> First off, by "propagate," I meant transfer itself from an
> infected device to an uninfected device.

I understood you correctly the first time.

> On a Hotsync, it could reinstall itself on a device, or a trojan
> could be installed initially. I'm not sure how this process could
> infect a *second* palm device, even if they sync to the same box.
> The infected .prc file must be scheduled to install to that device
> name, and I know of no way that an infected palm app can cause the
> sync software's behavior to change.

Your reasoning is mostly correct here - but you underestimate the deviousness 
of the virus writers.

On the PC side, installing into the HotSync process is trivial - it is as easy 
as copying the PRC file into a particular folder and modifying the contents of a 
couple of files. Note that a virus could consist of multiple components and 
have parts running on different platforms (we call those "multi-platform" 
viruses). For instance, it could run on (and infect) a PC and also drop parts 
of itself onto the PDA on HotSync.

As an example (albeit a rather primitive one), the Win32/MTX_II.A virus (which 
infects Windows) drops a PRC file such that it is installed on the PDA running 
PalmOS during a HotSync. The part that is installed there is not viral - it's 
basically a joke application in which the virus author has modified the texts 
on one of the dialogs to include greetings to other virus writers - but you get 
the general idea.

For more information about this virus (and, more exactly, the PalmOS component 
it drops), see

http://www.f-secure.com/v-descs/palm_mtx.shtml

On the PDA side, what would happen if one of the applications gets modified (i.e., 
infected)? Wouldn't it be synched to the PC on the next HotSync?

> On beaming of applications, yes, certainly. But my point about not being
> able to do so surreptitiously still stands. When an application is
> beamed, a modal dialog is displayed requiring the receiver to
> "accept" the application. If the receiver does not do so, I know
> of no way for the beamed app to still infect the machine. Again,
> you might accept a trojan. I never said you couldn't.

Again, you're underestimating the possibilities.

Imagine that, somehow, an application-infecting virus has installed itself on 
your PDA. It is just sitting there, infecting all the applications you put on 
it. Sure, it doesn't propagate to another device - for now.

But, one day, you find a really cool game. You've put it on your device, and 
you liked it so much that you want to share it with your friends who all have 
PDAs running PalmOS. So, you beam it to them - and they accept it, because they 
are your friends and you told them that it's a cool game (and, when they run 
it, it looks like a cool game) - so why wouldn't they accept it?

Unfortunately, the moment you have installed the game on your PDA, the virus 
there has infected it parasitically. When you beam the game to your friend, 
it's no longer the original game - it now has the virus too. Voila, your 
friend's PDA is now infected and the virus can use the same mechanism to spread 
further.

And think also of the possibilities if the PDA is networked! The virus there 
could send e-mails, SMS messages, Bluetooth communications, whatever - as if 
you're doing it.

> The act of inserting a memory card does not, to my knowledge,
> automatically cause the execution of any code on that memory card.
> Again, please correct me if I am wrong.

I honestly don't know - I haven't researched this subject yet. I know that on 
card insertion, some code is executed on the Palm. Whether the card itself can 
have any "autostart" program - I don't know yet.

But the reason why I mentioned it, is because it is a data entry point. The 
contents of the card might contain virus-infected applications. Even if the 
virus there can't execute until you launch one of these applications, it still 
means that a virus can enter your PDA this way. And, once the virus is in your 
PDA, it could intercept memory card insertion and infect all the applications 
that reside there.

> Of course you can run malware. But I still do not see how that
> malware can propagate itself like a virus or worm without the
> PalmOS user *actively triggering* the initial infection.

The PalmOS user won't *know* that s/he is "actively triggering" the initial 
infection.

It's basically the same with PCs, you know? Very few viruses can run themselves 
without user interaction there. Most of the time, some kind of user action is 
required - forgetting a floppy in drive A: at boot time, running a program you 
have downloaded or copied from a floppy, double-clicking on an e-mail 
attachment. Yet despite these "limitations", hundreds of thousands of viruses 
exist for the PCs - and some of them spread very fast and very widely.

> The standard mail and web browser apps for PalmOS do not do file
> downloads or attachments.

I suspect that this is not quite true. PalmOS provides an installer, with which 
you can install applications "off the wire". That is, you can point your 
Web-enabled PDA to the URL on the Web side distributing the application, and 
the necessary stuff gets downloaded and installed onto your PDA.

Nothing prevents a malicious person from distributing a malicious application 
this way. Once installed on your PDA, the virus would examine your contacts and 
send e-mail (which would look as if it comes from you), telling them about 
"this great application; go to that URL to download it".

Furthermore, there was something about the e-mail application "unwrapping" the 
attachments - look for the "exgUnwrap" flag; it is used when you want to 
register your application to handle the data bundled in, say, an e-mail message 
and unpacked by the e-mail application.

So, while it might not be terribly easy, I doubt that e-mail virus propagation 
is impossible.

> > With all due respect, this is probably false. I am not familiar
> > enough with the PalmOS support of Bluetooth, but on the Symbian
> > platform even Trojans can spread like wildfire through this
> > mechanism.
>
> This is the point with which I particularly take exception. All
> receipt of applications causes a modal window requiring
> "acceptance."

Sure they do. They do that on Symbian, too - you get a dialog, asking you 
whether to accept the thing. Make a wild guess - how does the average user 
respond to that dialog? :-)

> This I must agree with. I think the risk of a trojan app is HUGE.
> You are quite right. But I'd like to think that if a person fired
> up their PDA and found the aforementioned modal dialog up and they
> didn't ask anyone to beam them an app, they would have the sense
> to say "no."

Not just the risk of a Trojan - a virus could spread this way too.

I agree that what you say sounds logical. However, for some bizarre reason, 
this logic doesn't seem to hold in the PC world - people keep double-clicking 
on e-mail attachments and getting infected. It doesn't seem to hold in the 
Symbian world. Why do you think that it will hold in the PalmOS world? :-)

Besides, I'll say it again, do not equate "virus" with "immediate mindless 
destruction". The user might be unable to realize the acceptance of *which* 
application has resulted in the troubles s/he currently is experiencing.

> I agree here too. I've been a programmer for 15 years, and I never
> got into the virus culture. I always thought it was more
> interesting to find new constructive things to do with a computer.
> I've never been interested in a life of crime.

Oh, most virus writers don't really think that they are committing a crime. For 
many of them, it is a challenging problem they are solving - e.g., being the 
first to write a virus for some new, unusual environment, being able to write a 
virus that spreads very widely, showing to the world how clever they are, 
making some kind of statement (from a political one to "I love you" to their 
girlfriends) and so on.

At least that's how it used to be. Things have changed lately. Nowadays it is 
indeed mostly the criminals who are doing it for the money - botnets, phishing 
scams, spam, backdoors, keyloggers... :-( This is a completely different crowd 
- and the "quality" (i.e., the cleverness) of the malware has dropped 
considerably, too.

[Kernigan's speech]

Ah, yes, "Reflections on Trusting Trust"; that's a really famous one. :-)

> When I read that excerpt from his speech (given nearly 20 years
> ago now, I think), I realized that the only way I could be sure my
> system was secure would be to bench check every single binary.

You can't do that. What are you going to inspect the binaries with? A debugger? 
A hex editor? What if they have been Trojanized already? :-)

We have this problem for real in the anti-virus world. The various "rootkits" 
often modify the system binaries so that they don't show the malicious 
components (files, directories, Registry entries, etc.). Stealth viruses 
intercept the object read requests and, if the object is infected, modify the 
results of those requests, so that the object looks uninfected to the program 
that has issued the request.

The only reliable way to handle this is to boot from a known-clean environment 
and use known-clean tools for the inspection.

> I don't trust attachments unless they are digitally signed by a
> key I know and trust. (And even then, how sure can I be of the
> owner of that key? I can be sure it was signed with that key, but
> I can't be sure he or she is as careful as I am.)

Yup. His machine could be infected, the virus could have sniffed his passphrase 
and could have signed with his key the infected application it is sending to 
you from his e-mail address.

Regards,
Vesselin
-- 
For information on using the Palm Developer Forums, or to unsubscribe, please 
see http://www.palmos.com/dev/support/forums/
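The stealth mechanism described in the reply above (a resident virus intercepting read requests so that an infected object looks clean to whatever program issued the request) and the recommended countermeasure (inspecting the raw storage from a known-clean environment with known-clean tools) can be modelled in a few lines. The following is an added example, not code from the original thread or from any real virus or anti-virus product; the in-memory "disk", the `<<VX>>` infection marker, the file names and the program contents are all constructed for illustration, and the baseline hashes are assumed to have been taken while the system was still known to be clean.

```python
"""Model of a stealth parasitic infector versus offline inspection.

Constructed example: an in-memory "disk" holding a few program images, a
parasitic appender that infects them, a stealth hook interposed on the read
path (what an infected, running system shows you), and an offline check that
reads the raw storage the way a known-clean boot environment would.
"""
import hashlib

MARKER = b"<<VX>>"  # hypothetical marker that precedes the appended virus body


class Disk:
    """Raw storage: what a known-clean boot environment reads directly."""

    def __init__(self, files):
        self.files = dict(files)

    def raw_read(self, name):
        return self.files[name]

    def raw_write(self, name, data):
        self.files[name] = data

    def names(self):
        return sorted(self.files)


class StealthHook:
    """Resident stealth virus sitting on the system's read path.

    Programs running on the infected system call read(). If the object is
    infected, the hook strips the viral tail before returning the data, so a
    scanner (or a hash tool) using the system's own read path sees the
    original, clean file.
    """

    def __init__(self, disk):
        self.disk = disk

    def read(self, name):
        data = self.disk.raw_read(name)
        idx = data.find(MARKER)
        return data[:idx] if idx != -1 else data  # hide the infection

    def infect(self, name):
        """Parasitic appender: attach the virus body to an uninfected host."""
        data = self.disk.raw_read(name)
        if MARKER not in data:
            self.disk.raw_write(name, data + MARKER + b"virus body")


def baseline(read, names):
    """Record SHA-256 of each object; must be taken while the system is clean."""
    return {n: hashlib.sha256(read(n)).hexdigest() for n in names}

def find_modified(read, names, clean_hashes):
    """Return the objects whose current hash (via the given read path) differs
    from the clean baseline."""
    return sorted(n for n in names
                  if hashlib.sha256(read(n)).hexdigest() != clean_hashes[n])

def demo():
    # Constructed program images; the contents are placeholders.
    disk = Disk({"game.prc": b"PRC..game code..", "mail.prc": b"PRC..mail code.."})
    clean = baseline(disk.raw_read, disk.names())   # taken before infection

    hook = StealthHook(disk)
    hook.infect("game.prc")

    # Inspection through the running (hooked) system: the infection is hidden.
    online = find_modified(hook.read, disk.names(), clean)
    # Inspection of the raw storage from a known-clean environment.
    offline = find_modified(disk.raw_read, disk.names(), clean)
    return online, offline


if __name__ == "__main__":
    online, offline = demo()
    print("seen through the infected system:", online)
    print("seen from a known-clean environment:", offline)
```

The same baseline and the same hash routine are used in both checks; the only difference is which read path the inspection goes through. That is the whole point of the reply's advice: the tool can be perfectly good and still report nothing when every byte it sees has passed through the virus first.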