beyond mere "Proof of Concept" testing.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, We Live Security