Before disassembling the binary (a "micro" analysis, which we'll perform in the next article), a great deal of information can be discovered by a macro analysis. For example, how does the Trojan embed itself? Does it write to the startup folder? How about the registry? Can the process be killed in memory?
Brador is successful in part because the Pocket PC operating system doesn't come with a native process monitor. Without a process monitor (such as the Win32 Task Manager), it can be difficult to detect and remove this Trojan and any future Trojans. Pocket PC lacks this feature; when a user attempts to delete the malicious file, the system presents an error message saying that the program is in use. In this case, it might seem that the only way to remove the Trojan is a hard factory reset (similar to formatting the hard drive on a desktop PC).
To remove the Trojan without resorting to hard resetting your device, a third-party process monitor is needed. We've provided this tool as part of our antivirus software, which is free for personal use (just download the free, full-featured version).
The Airscanner antivirus software process viewer allows you to view all the current running processes on the Pocket PC and to kill any that you don't want running. In this case, we want to kill the Brador installer before deleting it (see Figure 2).
Figure 2 Detecting Brador in memory, using a third-party process monitor.
However, we've only deleted the installer. The trick is that Brador drops the server executable into the Windows startup folder and names it svchost.exe. How did we know this? If you turn on the ActiveGuard feature of the Airscanner antivirus, it monitors all filesystem changes to the Pocket PC. It's similar to a host-based intrusion detection system such as Tripwire for desktop computers.
Figure 3 shows Airscanner's ActiveGuard detecting the secret file created by Brador. Once executed, the Brador installer creates a file called svchost.exe and drops it into the WinCE startup folder at Windows\StartUp\.
Figure 3 Using Pocket PCnative, host-based intrusion detection to find where the Trojan server is dropped.
Many AV company sites simply tell users to delete this file in order to remove the Trojan. But they fail to explain that the file cannot easily be deleted. If an infected victim simply tries to delete the svchost.exe file, she'll get the error shown in Figure 4.
Figure 4 You can't delete the Brador server until you kill the process in memory.
Performing a hard reset of the mobile device would fix the problem, but why should you have to hard reset your Pocket PC just to delete a Trojan? This equates to formatting your desktop PC every time you detect malware. It's an inadequate solution. Instead, use a process manager to kill the running application, and then delete it manually.