Thoughts about the Palm "virus" aka warez.prc aka crack1.1 aka Liberty


When run, this program, posing as a crack for the GameBoy emulator, erases applications installed on the Pilot. This program is not a virus - it doesn't replicate. It could be described as a trojan or as malware, since running it does not produce the result it promises. I contend that the term "sh*tware" is more adequate, as one can safely say that this is one of the dullest and most stupid pieces of software ever written for the Palm or, for that matter, for any computing platform known to mankind at the end of the 20th century.

Yet, that sad truth has not prevented anti-virus companies, the media and the public from talking at length about it. That's why I thought I'd contribute.

While generally keeping an extremely prudent tone - some companies went hysterical when the trojan surfaced, but they have since rather heavily bugfixed their on-line descriptions - the anti-virus industry still feels compelled to detect and to name the thing. Having a name is essential to being noticed. Detection seems the obvious thing to do in such cases, if only to be ready for the day old threats invade new platforms.

Should they detect it? Should they be ready? Do they detect instances of del *.exe or del *.* in batch files? Would you expect a Palm hosted anti-virus program to detect and erase PC batch files containing the above mentioned "dangerous" command? It isn't that simple.

Readiness? Yessssss Sir!

Does readiness matter? Experience shows it does not.

The first viruses for any given platform are, unsurprisingly, simple initial experiments. As such, they neither require the most sophisticated detection techniques nor exploit the target platform's weaknesses to the fullest. A basic anti-virus can very well be a simple piece of code that recursively examines target files for the presence of a given pattern. It's only when the fighting escalates that advanced techniques such as emulation, automatic signature extraction or validation, optimized hashing and sample pre-processing come into play.

Further, once a platform is widespread enough and the viruses it hosts are mature enough, we have been shown that, in practice, readiness does not matter. Even though Word macro viruses had been around in a major way for several years before Melissa, we got into a mess anyway. Even though everyone knew that VBS was functionally equivalent to VBA, even though we knew of the intrinsic weaknesses of the most widespread and integrated e-mail client, even though the majority of the world's corporate computers were behind supposedly airtight firewalls and loaded with a dozen megabytes of generally intrusive resident anti-virus software, we got spanked, yessssir, spanked by LoveLetter...

At that point, even though anti-virus companies reacted quickly - let's give credit where it is due - the most effective measures remained simple and common-sensical: break the registry link that allows the double-click execution of VBS files, set up simple mail server filters to prevent further spreading; even the built-in find command was handy to scan our hard drives... While we should be careful not to overplay these conclusions - after all, the script can easily be "polymorphed" to defeat simple string matching mail scanners - we clearly see that no amount of "readiness" can prevent new threats from spreading when the environment is right, specifically when vulnerable hosts are numerous and not too far apart. By design, scanners that look for a known pattern can't reduce the vulnerability of a population to an unknown threat, and generic detection cannot preempt classes of threats it has never encountered.
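As an added illustration of the two points above (the "recursive pattern scanner" of the earlier paragraph and the limit of known-pattern scanning just described), here is a minimal signature scanner written for this page; it is not code from the original author or from any anti-virus product. The signature name, the byte pattern and the three sample files are all constructed: the scanner flags the known sample, ignores the benign file, and also misses a variant that says the same thing in different bytes.

```python
import os
import tempfile
from pathlib import Path

# Byte patterns stand in for scanner signatures; both the name and the pattern
# are constructed for this example, not taken from any real anti-virus product.
SIGNATURES = {
    "sample-deleter": b"erase all applications",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_tree(root, signatures=SIGNATURES):
    """Recursively walk root; map each matching file to its signature names."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath, fname)
            matched = scan_bytes(full.read_bytes(), signatures)
            if matched:
                hits[full.relative_to(root).as_posix()] = matched
    return hits


def demo():
    """Build a constructed directory tree and scan it.

    The 'variant' file means the same as the known sample but differs in its
    bytes, so the pattern scanner misses it: a known-pattern scanner says
    nothing about a threat it has not already seen.
    """
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "apps/known.txt": b"on launch, erase all applications from the device",
            "apps/variant.txt": b"on launch, ERASE  ALL  applications from the device",
            "apps/benign.txt": b"a note about backing up the device before a sync",
        }
        for rel, content in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())  # {'apps/known.txt': ['sample-deleter']}
```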

One can't get PR without a Name.

So, if readiness does not matter, what does? PR of course. PR is the engine that drives the anti-virus industry. From meaningless detection tests carried out by incompetent people who do not even check whether what they detect really are viruses, but which acquire legitimacy nonetheless through the further re-use and publicity of their flawed results by the anti-virus companies' marketing departments, to high-profile journalists who misunderstand basic issues but amplify threats just to avoid being outdone by a zealous colleague... the media generate FUD. Fear, uncertainty and doubt are powerful forces, especially when they can be substantiated from time to time by major incidents (which demonstrate that no amount of readiness will improve the situation, but let's forget that for the sake of the argument). Fear creates a substrate that lends some default credibility to otherwise laughable would-be threats... Skillfully exploited, the fears of the unsuspecting masses become an incredible revenue generator - the game is worth playing. Besides, skill is not something the anti-virus industry lacks, having discovered - after some early failed experiments (see Michelangelo) - the perfect "Cry Wolf" recipe: just enough real victims to support the paranoia and just enough empty threats to give customers the impression they haven't spent in vain, that they are at least somewhat protected. The PR buzz around this baptism simultaneously marks the birth and the death of the pitiful creature known as warez.prc... But the main goal has been achieved: the average Palm user has discovered that he is at risk - of course the naysayers are right and the meaningless destructive three-liner will soon be forgotten - but he will forever remember that unspeakable dangers are lurking out there, in the Net's darkest recesses.

Sad Conclusion.

Only in this global framework can the recent Palm Pilot event be fully understood. We have followed a long and twisted path to be reminded of one single fact: sometimes computer programs erase files we'd love to keep. But wait, there is more, a free amazing lifetime bonus, as marketoids would put it: we are now secure in the knowledge that we are protected wherever we compute, or at least we should be, or at the _very_ least someone is trying to carry the burden of the watch. The fact that there is no threat is not relevant: wasn't mankind always proud of its virile watches by the campfire? What we are grateful for is the peace of mind or, if we happen to be an IT security manager, the reassuring feeling that only the digital equivalent of a leather belt, reinforced suspenders and buttock padding can provide.

And, as icing on the cake, naming threats on new platforms exorcises the anti-virus industry's own fears, the basic existential worry that one day a new computing platform will come of age, a platform that renders the anti-virus tax obsolete...

Don't worry, guys: as P.T. Barnum had it, some birth rates are a constant function of time.

Pierre Vandevenne

DataRescue, 45 quai de la Dérivation, 4020 Liège (Belgium), tel 32-4-3446510, fax 32-4-3446514