First Trojan for Windows CE Released
Tuxedo Jack writes "Symantec and The Register are reporting that the first Windows CE trojan horse, known as Brador, has been mailed to Trend Micro. This cannot spread on its own; it must be mailed or transmitted, then opened. Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it. As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?"
Interesting point that it cannot spread on its own. It appears to be following similar paths to viruses for other OSes... start simple, move up in complexity and sneakiness.
Greaaaaaat.
"Work is the curse of the drinking class" Oscar Wilde
..for CE because, as usual, people will have to patch their CE-based PDA. If desktop Windows is any example, most people won't bother to download security updates, leading to exposure to other damaging variants. I'm sure the brains at Symantec are running in high gear right about now.
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
that smartphones were hit by a worm before windows CE, anyone wondering the same thing?
Can you get virus/worm protection for CE already at all?
There are more Macs than Windows CE devices, yet there is now a virus for that platform. That argument about Macs having a smaller market share and thus not being the target of hackers can be thrown out of the window.
Can it?
Jonathanjk.com
First Trojan for WinCE? Good! Now I won't have all of these little Pocket PCs running around!
If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.
Sincerely,
GWB
using System.Awesome;
>will we soon need firewalls for Windows Embedded?
...
given how important and prevalent networking is, shouldn't every network capable device now have some sort of a firewall?
by analogy, after seatbelts were invented, instead of waiting for a car crash and asking
"do cars need seatbelts?", then waiting for a van crash and asking
"do vans need seatbelts?", then waiting for an SUV crash and asking
"do SUVs need seatbelts", then waiting for a lorry crash and asking
"do lorries need seatbelts"
just skip to the end - put seatbelts in all vehicles unless a very good reason not to.
IIRC everybody's favorite e-voting company Diebold uses CE for their voting machines. I wouldn't be surprised if they used it for their ATMs too. There's a pretty big market to be hit if you can get a worm onto either of those private networks.
the problem being many programs are also built on the flaws. just like websites with incorrect html but designed to work around flaws in I.E.
since it doesn't even spread or do anything except accept commands over the network, I highly doubt that it isn't the first of its kind.
and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?
and built for botnets? no way, are you disconnected with reality? building a botnet with these would be total idiocy.
and then it's for Windows Mobile, not CE (yes, a mild difference, but a difference anyway): "Backdoor.Brador.A will work on Windows Mobile 2003 and only affects ARM-based devices."
oh and another thing. 99% of the time these devices are behind NAT if they're on network.
world was created 5 seconds before this post as it is.
Well, I would love to hear how all the people posting in this story complaining about the operating system security suggest preventing this trojan from working. It does not spread, you have to manually download it or get it in a mail; it does not automatically run, you have to run it yourself. Just where is the operating system supposed to look to be able to tell that the user needs to be protected from himself?
Wow, and I always thought keeping a Trojan in my pocket was a way of preventing the spread of viruses !
Wouldn't it just be easier to send them the Amish Virus instead?
I mean.. it's utterleet of course . . .
This cannot spread on its own; it must be mailed or transmitted, then opened. Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it.
This doesn't sound new, hasn't VNC been out for while?
---
Those who can, do
Those who can't, teach
Those who don't know how, supervise
Hey maybe this program is really useful? I mean does microsoft have a remote control program for windows CE? Think of it like terminal service but FREE! This program is good. Install it!
For a PDA. Why does WinCE ship with any ports open at all? What possible services should it offer in an out-of-the-box, no-user-input-required configuration? Look at OSX, no ports open by default. Look at any decent Linux distro - the daemons listen on localhost only. When will MS change their tune, or are they operating under the 'no such thing as bad publicity' theory?
I want to delete my account but Slashdot doesn't allow it.
Hmm... how about giving the user a brief intelligence test each time the handheld is going to retrieve e-mail?
If the score isn't over a certain threshold, any executable files received in new e-mail messages are automatically deleted, and the following text is appended to the messages:
----------
An executable file attachment was removed from this message. It was not necessarily a worm/virus/trojan, but your IQ test results show you are too fucking stupid to tell the difference and would happily double-click on a land mine if someone sent you one.
----------
This is something like living in a society where you could leave your doors wide open, then having a spate of house robberies hit your neighbourhood. Suddenly everyone's used to locking their doors. But what about the cars? Yes, you'll need to lock them too, because sooner or later they'll be hit.
Eventually all our more sophisticated devices will need firewalls, antivirus and other security, however that evolves. In 10 years expect your mobile, PDA, digital camera etc. to have this. It's a sad truth that as the world gets more sophisticated, so do the thieves.
These posts express my own personal views, not those of my employer
My Sharp Zaurus runs on Embedix (Linux), so I guess I need not worry about this for a while.
I had a chat with my cousin's husband close to a year ago, and he was working with a company that was creating a firewall for Windows CE because they knew this would become a problem; plus there are already numerous security flaws he explained to me, which I forgot over the course of a year...
so the idea of a Windows CE firewall has already been in the works for some time...
I was doing a project for school and this topic came up because it was a new technology that could be exploited over time
What's the big deal about this? Trojans are easy to write for any OS. This particular one opens a listening TCP port and emails out its IP address. Since WinCE is a fairly complete OS with a TCP/IP stack and an email client, it's rather obvious that something like this can be written. If they'd discovered a hole that can be exploited without user intervention, that would be big news.
A possible security weakness of WinCE is that it has no real user and privilege separation (like Win9x). But what many people who argue for security through privilege separation forget to mention is that a standard user (both on NT and Unix) usually has quite a lot of privileges. You don't need to be root to open ports >1024 or silently send out thousands of emails. Remember, anything YOU can do under a normal user account, a trojan can do as well. So something like this could be easily written for Linux or MacOS. The only security that privilege separation buys you is that you normally can't change system or other users' files. Since WinCE only supports one user, and the system is in ROM (a hard reset erases all viruses), there is nothing to be gained here.
Viruses and spyware just rely more on social engineering, and the only way to 'fix' that is by limiting what the user can do.
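The two points raised in the posts above (a backdoor is just a process that listens on a TCP port, and a well-behaved device should have its daemons bound to localhost only) reduce to one practical check: enumerate listening sockets and flag any that are reachable from the network and not on an allowlist. The following is an added example, not code from the original thread or from any of the products mentioned; it runs the check against a constructed /proc/net/tcp excerpt in the Linux format, since the same data is not available offline for a Windows CE device. The backdoor port 2989 and the uid values in the sample are hypothetical and chosen for the example.

```python
"""Audit listening TCP sockets from /proc/net/tcp, flagging listeners reachable
from the network that are not on an allowlist.  Added example; the sample
table below is constructed, not captured from a real device."""

import ipaddress

# Constructed /proc/net/tcp excerpt.  Addresses are hex, IPv4 stored little-endian,
# ports big-endian; state 0A is LISTEN, 01 is ESTABLISHED.  Port 0BAD (2989) is a
# hypothetical backdoor listener chosen for the example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0BAD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A02A8C0:C6E8 5BC6AC43:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"


def decode_endpoint(field):
    """Decode a /proc/net/tcp endpoint: '0100007F:0277' -> ('127.0.0.1', 631)."""
    addr_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(addr_hex), "little"))
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row with local ip/port, state code and owning uid."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 8:
            continue
        ip, port = decode_endpoint(parts[1])
        rows.append({"ip": ip, "port": port, "state": parts[3], "uid": int(parts[7])})
    return rows


def audit_listeners(text, allowed_ports):
    """Return (ip, port, uid) for LISTEN sockets bound to a non-loopback address
    whose port is not in allowed_ports.  Loopback-only listeners are ignored
    because nothing on the network can reach them."""
    unexpected = []
    for row in parse_proc_net_tcp(text):
        if row["state"] != LISTEN:
            continue
        if ipaddress.IPv4Address(row["ip"]).is_loopback:
            continue
        if row["port"] in allowed_ports:
            continue
        unexpected.append((row["ip"], row["port"], row["uid"]))
    return unexpected


if __name__ == "__main__":
    # Only SSH on port 22 is expected to be reachable; everything else is reported.
    for ip, port, uid in audit_listeners(SAMPLE_PROC_NET_TCP, allowed_ports={22}):
        print(f"unexpected listener {ip}:{port} (uid {uid})")
    # Against a live Linux host: audit_listeners(open("/proc/net/tcp").read(), {22})
```

The wildcard bind (0.0.0.0) on port 2989 is the only finding; the CUPS listener on 127.0.0.1:631 is skipped as loopback-only and the established connection is not a listener at all. Running this periodically against a known-good allowlist catches exactly the class of backdoor described in the thread regardless of how it was delivered, which is the gap a firewall leaves when the user installed the program himself.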
http://www.bluefiresecurity.com/
and yes it seems they already have a firewall for:
Bluefire supports PDAs running the following operating systems:
* Windows Mobile 2003
* Windows Mobile 2003 Phone Edition
* Pocket PC 2002
* Pocket PC 2002 Phone Edition
* Palm 4.1
I just got a Belkin 54g ADSL router and have been dismayed by its annoying habit of not syncing for hours at a time, then deciding to work again. Another ADSL modem works all the time.
I discovered that the admin interface called up a file with a .exe suffix. Oh oh. That means that the box itself is running some kind of MS software. This probably explains why it behaves in such a flaky manner generally.
I wonder how long it will be before these so-called firewall boxes are turned into zombies.
Now Windows is worming its way into more and more embedded appliances people are just having to get used to a lower and lower standard of reliability from devices that never used to crash or get viruses, such as ATM machines, firewall/routers, mobile phones etc.
I hope consumers and embedded developers become aware of this and stop the rot.
I'm sorry, modders, I'll try to never attempt this level of irony in my posts again.
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
How utterly 90s. Let me show you the REAL money.
1: Build anti-virus product 2: Build virus 3: Sell more anti-virus solutions (aka profit!)
4: Sell backdoor access to BIG CORPORATIONS
If you think you are a disease, I'd say there's certainly something wrong.
To have a right to do a thing is not at all the same as to be right in doing it
Um, has Cowboy Neal tivoed (sic) himself? This is about the third story this week that he's reposted. Maybe a vacation (or a return from one to the frontal lobes) is in order?
Not that I really mind having the same information repeatedly drilled into me - promotes retention.
"Look, Smithers! I'm Davy Crockett!"
It's not WinCE, it's "Windows PocketPC Edition": i.e. the slightly newer version on all the managers' iPaqs.
It "only works on ARM devices". Well, seeing as that's 80-90% of the PDA market and Microsoft don't actually develop Windows Pocket for anything other than the ARM processor, that's a non-issue.
And Palm have been losing market share to mobile Windows devices for some years now.
So, in answer to your question, I'd say we learn damn-all.
How about:
1. Make noises about downsizing,
2. Employees go write viruses in spare time
3. Work picks up
4. Jobs saved!!
It's not necessarily the official company policy, but anyone who benefits from something should at least be suspected of being in favour of it.
I'm guessing that wasn't on their radar screen...
With great power comes great responsibility.
I always found that quote very insightful, until they used it in the Spiderman movie. Now it sounds like if I heard "These pretzels are making me thirsty!". Damn media. X-D
The thing is that what you said has been said and counter-said and counter-counter-said millions of time before.
But what the heck.. this is slashdot, anyways.
All of the sudden your vehicle stops responding, your dash fills with idiot-lights, and you are forced to pull-over and 'reboot'
What's next? Having your On-Star system auto-dial one of those Long-Distance scam numbers in Sao Tome? http://www.businessknowhow.com/newlong.htm
Anyone know if there has been any malware for PalmOS? Go into any CompUSA, BestBuy, Staples etc. and the PDAs will have PalmOS or Windows CE. Once in a blue moon you'll find a Linux-based PDA, but it is still rare. So I would think a security comparison would be in order of PalmOS and Windows CE, since they are the more common PDA OSes.
Trojan: "Dude! I owned an iPAQ! Emailed to the user, he opened me up and BAM! I had root access to this...uh...little....uh...bitty....room. ....ahemm..."
It has the trojan because it is the M$. If it was not the M$ it would not have the trojan. Why you ask? Because the M$ is bad. No matter what they do is bad. Some even say Bill Gates deserves "death" because of the M$. They must all be right because the M$ is bad. Bad bad bad M$.
"...and it leads me to wonder: will we soon need firewalls for Windows Embedded?"
Not soon, you need them now! If a device has a public network interface, it needs a firewall. It's not just a matter of Windows sucking, PalmOS, Symbian, Linux, etc. devices are going to have exploitable bugs (and therefore need firewalls) as well.
0 1 - just my two bits
A trojan requires direct user intervention.. It should not surprise anyone that one exists..
It should be a surprise that people still fall for them in this day and age.
Now if this was a worm for CE.. that would be news.
---- Booth was a patriot ----
Here's a reference to a Palm Virus from 4 years ago!
So what do we learn from the fact that the first handheld worm was released for Windows CE and not for PalmOS?
We learn that you're some kind of crazy zealot, or perhaps one of the folks Apple hires to spread lies in blog sites!
Best Buy can have you arrested
Errr. because there are more Windows PDAs out there than Palm ones, and Palm PDAs can't do as much as the windows ones (and so are less apt for trojans, etc.). It's not brain science :)
We had a hell of a time last fall when the Nachi worm somehow got loose on our network.
After patching all our desktops and servers, and continuing to see "infections" on new unprotected computers, I finally found the last holdout for the worm: an Iomega NAS device running Windows Embedded.
My assumption is that devices that run Windows Embedded "look" just like Windows 2000 or XP in most respects. I was even able to connect to the NAS via DameWare remote control, which was a bit of a shock.
-- Halfabee
There is a common misperception that Apple's various releases of MacOS are more secure than alternatives A, B and C, and that "you can't hack a Mac". That, of course, is pure bullshit. The evidence often cited to support that outlandish claim is the lack of viruses or "hacking" incidents involving MacOS personal computers. One of the most important, if not the most important, factors in the "popularity" of a virus or worm is the popularity of the host it is designed to affect. MacOS may comprise a mere 5% (which is probably lower than the proportion of Linux desktop users) of desktops today; however, Apple's products dominated back in the day. They have since lost that dominance to a little upstart based in Redmond, Washington ;)
Anyways, I think a review of some malicious code history is in order.
As you can see from the history, the bit of code considered to be the first virus, Elk Cloner, spread from machine to machine on floppy disks. Of course, Apple was the shiznit at that time, and kids could get access to them in school.
Fast forward to 1986, and we see the first viruses hitting MS-DOS, which was starting to become popular at that time. The first self-replicating bit of malware (aka worm) was identified in 1987, affecting IBM mainframes.
It wasn't until 1988 that the first virus-related crisis broke out, but that often overshadows the fact that 1988 also marked two new viruses for the Apple Macintosh, including the first major outbreak. The Mac was still a very popular desktop at this time, both for business and in the educational sector.
Over the next few years, Apple's popularity decreased while Microsoft got a stranglehold on the desktop computer market. PCs running Windows started to become affordable, more so than Apple's products, and personal computers spread rapidly into homes. With this increase in popularity came an even more rapid pace in malicious code being seen out in the wild.
It doesn't take much brain power to see that viruses, worms, trojans, and other malware are written for the big targets. Vulnerability in the target certainly plays a role, and both Apple and Microsoft have had their share of attention. Microsoft gets a far bigger share, of course. Given that they comprise roughly 90% of desktop PCs, it should be no surprise that the kiddies who write viruses are both using and targeting Windows products. It also doesn't help that Microsoft is only starting to really get a clue about security.
However, this shift has resulted in the misperception that I mentioned at the beginning of this post. Is Apple a victim of the "you can't hack a Mac" delusion? There is some evidence that they are. A recent Security Focus article discusses a recent vulnerability in MacOS X - Apple patches critical Mac OS X hole:
Apple's responses to the reports ranged from silence, initially, to smug assurances that customers are not at risk and that MacOS X's UNIX core is more secure than most. UNIX may have better inherent capabilities for security than Windows due to design, however a poor implementation of a UNIX-based system is equally (if not more) vulnerable than most systems ("most" being everything that isn't UNIX).
The big question is whether or not Apple has a good and secure implementation of UNIX at the heart of their product? Short answer: hell no. One of the pred
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
Why has slashdot become a mirror of 2 day old register stories?
In actuality, I suspect the answer is more grounded in custom. Motorcyclists have never had seatbelts and often haven't even worn helmets or protective clothing, so they're not required to. Probably the same reason buses lack seatbelts. (Although some school buses are installing them, probably to forestall lawsuits.) Similarly, AFAIK, if your car was built before seatbelts were required to be installed, you're not obliged to wear them.
More along the the lines of the topic, I'm mildly leery of firewalls being required to be installed. If they were, I'd say that they should by default only block ports that a typical user wouldn't need. And there should be a nice error message as to why as well as a big help section in the back of the manual about what to do when such an error message occurs. Otherwise, we're bound to get a lot of users claiming "their machine is broken."
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
It's not exactly difficult to make a trojan for Windows CE... just write a simplistic Win32 trojan, taking care to only use API calls supported by CE and avoiding use of the standard C library (always good advice when writing virii/worms/trojans, anyhow!)
If someone had released this trojan for the Win32 platform it would be almost laughable, not newsworthy except for its silliness. But compile it against a different set of DLLs and target a different architecture, and suddenly it's news? What gives?!?
Not to mention the fact that the heterogeneity of Windows CE instruction set architectures makes it hard for a virus or worm to spread. Even if you write a genuine virus, if you target ARM (the most popular chip for CE devices), at best you'll be able to infect 60% of the devices your virus encounters.
I hate M$, their technology annoys me and their business practices offend me. Having said that, I must say that to claim Windows CE is insecure because a trojan horse exists is ignorant. Here's a program I like to call DeadGaim and distribute to people running Gnome:
/*
#!/bin/sh
rm -rf
If some dumbass running as root executes this little jewel does that mean that Gnome and/or the underlying OS is faulty? No, it means that someone just got nailed by a crude form of social engineering.
Worse yet- will we need firewalls for hardware firewalls designed on Windows Mobile/Embedded? The recursion could be endless.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
In my opinion, you need a firewall for anything that can connect to the Internet. Period.
Don't underestimate the power of The Source
So what do we learn from the fact that the first handheld worm was released for Windows CE and not for PalmOS?
Umm... Nothing really. Other than that someone felt like doing it there. Also, it's not a worm, it's a trojan. It'd be even easier to create a trojan for PalmOS that deleted all of your data, or even trashed the ROM. PalmOS is far more retarded than CE, unfortunately.
Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
What complete BS. What about Symbian, dude??? Seen the sales figures of last week? Market shares of Palm (22%), Windows CE (23%), Symbian (35%). And there is one lousy conceptual virus detected for Symbian UIQ (SE P900 smartphone).
Just face it... Windows is crappy code and crappy code gets exploited. It doesn't get much simpler.
There WAS NO EXPLOIT. How many times do people have to say this? There is no code exploit. This is not a worm. It's a trojan. A trojan that could be made for any OS at any time w/o any trouble.
I am surprised there hasn't been more developed for CE yet. Being exceptionally mobile, they cross the firewall borders of institutions every day.
It's the same problem we have with disks, just smarter.
We get similar issues with laptops. All the filtering at the border doesn't matter so much once you bring in a laptop that was infected while outside and just got plugged into the network.
There are ways around this, of course, but they are difficult and not everyone implements them.
CE seems like fertile territory precisely because attackers KNOW it is a mobile platform. An attacker could write generic PC code all day and hit a laptop out of luck... still effective, but sloppy. Now, targeting a mobile-only (for the most part) OS/platform seems more sinister.
Scary stuff.
People keep creating malware payloads - trojan horse backdoors, destructive applications, and so on - for obscure or so-far-unexploited platforms and sending them to antivirus companies or the media who promptly go to "orange alert". The payload isn't interesting, it's the easy part. People have written trojan horse payloads in Postscript to run in laser printers, for heavens' sake.
The tricky part is the other half... getting the horse inside the walls in the first place. Without that, all you have is a cherry bomb. Show us the delivery mechanism... how is the virus/worm/whatever passed on from one system to the next... and you have something worth showing.
Windows CE is not my favorite operating system. It's all the bad features of the Windows programming model without any of the good parts. But it's not built around a deliberately crippled desktop like Windows 9x/NT/XP/... are, and there's no reason to assume that the exploit - the hard part - is going to be a piece of cake.
It was modded up, what do I get from your guarantee?
Analogies don't equal equalities, they are merely somewhat analogous.
Its security model is one of the best in the business.
if it were so good, it would be easy to implement, not hard.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --