Reverse-Engineering the First Pocket PC Trojan, Part 1
Date: Oct 1, 2004
Introduction
Recently we were the first to provide a detailed analysis and fix for WinCE4.Dust, the inaugural Pocket PC virus. We also gave the first detailed analysis of Mosquito, the inaugural Symbian Trojan horse. Now we're going to present a detailed analysis of Brador, the inaugural Trojan horse for the Windows Mobile operating system.
We weren't the first to discover Brador. We actually had a difficult time getting our hands on it. The author of WinCE4.Dust sent it to all antivirus (AV) companies, including ours (Airscanner). However, Brador was written by a different author, from Russia, who reportedly released it to only a select few "big" AV companies. As a smaller company that focuses exclusively on Windows Mobile antivirus software, we were left out in the cold.
The author, or perhaps his agent, was apparently selling copies of the client to interested parties for $150. With the client, anyone could take total control of a remote Pocket PC and steal passwords, empty bank accounts, or even penetrate "secure" corporate networks. (To put it into perspective, the Windows CE architecture is about as secure as a default Windows 95 installation was a decade ago.) However, no copy of the Trojan server itself could to be found. And we would never pay for a virus binary, as that would contribute to a market incentive for malware creation—a definite conflict of interest.
Fortunately, after mucking around in the underground for a while, we were able to obtain a copy of the Trojan, and we immediately started to reverse-engineer it. This article is our step-by-step investigation—not only of the Trojan, but also of the author, who until this article was not publicly known. We hope you will follow along to learn how to reverse-engineer for yourself. In this article, we use mostly free software tools, with the exception of IDA.
The Hunt Begins
The first step to reverse-engineering a malicious binary is to see what you can find out about it online. When the Brador Trojan first made headlines, it was sensationalized as being a widespread threat, which it really wasn't. Many of the larger antivirus companies that analyzed Brador later changed their descriptions of this Trojan (take a look at some of the change logs for more details). Brador may not be as widespread as originally thought, but it certainly is a threat that can be difficult for a beginner to detect and remove.
Before we dive into the full reverse-engineering process, we take a quick look at the binary using a hex editor. (Many free hex editors are available online.) As Figure 1 shows, the author's email address (brokensword@ukr.net) is included in the Trojan code. This Trojan implements an SMTP-based notification system that sends the victim's details to the author's email address. This email address is the key to the origins of this Trojan. Traced back, this email address originates from Russia, giving us a starting point for our search. Knowing that the Trojan originated in Russia and knowing the email address gives us enough information to begin uncovering the birthplace and author of this Trojan.
)
Figure
1 A quick hex edit of the Brador Trojan reveals the author's email
address.
Would the Trojan author use the same email address elsewhere? A quick search for that email address on Google provided only news reports and analyses of the Trojan. This was information we had already read, and some that we had discovered ourselves. What about a search on Google for sites in Russia that included the word brokensword? The following Google search produced some useful results:
+brokensword inurl:.ru
One of the results was from a site called wasm.ru; realizing from the very compact code that this Trojan was more than likely coded in ASM, this site was our first choice. Wasm.ru proved to be a goldmine of information. The BrokenSword from this site already seemed to be making ASM Trojans for Linux. Other articles on the site, although in Russian, clearly showed that the BrokenSword from this site was extremely knowledgeable in Windows CE security.
While there is never 100% certainty that BrokenSword is the true author, the writer of this page did have a few comments worth noting, in a postscript to his article on securing Windows CE. The following was originally written in Russian, and suffered a bit of translation loss in BabelFish. We've taken the liberty of paraphrasing to make it more readable:
A few words about viruses for WinCE. Until now, there have allegedly been no publicly released viruses for WinCE. This situation seemed to me to be incomprehensible, first that there are no publicly released viruses, and second that the virus would write itself into all the files of the current directory. [We can only guess what this means, but WinCE4.Dust—the first Windows CE virus—only infects files in the root directory, regardless of where it's launched. This is due to the way the filesystem is set up in Windows CE.] To me, it was a chance to become famous in the field, but then I suddenly and randomly visited pocketnow.com, where it was revealed that today (!) [July 19, 2004], the first Pocket PC virus was created (by a fellow of 29A). On Yahoo on Demand, the Windows CE virus had five references to this remarkable case (although only yesterday there was not one on the theme!). I will not be surprised if this will be on all the news in a week. Well, that sucks—my only chance to become famous is forever missed.... The virus, by the way, is sufficiently inoffensive, and even asks the user if it is possible to play pranks on the system. However, I think a Trojan will produce a much larger effect...
It appears that BrokenSword might have been considering a virus of his own when Ratter of 29A collected that "first prize" for himself. It's possible that if Ratter/29A had not released a benign proof-of-concept virus to AV companies first, BrokenSword may have released a deliberately malicious one in the wild.
Macro Analysis
Before disassembling the binary (a "micro" analysis, which we'll perform in the next article), a great deal of information can be discovered by a macro analysis. For example, how does the Trojan embed itself? Does it write to the startup folder? How about the registry? Can the process be killed in memory?
Brador is successful in part because the Pocket PC operating system doesn't come with a native process monitor. Without a process monitor (such as the Win32 Task Manager), it can be difficult to detect and remove this Trojan and any future Trojans. Pocket PC lacks this feature; when a user attempts to delete the malicious file, the system presents an error message saying that the program is in use. In this case, it might seem that the only way to remove the Trojan is a hard factory reset (similar to formatting the hard drive on a desktop PC).
To remove the Trojan without resorting to hard resetting your device, a third-party process monitor is needed. We've provided this tool as part of our antivirus software, which is free for personal use (just download the free, full-featured version).
The Airscanner antivirus software process viewer allows you to view all the current running processes on the Pocket PC and to kill any that you don't want running. In this case, we want to kill the Brador installer before deleting it (see Figure 2).
)
Figure
2 Detecting Brador in memory, using a third-party process monitor.
However, we've only deleted the installer. The trick is that Brador drops the server executable into the Windows startup folder and names it svchost.exe. How did we know this? If you turn on the ActiveGuard feature of the Airscanner antivirus, it monitors all filesystem changes to the Pocket PC. It's similar to a host-based intrusion detection system such as Tripwire for desktop computers.
Figure 3 shows Airscanner's ActiveGuard detecting the secret file created by Brador. Once executed, the Brador installer creates a file called svchost.exe and drops it into the WinCE startup folder at Windows\StartUp\.
)
Figure
3 Using Pocket PC–native, host-based intrusion detection to find where
the Trojan server is dropped.
Many AV company sites simply tell users to delete this file in order to remove the Trojan. But they fail to explain that the file cannot easily be deleted. If an infected victim simply tries to delete the svchost.exe file, she'll get the error shown in Figure 4.
)
Figure
4 You can't delete the Brador server until you kill the process in
memory.
Performing a hard reset of the mobile device would fix the problem, but why should you have to hard reset your Pocket PC just to delete a Trojan? This equates to formatting your desktop PC every time you detect malware. It's an inadequate solution. Instead, use a process manager to kill the running application, and then delete it manually.
More To Come...
Now that we know what the Brador Trojan does and how to kill it, our intrepid team will delve deeply into a micro analysis of the Trojan in part 2.