First Trojan for Windows CE Released

Tuxedo Jack writes "Symantec and The Register are reporting that the first Windows CE trojan horse, known as Brador, has been mailed to Trend Micro. This cannot spread on its own; it must be mailed or transmitted, then opened. Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it. As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?"

Of course we're going to need firewalls...

[Dagny+Taggert]

..for CE because, as usual, people will have to patch their CE-based PDA. If desktop Windows is any example, most people won't bother to download security updates, leading to exposure to other damaging varients. I'm sure the brains at Symantec are running in high gear right about now.

Re:Of course we're going to need firewalls...

[silverfuck]

IMHO, any device capable of running user programs and with any sort of communications should need a firewall. Computers need them, handhelds need them, soon phones (when they become more like PDAs) will need them, everything! It would save a lot of bother if this type of feature were designed into a system from the beginning, when the threat was more theory than any real problem - just think how things would be if computers had had firewalls from the beginning.

Attitudes to networking

[rokzy]

>will we soon need firewalls for Windows Embedded?

given how important and prevalent networking is, shouldn't every network capable device now have some sort of a firewall?

by analogy, after seatbelts were invented, instead of waiting for a car crash and asking
"do cars need seatbelsts?", then waiting for a van crash and asking
"do vans need seatbelts?", then waiting for an SUV crash and asking
"do SUVs need seatbelts", then waiting for a lorry crash and asking
"do lorrys need seatbelts" ...
just skip to the end - put seatbelts in all vehicles unless a very good reason not to.

Re:Attitudes to networking

[FireFury03]

"do busses need seatbelts?" - yes, but not many have them
"do trains need seatbelts?" - probably, but they don't have them
"do motorcycles need seatbelts?" - dunno, but I don't see many the them :)

first? bullshit.

[gl4ss]

since it doesn't even spread or do anything except accept commands over network I highly doubt that it isn't the first of it's kind.

and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

and built for botnets? no way, are you disconnected with reality? building a botnet with these would be total idiocy.

and then it's for windows mobile, not ce(yes, a mild difference but difference anyways): " Backdoor.Brador.A will work on Windows Mobile 2003 and only affects ARM-based devices."

oh and another thing. 99% of the time these devices are behind NAT if they're on network.

Re:first? bullshit.

[barcodez]

and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

OK from the post not even the article...

Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it.

So adding a firewall will stop commands from evil doers (tm) from executing on your PDA. The point of this trojan is you trick people into installing it. Send a mail saying "hey install this cool new game!".

Re:Windows Broken Security Model.

[tesmako]

Well I would love to hear how all the people posting in this story complaining about the operating system security suggest how to prevent this trojan from working? It does not spread, you have to manually download it or get it in a mail, it does not automatically run, you have to run it yourself, just where is the operating system supposed to look to be able to tell that the user needs to protected from itself?

Re:Ask a stupid question...

[FireFury03]

If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.

No - if your device is set up _correctly_ then insecure and unnecessary services shouldn't even be listening for connections from the big bad internet, so you don't need a firewall.

IMHO the _only_ reasons to have a firewall on a system set up by someone with a clue are:
1. controlling forwarded traffic if the device is routing network traffic for other machines
2. as a fail safe incase you accidentally enable a service you didn't intend to.

You shouldn't need a firewall

[Gothmolly]

For a PDA. Why does WinCE ship with any ports open at all? What possible services should it offer in an out-of-the-box, no-user-input-required configuration? Look at OSX, no ports open by default. Look at any decent Linux distro - the daemons listen on localhost only. When will MS change their tune, or are they operating under the 'no such thing as bad publicity' theory?

Re:You shouldn't need a firewall

[jimicus]

"No Ports Open" simply means that nothing's listening on those ports. It doesn't mean there's some voodoo magic which keeps them closed. If you want that, it implies you want something at a TCP/IP level in the host OS preventing anything from getting to user level programs. I'd call that a firewall.

The daemons listening on localhost are configured to. Users don't usually configure trojans.

Not a big deal.

[mst76]

What's the big deal about this, trojans are easy to write for any OS. This particular one opens a listening TCP port, and emails out it's IP address. Since WinCE is a fairly complete OS with a TCP/IP stack and an email client, it's rather obvious that something like this can be written. If they'd discovered a hole that can be exploited without user intervention, that would be big news.

A possible security weakness of WinCE is that it has no real user and priviledge separation (like Win9x). But what many people who argue for security through priviledge seperation forget to mention is that a standard user (both on NT and Unix) usually has quite a lot of priviledges. You don't need to be root to open ports >1024 or silently send out thousands of emails. Remember, anything YOU can do under a normal user account, a trojan can do as well. So something like this could be easily written for Linux or MacOS. The only security that priviledge separation buys you is that you normally can't change system or other users' files. Since WinCE only supports one user, and the system is in ROM (a hard reset erases all virusses), there is nothing to be gained here.

Ahem..... ILOVEYOU

[jimicus]

kindly check the attached LOVELETTER coming from me.

<Attachment: LOVE-LETTER-FOR-YOU.TXT.VBS>

... and I guarantee this will be modded down.

Re:Marketshare isn't an issue either with this

> There are viruses for Mac OS X.
For an extra ten points, name all of them

Typical mac zealot response. Go google them yourself. You'll find dozens

Re:Ask a stupid question...

[aurelian]

If you mean that the attacker could install code listening on any other port then a firewall running on the machine itself isn't going to help you - there's nothing stopping the attacker from shutting down the firewall while they're installing a rootkit.

Sure, if it's an attacker installing a rootkit then there's not much you can do. But internet worms aren't necessarily that sophisticated. Often they're just looking for unpatched unprotected boxes.

Firewalls all around!

[Cid+Highwind]

"...and it leads me to wonder: will we soon need firewalls for Windows Embedded?"

Not soon, you need them now! If a device has a public network interface, it needs a firewall. It's not just a matter of Windows sucking, PalmOS, Symbian, Linux, etc. devices are going to have exploitable bugs (and therefore need firewalls) as well.

Catching trojans is for idiots

[nurb432]

A trojan requires direct user intervention.. It should not suprise anyone that one exists..

It should be a suprise that people still fall for them in this day and age.

Now if this was a worm for CE.. that would be news.

Re:Only a matter of time I guess...

Somewhere along the line people figured out that viruses just have no where near the spreading power of an email that says "click here for porn -> porn.exe". The sad part is, that it STILL fucking works! You'd think everyone and thier dog would have learned after the LoveLetter "virus" (which is actually a trojan), but no, people will happily click on any random attachment, even if there is no message, and the file name means absolutely nothing. Simply put, the cleverness of creating a virus pales in comparison to preying on the stupidity of regular people - sad but true.

/. is a mirror of the register

Why has slashdot become a mirror of 2 day old register stories?

No big whoop

[Xeger]

It's not exactly difficult to make a trojan for Windows CE... just write a simplistic Win32 trojan, taking care to only use API calls supported by CE and avoiding use of the standard C library (always good advice when writing virii/worms/trojans, anyhow!)

If someone had released this trojan for the Win32 platform it would be almost laughable, not newsworthy except for its silliness. But compile it against a different set of DLLs and target a different architecture, and suddenly it's news? What gives?!?

Not to mention the fact that the heterogeneity of Windows CE instruction set architectures makes it hard for a virus or worm to spread. Even if you write a genuine virus, if you target ARM (the most popular chip for CE devices), at best you'll be able to infect 60% of the devices your virus encounters.

Re:Marketshare isn't an issue either with this

[Carnildo]

Last time I checked, there were 24 viruses and one worm. None of them would work on MacOS X.