Viruses that target handhelds can be even more dangerous than their cousins that attack PCs, spawning self-replicating programs that hide easily, a security researcher told an audience of security professionals at the Black Hat Briefings conference in Las Vegas last week.

The first virus aimed at Pocket PC handhelds, revealed last week, could be far worse if it were modified slightly to carry a harmful payload, said Seth Fogie, a vice president of Airscanner, which develops security software for the Window Mobile platform.

The benign WinCE4.Duts.A (or just "Dust") virus was created as a demonstration of threats against personal digital assistants. However, Fogie noted, such programs could spread stealthily, logging keystrokes on the Pocket PC's "soft keyboard," and sending data stored on handhelds across the Internet.

Sample Weapons

Fogie demonstrated several malicious tools he has created. The programs work properly only on Pocket PCs that use ARM processors -- the same kind of devices that are vulnerable to the Dust virus. Such devices make up the majority of Pocket PC handhelds sold today.

Among Fogie's tools are a keystroke-logging program, a virtual remote control application that runs undetected, and an FTP server applet that could be modified to run invisibly in the background. Rogue applications of these sorts typically spread as Trojan horse programs when PCs are infected with a virus. They allow virus writers to steal or manipulate data, or to make mischief.

The Dust virus is only a proof of concept, carrying no malicious code or destructive programming. In fact, the virus actually asks the handheld's owner for permission to install itself, and in Fogie's demo it obeyed when the "no" button is clicked on its dialog box.

Most disturbing is that only a few characters of code need to be changed to force the handheld device to store or run the programs without the user's being aware of them. Only a hard, factory reset that wipes out the device's entire memory will remove the dangerous payload applications.

Fogie's company is developing a software firewall that runs on Pocket PCs. He says that he expects the company to distribute the tool "free for private, nonbusiness users," similar to the ZoneAlarm firewall for Windows.

Other Presentations

Also speaking at the conference were noted virus researcher Sarah Gordon and Yuji Ukai, a software engineer at EEye Digital Security, which identifies many application vulnerabilities. Gordon presented her analysis of how magazines and antivirus companies test antivirus software. Ukai is recognized as the discoverer of the LSASS vulnerability in Windows that the many versions of the Sasser worm later exploited.

Coders using the monikers HD Moore and Spoonm demonstrated a tool they created called Metasploit, which Spoonm described as a comprehensive platform for testing various exploits against operating systems and applications. In fact, six new kinds of tools for security professionals were announced at various sessions. Among them are applications designed to circumvent so-called Honeynets, or decoy servers that are used by researchers, and an application that can hide data inside executable applications.