08-05-2004, 10:30 AM   #1
Steve
Brighthand Founder
Join Date: Nov 2001
Posts: 2,712
Pocket PC Trojan Backdoor Detected

Kaspersky Labs has detected Backdoor.WinCE.Brador.a, the first backdoor for PDAs running under Pocket PC (based on Windows CE).

Read about it at http://www.brighthand.com/article/pocketpc_backdoor

08-05-2004, 02:03 PM   #2
strider_mt2k
Senior Member
Join Date: Dec 2001
Posts: 895

Way to go, Windows!

Way to deliver desktop vulnerability to handhelds too.

08-05-2004, 02:10 PM   #3
NJL!2016
Mobile Enthusiast
Join Date: Sep 2003
Location: United States
Posts: 48

I'd rather keep the insecurity of Windows at home, not in my pocket. That's why I choose PalmOS.
__________________
njl2016.textamerica.com
R.I.P. CLIÉ - 2000-2004

08-05-2004, 02:26 PM   #4
ctitanic
Mobile Deity
Join Date: Aug 2001
Location: Hollywood, FL
Posts: 6,862

Quote:
Brador is a small file (less than 6K in size) that typically arrives as an email attachment. Once launched, it creates a file called svchost.exe in the Windows autorun folder, sends the device's IP address to the author and opens port 44299. This enables the author to take full control of the system and send commands to the program, which has been programmed to perform tasks such as uploading and downloading files, including viruses.
OK, here is how it works: you receive an email from somebody that you don't know, or you go to Kazaa and download a file that you don't know and that claims to be a game for Pocket PC. Then you install it and run it. Up to this point this sounds very stupid, but it works.

Once the virus opens that port... it sends your IP address to the guy who sent you the virus. What IP address? If it sends, let's say, my intranet IP address, that guy won't be able to reach my Pocket PC using that IP. If it sends the IP address of my router, he won't gain access to my intranet either unless he is a very good hacker. So FINITO.

Let's look at another scenario. You are connected via GPRS, so the IP of your Pocket PC Phone Edition gives access to your device. How long do you browse using GPRS? Well, taking into consideration the GPRS price, I won't say long enough to give that guy the chance to browse your whole PPC looking for good information to upload to his PC. On the other hand... as soon as you see anything wrong in your PPC, the first thing you are going to do for sure is to use the magic stylus and the soft reset hole. So FINITO, end of the attack; it will take many times for him to download anything from your device.

This HORROR STORY brings only one question: WHO ARE THE ONES THAT SHOULD BE AFRAID OF THIS VIRUS? Well, it seems to me that it is those downloading illegal software from warez sites and other peer-to-peer places.

08-06-2004, 01:27 PM   #5
imported_Duncan
Mobile Deity
Join Date: Mar 2000
Location: Here
Posts: 1,080

Quote:
Originally posted by NJL!2016
I'd rather keep the insecurity of Windows at home, not in my pocket. That's why I choose PalmOS.
Ah yes - let's keep the functionality of our PDA limited and run in fear of the virus writers...

This trojan is aimed entirely at stupid people. Pretty much any virus aimed at PDAs will only affect stupid people. Come to think of it - I've yet to have a single virus caught by Norton on my home PC that would have been a problem even without virus protection. I wouldn't even get them in my inbox if it wasn't for the brain dead morons that click on stuff they shouldn't...

08-07-2004, 12:40 AM   #6
tes
Newbie
Join Date: Jul 2003
Posts: 9
Possible exploit scenarios for backdoor

Quote:
Once the virus opens that port... it sends your IP address to the guy who sent you the virus. What IP address? If it sends, let's say, my intranet IP address, that guy won't be able to reach my Pocket PC using that IP. If it sends the IP address of my router, he won't gain access to my intranet either unless he is a very good hacker. So FINITO.
Disclaimer: I'm a sysadmin, and these are quick thoughts on threats I might have to defend against.

With a couple of modifications these limits can be circumvented. The trojan can establish an outbound TCP connection to an intermediate zombie machine(s) already under the control of an attacker. Perimeter security devices are frequently configured to permit any outbound traffic. Once a connection exists the attacker is in.

Quote:
How long do you browse using GPRS? Well, taking into consideration the GPRS price, I won't say long enough to give that guy the chance to browse your whole PPC looking for good information to upload to his PC.
So an attacker preloads a search algorithm for popular data targets. Offhand I think the default storage locations for id management & financial apps make good candidates. A user might notice after one billing cycle the extra data transfer. By then it's too late.

How might I get a trojan onto a handheld? Compromised AvantGo channel? Some combination of exploits of desktop IE, allowing access to ActiveSync? Refer to the attacks against finance sites some weeks ago. Does Pocket IE enforce Security Zones? (I don't know.)

Why might I want to attack a handheld? If I catch a corporate machine, maybe I'm lucky enough that the company uses Mobile Information Server (?) and syncs directly with their MS-Exchange store. Maybe someone just wants to be a PITA.

The value of a compromised handheld is the avenues it opens to mount an attack against other entities.

I don't believe it is only warez and P2P users who could get caught up in a horror story. If a firm is going to permit handhelds, and it should, then none of this should be a surprise, and products are available to deal with the threat.
tes is offline  
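
A defender-side check built from the two indicators raised in this thread, the listening port 44299 from the quoted Brador description and the unrestricted outbound traffic described in post #6. This is an added example, not part of any post; the log format, the handheld subnet and the allow-list are constructed assumptions.

```python
import ipaddress

BRADOR_PORT = 44299  # listening port named in the quoted Brador description
# Assumptions for this example: handhelds live in their own subnet and
# should only talk to these services (sync/mail server, web proxy).
HANDHELD_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTS = {("10.0.0.5", 443), ("10.0.0.8", 3128)}

# Constructed firewall log lines: time action proto src:port dst:port
SAMPLE_LOG = """\
2004-08-06T09:01:12 ALLOW tcp 10.20.0.17:1034 10.0.0.5:443
2004-08-06T09:02:40 ALLOW tcp 10.20.0.23:1051 198.51.100.7:8080
2004-08-06T09:03:05 DENY tcp 203.0.113.9:3345 10.20.0.23:44299
2004-08-06T09:04:00 ALLOW tcp 10.0.0.40:2001 192.0.2.10:80
malformed line
"""

def parse(line):
    """Return (ts, action, src_ip, src_port, dst_ip, dst_port) or None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, action, _proto, src, dst = parts
    try:
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        return (ts, action, ipaddress.ip_address(s_ip), int(s_port),
                ipaddress.ip_address(d_ip), int(d_port))
    except ValueError:
        return None

def findings(log_text):
    """Flag Brador-port traffic and unexpected handheld egress."""
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, action, s_ip, s_port, d_ip, d_port = rec
        if BRADOR_PORT in (s_port, d_port):
            out.append((ts, "brador-port", str(s_ip), str(d_ip)))
        elif (s_ip in HANDHELD_NET and action == "ALLOW"
              and (str(d_ip), d_port) not in ALLOWED_DESTS):
            out.append((ts, "unexpected-egress", str(s_ip), str(d_ip)))
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(*f)
```

The second rule is the one that matters for the scenario in post #6: a handheld that opens its own outbound connection never shows up as inbound traffic to port 44299, so only an egress allow-list catches it.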

08-11-2004, 04:14 PM   #7
Eriq
Junior Member
Join Date: Jul 2004
Location: Denver Colorado
Posts: 2
Last thing I want is Norton-Antivirus running in the background on my Pocket PC Phone

I'm not worried--right now--about viruses for the Pocket PC. Why would you want to control a Pocket PC? The memory is so limited an attacker would find little or nothing to do with it. I understand the virus was probably just created to see if this could be done, but I really don't think that any real hacker would focus their time on a Pocket PC or other PDA.

But when the time comes, the last thing I want is Norton Anti-Virus running in the background on my Pocket PC Phone slowing it down even further. That'll be a nightmare.

08-11-2004, 04:19 PM   #8
ctitanic
Mobile Deity
Join Date: Aug 2001
Location: Hollywood, FL
Posts: 6,862
Re: Last thing I want is Norton-Antivirus running in the background on my Pocket PC Phone

Quote:
Originally posted by Eriq
I'm not worried--right now--about viruses for the Pocket PC. Why would you want to control a Pocket PC? The memory is so limited an attacker would find little or nothing to do with it. I understand the virus was probably just created to see if this could be done, but I really don't think that any real hacker would focus their time on a Pocket PC or other PDA.

But when the time comes, the last thing I want is Norton Anti-Virus running in the background on my Pocket PC Phone slowing it down even further. That'll be a nightmare.
I agree with you 200%.