Trojan horse rears its head on Palms

A malicious program masquerading as an illegal, but free, version of the gaming application Liberty has been making the rounds of Palm newsgroups and chat rooms since late last week.

A software programmer has created the first known Trojan horse for a Palm, raising questions about a possible downside to the company's legions of loyal software developers.

A malicious program masquerading as an illegal, but free, version of the popular gaming application Liberty has been making the rounds of Palm newsgroups and chat rooms since late last week. The arrival of the software, which has the potential to wipe out all the programs stored on the device, is believed to be the first Trojan horse for the Palm.

There are no reports of damage resulting from the Trojan horse, but the event marks the first time the handheld computers have been hit with a major security threat. According to Palm, which is downplaying the Trojan horse's significance, anyone who executes the malicious application can reset the device and re-synchronize with data stored on the PC.

A Trojan horse is a type of code that tricks a computer user into downloading or installing it by masquerading as legitimate software. Palm, which has credited its widespread success in the handheld computer market in part to its legions of third-party software and hardware developers, has been largely immune to these types of problems despite the popularity of these applications.

"We're aware that a developer has posted what appears to be a Trojan horse. Palm does not condone the use of our operating system for creating or distributing potentially destructive software," said Julia Rodriguez, a Palm representative, who added that the company is not warning people about the situation. "We don't see this as a major risk to the user base."

As devices continue to grow in popularity and move into the mainstream, analysts say these types of problems may occur more frequently. Further, because Palms are increasingly used by employees in the workplace, new viruses have the potential to quickly affect entire organizations.

Gartner mobile device analyst Ken Dulaney said he wasn't surprised to hear about the Trojan horse for Palms.

"It's almost a sign of a product becoming a dominant market force," he said.

Dulaney noted that Palms are quite vulnerable to viruses because of the popularity of beaming applications and contact information via the infrared port. "From a security standpoint," he said, "these things are just wide-open doors."

Antivirus software maker McAfee.com last month released the first version of its software designed specifically for personal digital assistants (PDAs). The software maker cited the growing popularity of PDAs as motivation for creating device-specific antivirus software.

"One of the problems is the intermixing of personal and company data," Dulaney said. "Devices like the Palm, which are owned by the individual but used in the corporation, represent this mass intermixing of two worlds which are not intended for each other. One's a highly locked-down environment, and one is use and do whatever you want until it breaks."

This first Trojan horse is also unusual in that the author is not only taking credit for writing the software but is also helping to contain its spread.

Aaron Ardiri is a Palm developer who co-wrote Liberty, a popular application that emulates Game Boy games for the Palm. Ardiri, who also actively campaigns against so-called crackers who steal software, created a destructive Palm application disguised as a free version of Liberty. Crackers search for methods of breaking security codes for Palm games and applications, he said, rather than purchasing the software outright.

Ardiri said the application, which wipes out all programs stored on a device, was part of another project to create a comprehensive uninstall application for the Palm. He initially decided to share the application, which uses the Liberty icon, with a few friends as an experiment in thwarting crackers tempted to download a free version of what is normally proprietary software.

However, the exercise backfired when the application was posted to a Palm developer chat room. Although Ardiri said the software was available in the chat room for less than an hour, he decided to post warnings to popular Palm newsgroups, such as PalmStation.com.

"It was one of the products that was never supposed to be run outside of the workshop," Ardiri said in a phone interview from Sweden. "Doing this on purpose would have been professional suicide. It's not my style."

The developer has been flamed on PalmStation and other Palm newsgroups by people who are skeptical of his story. To date, Palm has received no reports of anyone affected by the Trojan horse.

"This is rather a large event because it is the first virus-like program--although it's not a virus, it's a Trojan horse program," said Hal Schechner, owner of PalmStation, which has posted more than 60 messages about the situation. "In that sense, it's big news."

For his part, Ardiri said he hopes the incident will help people think twice before downloading unknown applications from Web sites.

"The point I'm trying to make is that people, without even thinking about what they're doing, are installing software and running it, which causes problems for everyone," he said.