The Crunch: iPhone virus outbreak, AVG and 2012

 

No business case for OS X anti-virus app.

 

Hundreds, probably thousands of jailbroken iPhones have been infected by a virus written by Ashley Towns, a 21-year-old from Wollongong, who claimed his creation was a "harmless" practical joke.

Ashley said he was surprised by the amount of damage caused by his rick-rolling prank and has conceded the idea was "stupid".

Asked if he regretted the spread of the virus, "God yes," he responded.

You can listen to the entire interview with Ashley, as well as the views of Paul Ducklin from Sophos, on this week's Risky Business Podcast.

Two years ago, AVG's Larry Bridwell said that AVG had an Apple OS version of its security software in the lab. We caught up with him on Monday to find out when, if ever, the product will be released.

And finally, Munir Kotadia went to a special media preview of 2012, the huge blockbuster movie that opened today. So should you go and see it? Watch his report and make up your own mind.


Comments: 5
funkyg
Nov 13, 2009 2:43 PM
Why is this still in the news? The fraction of a % of people who jailbreak their phone should know exactly what they are opening up when they do, and what the potential problems are. If you jail break you should also know how to solve these issues.

I would go so far as saying that this was not even difficult to do and it was just a matter of time before someone was silly enough to do it (I say silly because I really wouldn't want to upset the jailbreaking community - they know how to hack!)

We should emphasise that this is not a problem for iPhones that have not been jail broken, and this is one of the stated reasons that Apple is trying to discourage it.

In the end all this guy did was reinforce Apple's case, and put off people who might legitimately want to push their phones further than Apple wants them to.
OmniaZOID
Nov 14, 2009 1:26 AM
Interesting to see whether there are any consequences for Ashley Towns or whether the fact it only affected JBed iPhones will let it slip and slide away.
Daveh
Nov 16, 2009 10:55 AM
It seems something that nobody is willing to comment on.

The ease of this hack was facilitated by Apple having one standard root password over these systems. The question becomes, what happens when another method of code insertion is found?

Say SMS or EMail. What happens then?

The only people who would be safe from these (ironically) are people who have Jailbroken phones with modified root passwords.

It has been discussed by security groups, but what if an exploit in iPhone text or iPhone email is found? This could lay the groundwork for a mobile botnet. Every iPhone attacking every nearby iPhone collecting more Zombies.

There is a SERIOUS danger here and all that has happened is the danger has been outlined. So let's blame this Ashley, for taking advantage of it, instead of asking Apple why they have this gaping UNIX security hole, makes sense right?
GeordieGuy
Nov 16, 2009 3:46 PM
Daveh you're a goose. Non jailbroken phones don't have an SSH server running, they are the only ones NOT vulnerable.

There was an exploit found in SMS, it was patched. Apple cares if you use it properly, if you create a derivative device they don't.
Daveh
Nov 16, 2009 11:49 PM
GeordieGuy, thanks for showing me I need to be more clear when explaining system penetration. For starters my Jailbroken iPhone doesn't have SSH running, jailbreak does NOT require SSH. You're also making the assumption that SSH is the only attack vector in the known universe, it's not.

Let me spell it out, I'm not talking about THIS exploit - I'm talking about the NEXT exploit.

For theory's sake let me explain how to hack a UNIX based device from a high level. Your aim is to somehow get a daemon/process/application to drop a root level shell. Given that the iPhone has a FIXED root password, this job is made significantly easier, you no longer need a root shell, just A shell.

But let me continue in the hypothetical, AGAIN:
Someone finds a buffer overrun in the iPhone renderer for png's, as a hypothetical. They, hypothetically, email out a png that hits this buffer, overruns it and places a call to access root level and connect to a web server for more instructions, then accesses the address book and emails the same PNG to everyone.

This is a combination of the exploit used to hack most Wii Consoles (BannerBomb overloads a .WAD) and the method used to propagate and run a simple botnet.

The point I am raising is that in modern System V derivatives root passwords aren't set for this reason. You can't directly escalate to root (see Ubuntu and OSX!).

So GeordieGuy, I'm guessing that you missed my point. Apple has missed this BASIC system security tenet and that while there is no problem now, what happens when there is?

What's the phrase, a pint of prevention beats a pound of cure. Just because you can't SEE the exploits in the wild doesn't mean they DON'T or WON'T exist (see SSL for topical irony). Given that there are no ill effects of modifying the root password why can't Apple give this SIMPLE security update, which removes the current generation of threat and could prevent future threats?