The Hunt Begins
The first step to reverse-engineering a malicious binary is to see what you can find out about it online. When the Brador Trojan first made headlines, it was sensationalized as being a widespread threat, which it really wasn't. Many of the larger antivirus companies that analyzed Brador later changed their descriptions of this Trojan (take a look at some of the change logs for more details). Brador may not be as widespread as originally thought, but it certainly is a threat that can be difficult for a beginner to detect and remove.
Before we dive into the full reverse-engineering process, we take a quick look at the binary using a hex editor. (Many free hex editors are available online.) As Figure 1 shows, the author's email address (firstname.lastname@example.org) is included in the Trojan code. This Trojan implements an SMTP-based notification system that sends the victim's details to the author's email address. This email address is the key to the origins of this Trojan. Traced back, this email address originates from Russia, giving us a starting point for our search. Knowing that the Trojan originated in Russia and knowing the email address gives us enough information to begin uncovering the birthplace and author of this Trojan.
Figure 1 A quick hex edit of the Brador Trojan reveals the author's email address.
Would the Trojan author use the same email address elsewhere? A quick search for that email address on Google provided only news reports and analyses of the Trojan. This was information we had already read, and some that we had discovered ourselves. What about a search on Google for sites in Russia that included the word brokensword? The following Google search produced some useful results:
One of the results was from a site called wasm.ru; realizing from the very compact code that this Trojan was more than likely coded in ASM, this site was our first choice. Wasm.ru proved to be a goldmine of information. The BrokenSword from this site already seemed to be making ASM Trojans for Linux. Other articles on the site, although in Russian, clearly showed that the BrokenSword from this site was extremely knowledgeable in Windows CE security.
While there is never 100% certainty that BrokenSword is the true author, the writer of this page did have a few comments worth noting, in a postscript to his article on securing Windows CE. The following was originally written in Russian, and suffered a bit of translation loss in BabelFish. We've taken the liberty of paraphrasing to make it more readable:
A few words about viruses for WinCE. Until now, there have allegedly been no publicly released viruses for WinCE. This situation seemed to me to be incomprehensible, first that there are no publicly released viruses, and second that the virus would write itself into all the files of the current directory. [We can only guess what this means, but WinCE4.Dustthe first Windows CE virusonly infects files in the root directory, regardless of where it's launched. This is due to the way the filesystem is set up in Windows CE.] To me, it was a chance to become famous in the field, but then I suddenly and randomly visited pocketnow.com, where it was revealed that today (!) [July 19, 2004], the first Pocket PC virus was created (by a fellow of 29A). On Yahoo on Demand, the Windows CE virus had five references to this remarkable case (although only yesterday there was not one on the theme!). I will not be surprised if this will be on all the news in a week. Well, that sucksmy only chance to become famous is forever missed.... The virus, by the way, is sufficiently inoffensive, and even asks the user if it is possible to play pranks on the system. However, I think a Trojan will produce a much larger effect...
It appears that BrokenSword might have been considering a virus of his own when Ratter of 29A collected that "first prize" for himself. It's possible that if Ratter/29A had not released a benign proof-of-concept virus to AV companies first, BrokenSword may have released a deliberately malicious one in the wild.