Reverse-Engineering the First Pocket PC Trojan, Part 1
Recently we were the first to provide a detailed analysis and fix for WinCE4.Dust, the inaugural Pocket PC virus. We also gave the first detailed analysis of Mosquito, the inaugural Symbian Trojan horse. Now we're going to present a detailed analysis of Brador, the inaugural Trojan horse for the Windows Mobile operating system.
We weren't the first to discover Brador. We actually had a difficult time getting our hands on it. The author of WinCE4.Dust sent it to all antivirus (AV) companies, including ours (Airscanner). However, Brador was written by a different author, from Russia, who reportedly released it to only a select few "big" AV companies. As a smaller company that focuses exclusively on Windows Mobile antivirus software, we were left out in the cold.
The author, or perhaps his agent, was apparently selling copies of the client to interested parties for $150. With the client, anyone could take total control of a remote Pocket PC and steal passwords, empty bank accounts, or even penetrate "secure" corporate networks. (To put it into perspective, the Windows CE architecture is about as secure as a default Windows 95 installation was a decade ago.) However, no copy of the Trojan server itself could to be found. And we would never pay for a virus binary, as that would contribute to a market incentive for malware creationa definite conflict of interest.
Fortunately, after mucking around in the underground for a while, we were able to obtain a copy of the Trojan, and we immediately started to reverse-engineer it. This article is our step-by-step investigationnot only of the Trojan, but also of the author, who until this article was not publicly known. We hope you will follow along to learn how to reverse-engineer for yourself. In this article, we use mostly free software tools, with the exception of IDA.