Slashdot Mirror


First Trojan for Windows CE Released

Tuxedo Jack writes "Symantec and The Register are reporting that the first Windows CE trojan horse, known as Brador, has been mailed to Trend Micro. This cannot spread on its own; it must be mailed or transmitted, then opened. Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it. As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?"

49 of 213 comments

  1. Only a matter of time I guess... by pillageplunder · · Score: 4, Interesting

    Interesting point that it cannot spread on its own. It appears to be following similar paths to viruses for other OS...start simple, move up in complexity and sneakiness.
    Greaaaaaat.

    --
    "Work is the curse of the drinking class" Oscar Wilde
    1. Re:Only a matter of time I guess... by Lumpy · · Score: 5, Interesting

      not really.

      The first viruses I saw back in the 80's were 20 times more elegant and amazing. They would actually attach to other programs, changing the first byte of the software to jump to the end of the program, execute the virus, then run the program. Many would even convince the DOS dir command to lie to the user and show the same filesize as the normal program... even though a user would not really notice the file size change since many of these viruses were smaller than 1K, some less than 500 bytes.

      today we really don't have many viruses but simply mal-ware.... although there are some real viruses out there.

      granted adding network capabilities to a virus is harder, but a simple local filesystem spreader can jump network mounted drives because the OS is happy to make it easy for the program.

      --
      Do not look at laser with remaining good eye.
    2. Re:Only a matter of time I guess... by Errtu76 · · Score: 2

      Also back then the virii were more 'fun' to have. I still remember my mom, on a 8088 freaking out when a bouncing ball was on her screen, right in the middle of Word Perfect :) Or when my dad asked me to remove the music from his programs. Apparently every now and then he had to stop working, because the pc was playing yankee doodle :)

    3. Re:Only a matter of time I guess... by Anonymous Coward · · Score: 2, Insightful

      Somewhere along the line people figured out that viruses just have nowhere near the spreading power of an email that says "click here for porn -> porn.exe". The sad part is, that it STILL fucking works! You'd think everyone and their dog would have learned after the LoveLetter "virus" (which is actually a trojan), but no, people will happily click on any random attachment, even if there is no message, and the file name means absolutely nothing. Simply put, the cleverness of creating a virus pales in comparison to preying on the stupidity of regular people - sad but true.

    4. Re:Only a matter of time I guess... by maxwell+demon · · Score: 3, Interesting

      Hmmm ... my television is actually connected to a network (the cable TV network). Do I need a firewall for it?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    5. Re:Only a matter of time I guess... by bsmoor01 · · Score: 2, Informative

      NTFS

  2. Of course we're going to need firewalls... by Dagny+Taggert · · Score: 4, Insightful

    ..for CE because, as usual, people will have to patch their CE-based PDA. If desktop Windows is any example, most people won't bother to download security updates, leading to exposure to other damaging variants. I'm sure the brains at Symantec are running in high gear right about now.

    --
    Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
    1. Re:Of course we're going to need firewalls... by danamania · · Score: 2, Interesting

      ..for CE because, as usual, people will have to patch their CE-based PDA

      Good point, if WinCE based machines operate in a network manner the same as desktop Windows. Are they in any way comparable? If you somehow had a desktop running WinCE, would it be comparable to say, a Win XP machine with its networking?

    2. Re:Of course we're going to need firewalls... by SpinyManiac · · Score: 5, Funny

      This is a social engineering exploit in user.exe
      To patch this vulnerability, run the following:

      clueX4.exe /beat common.sense user.exe

      --
      It's never too late to have a happy childhood.
    3. Re:Of course we're going to need firewalls... by FireFury03 · · Score: 3, Funny

      Just wait - soon you'll need to download 70MB patches over GPRS :)

    4. Re:Of course we're going to need firewalls... by thpdg · · Score: 4, Informative

      Don't forget that with Windows CE, when you do a hard reset, it's like formatting a hard drive. Any updates you have on, will be erased and need to be reinstalled. For some users, that would need to happen pretty regularly.
      It's because of this, that most Windows CE updates are in the form of ROM updates, and these don't usually make it to consumers, and when they do, are a pain to install.
      There are ways around it, but Microsoft isn't showing any effort, perhaps now they will. Every time I reset, I have to install the updates for Pocket MSN and Pocket IE from flash card again.

      --

      -Patrick

      "They never stop thinking about new ways to harm our country and our people, and neither do we."

    5. Re:Of course we're going to need firewalls... by silverfuck · · Score: 3, Insightful

      IMHO, any device capable of running user programs and with any sort of communications should need a firewall. Computers need them, handhelds need them, soon phones (when they become more like PDAs) will need them, everything! It would save a lot of bother if this type of feature were designed into a system from the beginning, when the threat was more theory than any real problem - just think how things would be if computers had had firewalls from the beginning.

      --
      You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
    6. Re:Of course we're going to need firewalls... by Anonymous Coward · · Score: 2, Funny

      unless the virus disables the hard reset using the forward deflector array and

      never mind.

    7. Re:Of course we're going to need firewalls... by RevAaron · · Score: 4, Informative

      Good point, if WinCE based machines operate in a network manner the same as desktop Windows. Are they in any way comparable? If you somehow had a desktop running WinCE, would it be comparable to say, a Win XP machine with its networking?

      Short answer: yes.

      Long answer: Pretty much. CE doesn't have the services with ports open that regular Windows does, but otherwise the networking system is very similar in its capabilities. When it's on it's always on. CE is a lot like regular NT/XP in a lot of ways in its capabilities, though it was done from scratch, which benefits it a lot. It has a substantial subset (think Carbon from Mac OS Toolbox) of the Win32 API found in XP.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
  3. i find it interesting by dncsky1530 · · Score: 2, Interesting

    that smartphones were hit by a worm before windows CE, anyone wondering the same thing?

    1. Re:i find it interesting by SenseiLeNoir · · Score: 2, Informative

      that was a concept worm.. not a real worm, please do not do a SCO and make something seem different to what it really is.

      Secondly it uses the standard Bluetooth file transfer mechanism, and does not exploit any vulnerability. The Symbian (certainly on my p800) system will receive a file ONLY if it is paired to the phone, otherwise you get a message specifically asking if you wish to receive it.

      Once received, you have to open the warn, read about two or three warnings, telling exactly what is happening before you even get to the point of installing the application. Finally the application needs to be physically started.

      Finally being a 10meter range on bluetooth, guess what the biggest limiting factor is!

      I know users can be stupid, but this one would most probably remain a concept, nothing more

      --
      Have a nice day!
  4. Its about time! by Anonymous Coward · · Score: 4, Interesting

    Can you get virus/wormprotection for CE already at all?

    1. Re:Its about time! by anno1602 · · Score: 2, Informative

      RTFA. The link that has details to the Virus has update instructions for Symantec AntiVirus for Handhelds (TM). So, in a word: Yes.

    2. Re:Its about time! by SpinyManiac · · Score: 2, Informative

      And Trend.

      --
      It's never too late to have a happy childhood.
  5. Marketshare isn't an issue either with this by CrackedButter · · Score: 3, Interesting


    There are more mac's than Windows CE devices yet there is now a virus for that platform. That argument about macs having a smaller marketshare and thus are not the target of hackers can be thrown out of the window.
    Can it?

    1. Re:Marketshare isn't an issue either with this by DaHat · · Score: 2, Interesting

      You say that as if there are no viruses on the Mac platform. A simple google search will reveal that is not the case.

    2. Re:Marketshare isn't an issue either with this by gl4ss · · Score: 2, Interesting

      this is not a virus, or not even a trojan.

      it's an honest backdoor program.. which means that it's just a program that takes commands from outside the device and as such is very unlikely to even be first of its kind.

      very bad excuse for an antivirus company to get some pr tho.

      I believe this kind of programs exist for mac as well(opensshd would technically count as well, strange we don't see it mentioned there).

      --
      world was created 5 seconds before this post as it is.
    3. Re:Marketshare isn't an issue either with this by fiftyvolts · · Score: 4, Informative

      I'm a Mac user, perhaps even a Mac zealot, but I'll admit that there are security issues with OS X. First of all no matter what OS you run someone can make a Trojan horse. It's quite easy to write a program that just zaps all your files or something. If you can convince someone to run your code, no matter how many warnings the OS throws up, then you've pretty much got them by the balls so to speak.

      In addition there was one quite scary vulnerability with macs. As you may know when you double click an Icon OS X helpfully tries to figure out how to "do what you mean." It is possible to hide executable code in the data tags on a mp3 that OS X will (helpfully?) run when it is double clicked. If you play it through iTunes it will seem like a regular mp3, but opening it could run malicious code.

      I am still of the opinion that windows is swiss cheese when it comes to holes, but no operating system is immune to duplicity

    4. Re:Marketshare isn't an issue either with this by mst76 · · Score: 4, Informative

      Except that this isn't a virus or a worm, it's a trojan. Trojans are trivial to make for any OS that can execute applications. You can probably come up with your own OSX trojan in 30 seconds.

    5. Re:Marketshare isn't an issue either with this by Carnildo · · Score: 2, Insightful

      Last time I checked, there were 24 viruses and one worm. None of them would work on MacOS X.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  6. This is a Good Thing by wackysootroom · · Score: 4, Funny

    First Trojan for WinCE? Good! Now I won't have all of these little Pocket PCs running around!

  7. Ask a stupid question... by A+Guy+From+Ottawa · · Score: 3, Funny
    will we soon need firewalls for Windows Embedded?

    If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.

    Sincerely,
    GWB

    --

    using System.Awesome;

    1. Re:Ask a stupid question... by FireFury03 · · Score: 2, Insightful

      If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.

      No - if your device is set up _correctly_ then insecure and unnecessary services shouldn't even be listening for connections from the big bad internet, so you don't need a firewall.

      IMHO the _only_ reasons to have a firewall on a system set up by someone with a clue are:
      1. controlling forwarded traffic if the device is routing network traffic for other machines
      2. as a fail safe in case you accidentally enable a service you didn't intend to.

    2. Re:Ask a stupid question... by aurelian · · Score: 2, Insightful
      If you mean that the attacker could install code listening on any other port then a firewall running on the machine itself isn't going to help you - there's nothing stopping the attacker from shutting down the firewall while they're installing a rootkit.

      Sure, if it's an attacker installing a rootkit then there's not much you can do. But internet worms aren't necessarily that sophisticated. Often they're just looking for unpatched unprotected boxes.

  8. Attitudes to networking by rokzy · · Score: 3, Insightful

    >will we soon need firewalls for Windows Embedded?

    given how important and prevalent networking is, shouldn't every network capable device now have some sort of a firewall?

    by analogy, after seatbelts were invented, instead of waiting for a car crash and asking
    "do cars need seatbelts?", then waiting for a van crash and asking
    "do vans need seatbelts?", then waiting for an SUV crash and asking
    "do SUVs need seatbelts", then waiting for a lorry crash and asking
    "do lorries need seatbelts" ...
    just skip to the end - put seatbelts in all vehicles unless a very good reason not to.

    1. Re:Attitudes to networking by FireFury03 · · Score: 3, Insightful

      "do busses need seatbelts?" - yes, but not many have them
      "do trains need seatbelts?" - probably, but they don't have them
      "do motorcycles need seatbelts?" - dunno, but I don't see many of them :)

    2. Re:Attitudes to networking by MikeXpop · · Score: 2, Interesting
      "do motorcycles need seatbelts?"
      That's the silliest thing I've ever heard. Of course they don't need them. Adding seat belts would be a safety hazard. If I fall on a motorcycle, the last thing I want is to have a motorcycle strapped to me. The whole purpose of a seatbelt is so you don't smash into the front of the car/train/bus. That doesn't make sense on a motorcycle.
      --
      Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
  9. diebold. by Neophytus · · Score: 4, Interesting

    IIRC everybody's favorite e-voting company Diebold uses CE for their voting machines. I wouldn't be surprised if they used it for their ATMs too. There's a pretty big market to be hit if you can get a worm onto either of those private networks.

  10. first? bullshit. by gl4ss · · Score: 4, Insightful

    since it doesn't even spread or do anything except accept commands over network I highly doubt that it isn't the first of its kind.

    and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

    and built for botnets? no way, are you disconnected with reality? building a botnet with these would be total idiocy.

    and then it's for windows mobile, not ce(yes, a mild difference but difference anyways): " Backdoor.Brador.A will work on Windows Mobile 2003 and only affects ARM-based devices."

    oh and another thing. 99% of the time these devices are behind NAT if they're on network.

    --
    world was created 5 seconds before this post as it is.
    1. Re:first? bullshit. by barcodez · · Score: 2, Insightful

      and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

      OK from the post not even the article...

      Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it.

      So adding a firewall will stop commands from evil doers (tm) from executing on your PDA. The point of this trojan is you trick people into installing it. Send a mail saying "hey install this cool new game!".

      --

      ----
  11. Re:Windows Broken Security Model. by tesmako · · Score: 4, Insightful

    Well I would love to hear how all the people posting in this story complaining about the operating system security suggest how to prevent this trojan from working? It does not spread, you have to manually download it or get it in a mail, it does not automatically run, you have to run it yourself, just where is the operating system supposed to look to be able to tell that the user needs to be protected from itself?

  12. Isn't this just an updated amish virus? by AnswerIs42 · · Score: 2, Funny
    I mean, if I have to send it to someone, hope they receive it on their PDA, open and install it and have a wireless or wired connection for it to work..

    Wouldn't it just be easier to send them the Amish Virus instead?

  13. Useful! by mwdmeyer · · Score: 2, Funny

    Hey maybe this program is really useful? I mean does microsoft have a remote control program for windows CE? Think of it like terminal service but FREE! This program is good. Install it!

  14. You shouldn't need a firewall by Gothmolly · · Score: 2, Insightful

    For a PDA. Why does WinCE ship with any ports open at all? What possible services should it offer in an out-of-the-box, no-user-input-required configuration? Look at OSX, no ports open by default. Look at any decent Linux distro - the daemons listen on localhost only. When will MS change their tune, or are they operating under the 'no such thing as bad publicity' theory?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:You shouldn't need a firewall by jimicus · · Score: 3, Insightful

      "No Ports Open" simply means that nothing's listening on those ports. It doesn't mean there's some voodoo magic which keeps them closed. If you want that, it implies you want something at a TCP/IP level in the host OS preventing anything from getting to user level programs. I'd call that a firewall.

      The daemons listening on localhost are configured to. Users don't usually configure trojans.
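
The distinction drawn in the comment above (a daemon bound to localhost versus a listener reachable from the network), as an added example that is not part of the original thread: a Python audit of Windows-style `netstat -an` output against an allowlist of expected ports. The sample output, the port numbers and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of Windows `netstat -an` output;
# the addresses and ports are made up for this example.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:631          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31000          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49210     203.0.113.7:25         ESTABLISHED
  TCP    [::1]:8080             [::]:0                 LISTENING
  TCP    [::]:40000             [::]:0                 LISTENING
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in a listening state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or not fields[0].upper().startswith("TCP"):
            continue
        if fields[3].upper() not in ("LISTEN", "LISTENING"):
            continue
        try:
            yield split_endpoint(fields[1])
        except ValueError:
            continue  # local address not in a form this parser understands


def audit(netstat_text, allowed_ports):
    """Return (address, port, scope, allowed) tuples, one per listener.

    scope is 'loopback' when only local processes can connect and
    'network' when the socket is bound to a wildcard or routable address.
    """
    report = []
    for addr, port in listeners(netstat_text):
        scope = "loopback" if addr.is_loopback else "network"
        report.append((str(addr), port, scope, port in allowed_ports))
    return report


def unexpected_exposed(netstat_text, allowed_ports):
    """Listeners reachable from the network that nobody signed off on."""
    return [(a, p) for a, p, scope, ok in audit(netstat_text, allowed_ports)
            if scope == "network" and not ok]


if __name__ == "__main__":
    for addr, port, scope, ok in audit(SAMPLE_NETSTAT, allowed_ports={22}):
        status = "expected" if ok else "UNEXPECTED"
        print(f"{addr:>12}:{port:<6} {scope:<9} {status}")
    print("investigate:", unexpected_exposed(SAMPLE_NETSTAT, {22}))
```

Loopback listeners outside the allowlist still appear in the `audit` report; only wildcard or routable binds are escalated by `unexpected_exposed`.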

  15. they are already creating a firewall for it by FluffyG · · Score: 3, Interesting

    I had a chat with my cousin's husband close to a year ago and he was working with a company that was creating a firewall for Windows CE because they knew this would become a problem plus there are already numerous security flaws he explained to me which I forgot over the course of a year...
    so the idea of a Windows CE firewall has already been in the works for some time...

    I was doing a project for school and this topic came up because it was a new technology that could be exploited over time

  16. Not a big deal. by mst76 · · Score: 4, Insightful

    What's the big deal about this, trojans are easy to write for any OS. This particular one opens a listening TCP port, and emails out its IP address. Since WinCE is a fairly complete OS with a TCP/IP stack and an email client, it's rather obvious that something like this can be written. If they'd discovered a hole that can be exploited without user intervention, that would be big news.

    A possible security weakness of WinCE is that it has no real user and privilege separation (like Win9x). But what many people who argue for security through privilege separation forget to mention is that a standard user (both on NT and Unix) usually has quite a lot of privileges. You don't need to be root to open ports >1024 or silently send out thousands of emails. Remember, anything YOU can do under a normal user account, a trojan can do as well. So something like this could be easily written for Linux or MacOS. The only security that privilege separation buys you is that you normally can't change system or other users' files. Since WinCE only supports one user, and the system is in ROM (a hard reset erases all viruses), there is nothing to be gained here.

  17. My Firewall IS running Windows CE by Air-conditioned+cowh · · Score: 4, Interesting

    I just got a Belkin 54g ADSL router and have been dismayed by its annoying habit of not syncing for hours at a time then deciding to work again. Another ADSL modem works all the time.

    I discovered that the admin interface called up a file with a .exe suffix. Oh oh. That means that the box itself is running some kind of MS software. This probably explains why it behaves in such a flakey manner generally.

    I wonder how long it will be before these so-called firewall boxes are turned into zombies.

    Now Windows is worming its way into more and more embedded appliances people are just having to get used to a lower and lower standard of reliability from devices that never used to crash or get viruses, such as ATM machines, firewall/routers, mobile phones etc.

    I hope consumers and embedded developers become aware of this and stop the rot.

  18. Re:The more viruses.. by tehcyder · · Score: 2, Funny
    Call me paranoia
    Well, I'd call you paranoid.

    If you think you are a disease, I'd say there's certainly something wrong.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  19. What about PalmOS? by lokiz · · Score: 2, Interesting

    Anyone know if there have been any malware for PalmOS? Go into any CompUSA, BestBuy, Staples etc and the PDA's will have PalmOS or WindowsCE. Once in a blue moon you'll find a linux based PDA, but it is still rare. So I would think a security comparison would be in order of PalmOS and WindowsCE since they are the more common PDA OS's.

  20. COOL! by jav1231 · · Score: 2, Funny

    Trojan: "Dude! I owned an iPAQ! Emailed to the user, he opened me up and BAM! I had root access to this...uh...little....uh...bitty....room. ....ahemm..."

  21. Firewalls all around! by Cid+Highwind · · Score: 3, Insightful

    "...and it leads me to wonder: will we soon need firewalls for Windows Embedded?"

    Not soon, you need them now! If a device has a public network interface, it needs a firewall. It's not just a matter of Windows sucking, PalmOS, Symbian, Linux, etc. devices are going to have exploitable bugs (and therefore need firewalls) as well.

    --
    0 1 - just my two bits
  22. Catching trojans is for idiots by nurb432 · · Score: 2, Insightful

    A trojan requires direct user intervention.. It should not surprise anyone that one exists..

    It should be a surprise that people still fall for them in this day and age.

    Now if this was a worm for CE.. that would be news.

    --
    ---- Booth was a patriot ----
  23. No big whoop by Xeger · · Score: 2, Insightful

    It's not exactly difficult to make a trojan for Windows CE... just write a simplistic Win32 trojan, taking care to only use API calls supported by CE and avoiding use of the standard C library (always good advice when writing virii/worms/trojans, anyhow!)

    If someone had released this trojan for the Win32 platform it would be almost laughable, not newsworthy except for its silliness. But compile it against a different set of DLLs and target a different architecture, and suddenly it's news? What gives?!?

    Not to mention the fact that the heterogeneity of Windows CE instruction set architectures makes it hard for a virus or worm to spread. Even if you write a genuine virus, if you target ARM (the most popular chip for CE devices), at best you'll be able to infect 60% of the devices your virus encounters.