Infecting a vehicle with a virus?
A virus or a trojan are pieces of code which automate an attack, and propagate more or less automatically (the terminology is a bit sloppy). First there must be a vulnerability which can be exploited to run malicious code on the target. There are many kinds of vulnerabilities, including a gullible user who will "open executable attachments" (the core principle of many a trojan), but there must be some. Then, the virus/trojan/malware brings it up to a higher level through automation.
With a vulnerability, the attacker gains some control on one car. Most attackers will stop there, because they are car thieves and don't want to take the control of any other car than the one they are standing next to. Even more so, they don't want to steal a car which is "too much damaged", be it mechanically or logically.
A car virus, "infecting" a lot of cars, would allow for large-scale heists, e.g. plunging a whole car-loving country into pedestrian chaos, or blackmailing authorities with the prospect of killing random drivers (gee, when I write that, I almost hear the voice of Bruce Willis cracking jokes while shooting villains). While this would be a great Hollywood scenario, I expect massive car-stealing to occur first. We will get warnings.
A redeeming property of cars is that they are not electronically centralized, not in the same was as a smartphone. An iPhone has a single big CPU which does everything. A car has dozens of small CPU, each responsible for one or two tasks. Though they are linked together, they still have a lot of autonomy. A remote exploit on a car would probably allow for shutting it down, or blinking lights, but not override everything. Car manufacturing regulations are also adamant: come what may, the driver must still be able to brake by heavily pushing on the pedal, even in case of a total collapse of electronics, e.g. after having been hit by lightning. The hand-brake, also, is supposed to be entirely mechanical, with no electrical part. As long as these properties are maintained, you cannot be abducted by your own car, even if it has "automatic driving" abilities.
To be honest I'm not worried only about malware/virus but also about the possible bugs inside all the electronics of the car/vehicle.
During "Hack in the Box" conference in Amsterdam, a security researcher Hugo Teso demonstrates how to take control of the electronic system of an air plane with an Android application (http://conference.hitb.org/hitbsecconf2013ams/hugo-teso/).
Our role, the role of community in this way is to research and to inform/share our results to avoid that someone use this information in a bad way. It's an important role but is the unique way that I know to do all the best for the others.
Modern cars are built from dozens (or even hundreds) of interconnected computer systems, so there is certainly no reason they can't be susceptible to malware; you've already noted the recent example of hackers playing with a car while a reporter drives it.
Are there technical measures being taken to reduce the possibility? Some. Many of those systems are located on factory-baked ROMs that can't be reprogrammed, or that have very limited amounts of RAM, and therefore can't host a malware infection. But in general, the entire CAN bus architecture was designed a long time ago without security in mind, and the whole vehicle must be treated as a single trusted entity.
You noted physical access above, but that gap is widening as carmakers try to provide more integrated "features" for consumers. My car provides no less than twenty-three entry points that are available to both me and to potential attackers!
Safely locked inside the cabin there is a USB port and a CD/DVD drive that directly interfaces with the stereo; there is also the OBD-II jack. Unless the attacker is already inside my car, (such as a 'friend' with a thumb drive,) those are fairly safe.
Externally, there are three short-range RFID readers available, at the trunk, driver's door, and inside the cabin. There are four RF based short-range tire pressure sensors and receivers. There is a Bluetooth system interfacing with the stereo that has at least a ten meter range outside the vehicle. There is an RF based remote keyless entry transceiver that works from several dozen meters. And there is an independent RF based remote starter that works from 500 meters away. Finally, the stereo receives both terrestrial HD-Radio and satellite data streams for music, traffic, weather, news, and other types of data.
Any of those offer some kind of access into my car's electronic system, and I can only trust that the automaker has secured them all.
In addition to the data-based interfaces above, there are other entry points into the car that are connected to the bus. There is a rear-facing camera on the trunk, and a forward facing camera for a driver safety system. Is it possible they have a library that can read and parse barcodes for some legitimate reason? If so, can a barcode be used to inject an attack into them? There is also a radar transceiver, four ultrasonic range sensors, and the nav system has a GPS receiver. While I have no idea how an attacker might use any of those to gain some kind of access, and I would categorize them as a very low risk, that doesn't discount the fact that very clever people have attacked all kinds of systems before.
Finally, there is another non-obvious area of vulnerability -- the side mirrors. My mirrors have at least three electronic functions: remote X-Y movement, dimming courtesy lights, and a "blind spot occupied" warning light. To handle all this activity, I can only assume that the CAN bus is extended into the mirror housing, meaning a thief with a screwdriver is probably only a small piece of plastic away from interfacing with my electronics from outside my car. From there, he could tell the doors to unlock, clip in his own malicious device, or do whatever he wants.
This car is also three years old. Newer cars include WiFi access points and GSM transceivers, providing ever more accessible connectivity options for the would-be attacker. Features are definitely expanding faster than security.