
First Trojan for Windows CE Released

Tuxedo Jack writes "Symantec and The Register are reporting that the first Windows CE trojan horse, known as Brador, has been mailed to Trend Micro. This cannot spread on its own; it must be mailed or transmitted, then opened. Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it. As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?"
  • by pillageplunder ( 183475 ) <`moc.liamtoh' `ta' `eniatootnrat'> on Friday August 06, 2004 @06:55AM (#9897860)
    Interesting point that it cannot spread on its own. It appears to be following similar paths to viruses for other OS...start simple, move up in complexity and sneakiness.
    Greaaaaaat.
    • by Lumpy ( 12016 ) on Friday August 06, 2004 @07:55AM (#9898132) Homepage
      not really.

      The first viruses I saw back in the 80's were 20 times more elegant and amazing. They would actually attach to other programs, changing the first byte of the software to jump to the end of the program, execute the virus, then run the program. Many would even convince the DOS dir command to lie to the user and show the same filesize as the normal program... even though a user would not really notice the file size change since many of these viruses were smaller than 1K, some less than 500 bytes.

      Today we really don't have many viruses but simply malware.... although there are some real viruses out there.

      granted adding network capabilities to a virus is harder, but a simple local filesystem spreader can jump network mounted drives because the OS is happy to make it easy for the program.

      • Indeed. Back then it was an intellectual treat to read the assembly of a virus, for a lot of them at least. It may sound lame to say that, but it's true. Like looking at the DNA of a tapeworm. Today's viruses and worms work, but only because Windows is that wide open in so many ways- the people behind them aren't doing that much thinking.
      • Also back then the virii were more 'fun' to have. I still remember my mom, on an 8088 freaking out when a bouncing ball was on her screen, right in the middle of Word Perfect :) Or when my dad asked me to remove the music from his programs. Apparently every now and then he had to stop working, because the pc was playing yankee doodle :)
      • by Anonymous Coward
        Somewhere along the line people figured out that viruses just have no where near the spreading power of an email that says "click here for porn -> porn.exe". The sad part is, that it STILL fucking works! You'd think everyone and their dog would have learned after the LoveLetter "virus" (which is actually a trojan), but no, people will happily click on any random attachment, even if there is no message, and the file name means absolutely nothing. Simply put, the cleverness of creating a virus pales i
    • "...will we soon need firewalls for...."

      Silly question. The answer is always, "yes, and you should have designed them in from the beginning."

      If it connects to a network, it needs protection. It's as simple as that.
  • ..for CE because, as usual, people will have to patch their CE-based PDA. If desktop Windows is any example, most people won't bother to download security updates, leading to exposure to other damaging variants. I'm sure the brains at Symantec are running in high gear right about now.
    • ..for CE because, as usual, people will have to patch their CE-based PDA

      Good point, if WinCE based machines operate in a network manner the same as desktop Windows. Are they in any way comparable? If you somehow had a desktop running WinCE, would it be comparable to say, a Win XP machine with its networking?
      • by RevAaron ( 125240 ) <revaaron@hotmail. c o m> on Friday August 06, 2004 @08:21AM (#9898314) Homepage
        Good point, if WinCE based machines operate in a network manner the same as desktop Windows. Are they in any way comparable? If you somehow had a desktop running WinCE, would it be comparable to say, a Win XP machine with its networking?

        Short answer: yes.

        Long answer: Pretty much. CE doesn't have the services with ports open that regular Windows does, but otherwise the networking system is very similar in its capabilities. When it's on it's always on. CE is a lot like regular NT/XP in a lot of ways in its capabilities, though it was done from scratch, which benefits it a lot. It has a substantial subset (think Carbon from Mac OS Toolbox) of the Win32 API found in XP.
    • by SpinyManiac ( 542071 ) on Friday August 06, 2004 @07:11AM (#9897916)
      This is a social engineering exploit in user.exe
      To patch this vulnerability, run the following:

      clueX4.exe /beat common.sense user.exe

    • Just wait - soon you'll need to download 70MB patches over GPRS :)
    • by thpdg ( 519053 ) on Friday August 06, 2004 @07:35AM (#9898030) Journal
      Don't forget that with Windows CE, when you do a hard reset, it's like formatting a hard drive. Any updates you have on will be erased and need to be reinstalled. For some users, that would need to happen pretty regularly.
      It's because of this that most Windows CE updates are in the form of ROM updates, and these don't usually make it to consumers, and when they do, are a pain to install.
      There are ways around it, but Microsoft isn't showing any effort, perhaps now they will. Every time I reset, I have to install the updates for Pocket MSN and Pocket IE from flash card again.
      • by Anonymous Coward
        unless the virus disables the hard reset using the forward deflector array and

        never mind.
      • Don't forget that with Windows CE, when you do a hard reset, it's like formatting a hard drive. Any updates you have on will be erased and need to be reinstalled. For some users, that would need to happen pretty regularly.
        It's because of this that most Windows CE updates are in the form of ROM updates, and these don't usually make it to consumers, and when they do, are a pain to install.
        There are ways around it, but Microsoft isn't showing any effort, perhaps now they will. Every time I reset, I have to insta
    • IMHO, any device capable of running user programs and with any sort of communications should need a firewall. Computers need them, handhelds need them, soon phones (when they become more like PDAs) will need them, everything! It would save a lot of bother if this type of feature were designed into a system from the beginning, when the threat was more theory than any real problem - just think how things would be if computers had had firewalls from the beginning.
    • You can already get firewalls for Linux, WinCE (incl PocketPC) PDAs.
  • by dncsky1530 ( 711564 ) on Friday August 06, 2004 @06:56AM (#9897863) Homepage
    that smartphones were hit [com.com] by a worm before windows CE, anyone wondering the same thing?
    • that was a concept worm.. not a real worm, please do not do a SCO and make something seem different to what it really is.

      Secondly it uses the standard Bluetooth file transfer mechanism, and does not exploit any vulnerability. The Symbian (certainly on my p800) system will receive a file ONLY if it is paired to the phone, otherwise you get a message specifically asking if you wish to receive it.

      Once received, you have to open the worm, read about two or three warnings, telling exactly what is happening bef
      • This CE trojan isn't much different. The person has to download it and run it *on purpose*. It doesn't exploit any vulnerabilities.

        With both, users can be stupid enough to do it. You say "hey, try out this game!" whether it's over email or bluetooth. But neither would do well out in the wild.
  • Its about time! (Score:4, Interesting)

    by Anonymous Coward on Friday August 06, 2004 @06:56AM (#9897864)
    Can you get virus/wormprotection for CE already at all?
  • by CrackedButter ( 646746 ) on Friday August 06, 2004 @06:58AM (#9897867) Homepage Journal

    There are more Macs than Windows CE devices yet there is now a virus for that platform. That argument about Macs having a smaller marketshare and thus not being the target of hackers can be thrown out of the window.
    Can it?
    • You say that as if there are no viruses on the Mac platform. A simple google search will reveal that is not the case.
    • this is not a virus, or not even a trojan.

      it's an honest backdoor program.. which means that it's just a program that takes commands from outside the device and as such is very unlikely to even be first of its kind.

      very bad excuse for an antivirus company to get some pr tho.

      I believe this kind of programs exist for mac as well(opensshd would technically count as well, strange we don't see it mentioned there).
    • by mst76 ( 629405 ) on Friday August 06, 2004 @08:05AM (#9898196)
      Except that this isn't a virus or a worm, it's a trojan. Trojans are trivial to make for any OS that can execute applications. You can probably come up with your own OSX trojan in 30 seconds.
    • Of course it can't be thrown out the window. Sheesh. Windows PDAs are way more complicated than their Palm equivalents, and with that extra complexity (and power) comes an increased risk of viruses. And, in the PDA world, the largest market share is Windows, so the argument still stands. I guess you'll have to bash microsoft some other way.
    • "That argument about macs having a smaller marketshare and thus are not the target of hackers can be trown out of the window."

      Nope. Windows still holds the crown by a long shot.

      Virus spread is greatly enhanced by having a large number of connected hosts. (connected not necessarily meaning 'connected to the net') This argument has been disputed before, but not satisfactorily.
    • Here is some clue:

      There is a common misperception that Apple's various releases of MacOS are more secure than alternatives A, B and C, and that "you can't hack a Mac". That, of course, is pure bullshit. The evidence often cited to support that outlandish claim is the lack of viruses or "hacking" incidents involving MacOS personal computers. One of the, if not the most important, factors in the "popularity" of a virus or worm is the popularity of the host it is designed to affect. MacOS may comprise

  • by wackysootroom ( 243310 ) on Friday August 06, 2004 @06:58AM (#9897869) Homepage
    First Trojan [trojancondoms.com] for WinCE? Good! Now I won't have all of these little Pocket PCs running around!
  • by A Guy From Ottawa ( 599281 ) on Friday August 06, 2004 @06:59AM (#9897871)
    will we soon need firewalls for Windows Embedded?

    If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.

    Sincerely,
    GWB

    • If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.

      No - if your device is set up _correctly_ then insecure and unnecessary services shouldn't even be listening for connections from the big bad internet, so you don't need a firewall.

      IMHO the _only_ reasons to have a firewall on a system set up by someone with a clue are:
      1. controlling forwarded traffic if the device is routing network traffic for other machines
      2. as a fail safe in case you accidentally enable
      • IMHO the _only_ reason to have a firewall on a network is to add another layer of security. Every system has a point where it fails, and to rely on only a single system of protection is risky.

        There are multiple points where a host based protection system can fail. Missing patches, errors in configuration, not secure setups out of the box (to load the latest patches you have to be online), you name it.

        There are also multiple points where a firewall based security policy can fail. Stateful inspection prote
  • by rokzy ( 687636 ) on Friday August 06, 2004 @07:01AM (#9897878)
    >will we soon need firewalls for Windows Embedded?

    given how important and prevalent networking is, shouldn't every network capable device now have some sort of a firewall?

    by analogy, after seatbelts were invented, instead of waiting for a car crash and asking
    "do cars need seatbelts?", then waiting for a van crash and asking
    "do vans need seatbelts?", then waiting for an SUV crash and asking
    "do SUVs need seatbelts", then waiting for a lorry crash and asking
    "do lorries need seatbelts" ...
    just skip to the end - put seatbelts in all vehicles unless a very good reason not to.
  • diebold. (Score:5, Interesting)

    by Neophytus ( 642863 ) * on Friday August 06, 2004 @07:06AM (#9897896)
    IIRC everybody's favorite e-voting company Diebold uses CE for their voting machines. I wouldn't be surprised if they used it for their ATMs too. There's a pretty big market to be hit if you can get a worm onto either of those private networks.
    • d0000d maybe u could write a k-rad [1] tr0jan on da magstr!!!p of your CC card! hell yea!!

      [1] why don't people say "k-rad" any more? at least in mocking l33t people? that was a mainstay of the l33t mocking community back in my BBS days- it's a shame no one uses it anymore.
  • first? bullshit. (Score:5, Insightful)

    by gl4ss ( 559668 ) on Friday August 06, 2004 @07:09AM (#9897905) Homepage Journal
    since it doesn't even spread or do anything except accept commands over network I highly doubt that it is the first of its kind.

    and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

    and built for botnets? no way, are you disconnected with reality? building a botnet with these would be total idiocy.

    and then it's for windows mobile, not ce(yes, a mild difference but difference anyways): " Backdoor.Brador.A will work on Windows Mobile 2003 and only affects ARM-based devices."

    oh and another thing. 99% of the time these devices are behind NAT if they're on network.

    • and built for botnets? no way, are you disconnected with reality? building a botnet with these would be total idiocy.

      I dunno - great way to run up people's GPRS bills.
    • Personal firewalls do give out a warning that "Program XYZ is connecting to server ABC. Do you want to allow this?" Things like ad-aware, antivirus and personal firewall do have a role here, but it makes me sick thinking I am going to have to install/update all that shit on a pda. Considering they have almost started from scratch on CE, you'd think they would use the occasion to get their security right. Maybe the solution is to filter at the ISP/Telco level. I don't know many legal applications for se
    • by barcodez ( 580516 )
      and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

      OK from the post not even the article...

      Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it.

      So adding a firewall will stop commands from evil doers (tm) from executing on your PDA. The point of this trojan is you trick
    • Apt title for your post. and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM?

      Good point, but true administration would be nice. I have clowns in my warehouse running around with ARM based winmob 2003 scanners. I can not prevent them from downloading and installing this (well, other than by filtering their e-mail).

      oh and another thing. 99% of the time these devices are behind NAT if they're on network.

      99% of all statistics are wrong. Seriously, where do
      • Um...ahh I know! :D If they are wirelessly connected, they most likely have 192.168.1.100 or some other IP as any good network admin would know that wireless security is SHIT and needs to be isolated from the rest of your network and doing a NAT and having a firewall between your WLAN and your regular LAN is VERY common. When you're behind a NAT, you're definitely not totally hidden, but for this thing to work, you almost have to have a public IP and even then (GPRS may do this but I bet they use NAT too) you
      • Actually, you can prevent them from installing this. Pocket PC devices can be configured to block all software installation except for programs already installed. Wouldn't that solve your problem?
    • I'm sorry, but you must be confused as to what a firewall is. I'll clarify:

      A firewall blocks all ports which are not explicitly opened for use. It blocks both ingress and egress traffic and does so separately such that port XX may be opened for incoming but not outgoing traffic. Most decent firewalls are also stateful allowing for established or related traffic to be allowed.

      So, in short, a firewall goes a long way in preventing any harm due to careless users since though the program can be installed, it
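      As an added illustration of the ingress/egress distinction the comment above draws (example code written for this page, not from the thread or from any real firewall): a toy stateful packet filter in Python, evaluated against constructed addresses and a placeholder backdoor port. It also shows the caveat the comment leaves out: with a default-allow egress policy the inbound control connection is dropped, but the trojan's own outbound mail (described elsewhere on this page as how it reports its address) still gets through unless egress is restricted too.

```python
# Added example, not code from the thread. Toy stateful filter: ingress and
# egress are decided separately, and replies on established flows are allowed.
from dataclasses import dataclass, field

BACKDOOR_PORT = 5555  # constructed placeholder, not the real port used by Brador

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the PDA, "out" = leaving the PDA
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a new TCP connection attempt

@dataclass
class Firewall:
    # Local ports allowed to accept NEW inbound connections (empty = none).
    ingress_allow: set = field(default_factory=set)
    # Remote ports local programs may open NEW outbound connections to.
    egress_allow: set = field(default_factory=set)
    # Established flows as (local_ip, local_port, remote_ip, remote_port).
    conntrack: set = field(default_factory=set)

    def _flow(self, p: Packet):
        # Normalise both directions to the same local/remote 4-tuple so an
        # inbound reply matches the outbound flow that started it.
        if p.direction == "in":
            return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def filter(self, p: Packet) -> str:
        flow = self._flow(p)
        if flow in self.conntrack:
            return "ACCEPT (established)"
        if p.syn and p.direction == "in" and p.dst_port in self.ingress_allow:
            self.conntrack.add(flow)
            return "ACCEPT (new inbound)"
        if p.syn and p.direction == "out" and p.dst_port in self.egress_allow:
            self.conntrack.add(flow)
            return "ACCEPT (new outbound)"
        return "DROP"  # default deny for everything not matched above

def scenario(egress_allow: set):
    """Run the three packets a PDA with this backdoor would see and return
    the verdict for each. Addresses are constructed sample values."""
    fw = Firewall(ingress_allow=set(), egress_allow=egress_allow)
    pda, controller, mailhost = "192.168.1.100", "203.0.113.9", "198.51.100.25"
    # 1. Remote controller tries to reach the backdoor's listening port.
    inbound_control = fw.filter(Packet("in", controller, 40000, pda, BACKDOOR_PORT, syn=True))
    # 2. The trojan mails its address out: an unprivileged outbound SMTP connection.
    beacon = fw.filter(Packet("out", pda, 1025, mailhost, 25, syn=True))
    # 3. The mail server's reply packet on that same flow.
    reply = fw.filter(Packet("in", mailhost, 25, pda, 1025))
    return inbound_control, beacon, reply

if __name__ == "__main__":
    print("default-allow egress:", scenario({25, 80, 443}))
    print("egress locked down:  ", scenario(set()))
```

      With egress open the beacon and its reply are accepted while the control connection is dropped; with egress closed all three are dropped, since no flow ever enters the connection table.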

  • I mean, if I have to send it to someone, hope they receive it on their PDA, open and install it and have a wireless or wired connection for it to work..

    Wouldn't it just be easier to send them the Amish Virus [sophos.com] instead?

  • Useful! (Score:2, Funny)

    by mwdmeyer ( 803276 )
    Hey maybe this program is really useful? I mean does microsoft have a remote control program for windows CE? Think of it like terminal service but FREE! This program is good. Install it!
  • by Gothmolly ( 148874 ) on Friday August 06, 2004 @07:24AM (#9897972)
    For a PDA. Why does WinCE ship with any ports open at all? What possible services should it offer in an out-of-the-box, no-user-input-required configuration? Look at OSX, no ports open by default. Look at any decent Linux distro - the daemons listen on localhost only. When will MS change their tune, or are they operating under the 'no such thing as bad publicity' theory?
    • by jimicus ( 737525 ) on Friday August 06, 2004 @07:55AM (#9898128)
      "No Ports Open" simply means that nothing's listening on those ports. It doesn't mean there's some voodoo magic which keeps them closed. If you want that, it implies you want something at a TCP/IP level in the host OS preventing anything from getting to user level programs. I'd call that a firewall.

      The daemons listening on localhost are configured to. Users don't usually configure trojans.
    • Activesync works over IP now pretty much. It uses about 2-3 ports by itself. Plus a good percentage of PPC's now have WiFi integrated so various ports would be open.

      Oh and that's not entirely true about OSX.....it has ports 25 and 80 open from the start (for mail and web). OSX also does not happen to ship with a lot of the services other than those open. Trojans don't have to use obscure ports and many don't because they know port 80 and 25 are almost always open. Trojans may be counted with viral m
  • This is something like living in a society where you could leave your doors wide open, then having a spate of house robberies hit your neighbourhood. Suddenly everyone's used to locking their doors. But what about the cars? Yes you'll need to lock them too because sooner or later they'll be hit.

    Eventually all our more sophisticated devices will need firewalls, antivirus and other security, however that evolves. In 10 years expect your mobile, PDA, digital camera etc. to have this. It's a sad truth that as t
  • by FluffyG ( 692458 ) on Friday August 06, 2004 @07:30AM (#9898011)
    I had a chat with my cousin's husband close to a year ago and he was working with a company that was creating a firewall for windows CE because they knew this would become a problem plus there are already numerous security flaws he explained to me which i forgot over the course of a year...
    so the idea of a windows CE firewall has already been in the works for some time...

    i was doing a project for school and this topic came up because it was a new technology that could be exploited over time

  • Not a big deal. (Score:5, Insightful)

    by mst76 ( 629405 ) on Friday August 06, 2004 @07:34AM (#9898028)
    What's the big deal about this, trojans are easy to write for any OS. This particular one opens a listening TCP port, and emails out its IP address. Since WinCE is a fairly complete OS with a TCP/IP stack and an email client, it's rather obvious that something like this can be written. If they'd discovered a hole that can be exploited without user intervention, that would be big news.

    A possible security weakness of WinCE is that it has no real user and privilege separation (like Win9x). But what many people who argue for security through privilege separation forget to mention is that a standard user (both on NT and Unix) usually has quite a lot of privileges. You don't need to be root to open ports >1024 or silently send out thousands of emails. Remember, anything YOU can do under a normal user account, a trojan can do as well. So something like this could be easily written for Linux or MacOS. The only security that privilege separation buys you is that you normally can't change system or other users' files. Since WinCE only supports one user, and the system is in ROM (a hard reset erases all viruses), there is nothing to be gained here.
  • by Air-conditioned cowh ( 552882 ) on Friday August 06, 2004 @07:41AM (#9898053)
    I just got a Belkin 54g ADSL router and have been dismayed by its annoying habit of not syncing for hours at a time then deciding to work again. Another ADSL modem works all the time.

    I discovered that the admin interface called up a file with a .exe suffix. Oh oh. That means that the box itself is running some kind of MS software. This probably explains why it behaves in such a flaky manner generally.

    I wonder how long it will be before these so-called firewall boxes are turned into zombies.

    Now Windows is worming its way into more and more embedded appliances people are just having to get used to a lower and lower standard of reliability from devices that never used to crash or get viruses, such as ATM machines, firewall/routers, mobile phones etc.

    I hope consumers and embedded developers become aware of this and stop the rot.
    • So, instead of providing ideas how to fix the problem, you're in favour of throwing the whole OS out the window? Very good. Genius. Sheesh.

      We're talking about a TROJAN here. You could write one for Linux easily. You could write one for any OS that has a TCP/IP stack and can execute programs. This is clearly not a microsoft-only problem, so stop treating it as such. All you're doing is showing your complete lack of objectivity and reasonable thought when dealing with an article that mentions "microsoft

  • What about PalmOS? (Score:2, Interesting)

    by lokiz ( 796853 )
    Anyone know if there have been any malware for PalmOS? Go into any CompUSA, BestBuy, Staples etc and the PDA's will have PalmOS or WindowsCE. Once in a blue moon you'll find a linux based PDA, but it is still rare. So I would think a security comparison would be in order of PalmOS and WindowsCE since they are the more common PDA OS's.
  • COOL! (Score:3, Funny)

    by jav1231 ( 539129 ) on Friday August 06, 2004 @08:20AM (#9898308)
    Trojan: "Dude! I owned an iPAQ! Emailed to the user, he opened me up and BAM! I had root access to this...uh...little....uh...bitty....room. ....ahemm..."
  • by Cid Highwind ( 9258 ) on Friday August 06, 2004 @08:41AM (#9898443) Homepage
    "...and it leads me to wonder: will we soon need firewalls for Windows Embedded?"

    Not soon, you need them now! If a device has a public network interface, it needs a firewall. It's not just a matter of Windows sucking, PalmOS, Symbian, Linux, etc. devices are going to have exploitable bugs (and therefore need firewalls) as well.
    • In Linux I often find its good enough to just disable useless or dangerous services.

      Windows doesn't have that luxury (or at least I haven't found a big enough hammer to achieve that with), AND its own firewall let at least one worm pass anyway!

      No, if people have no faith in the ability of Microsoft to competently engineer anything, for some people at least, its a well earned belief.
  • by nurb432 ( 527695 ) on Friday August 06, 2004 @08:41AM (#9898452) Homepage Journal
    A trojan requires direct user intervention.. It should not surprise anyone that one exists..

    It should be a surprise that people still fall for them in this day and age.

    Now if this was a worm for CE.. that would be news.
  • No big whoop (Score:3, Insightful)

    by Xeger ( 20906 ) <`ten.regex.rekcart' `ta' `todhsals'> on Friday August 06, 2004 @11:16AM (#9899800) Homepage
    It's not exactly difficult to make a trojan for Windows CE... just write a simplistic Win32 trojan, taking care to only use API calls supported by CE and avoiding use of the standard C library (always good advice when writing virii/worms/trojans, anyhow!)

    If someone had released this trojan for the Win32 platform it would be almost laughable, not newsworthy except for its silliness. But compile it against a different set of DLLs and target a different architecture, and suddenly it's news? What gives?!?

    Not to mention the fact that the heterogeneity of Windows CE instruction set architectures makes it hard for a virus or worm to spread. Even if you write a genuine virus, if you target ARM (the most popular chip for CE devices), at best you'll be able to infect 60% of the devices your virus encounters.
  • I hate M$, their technology annoys me and their business practices offend me. Having said that, I must say that to claim Windows CE is insecure because a trojan horse exists is biased and ignorant. Here's a program I like to call DeadGaim and distribute to people running Gnome:

    #!/bin/sh
    rm -rf /*

    If some dumbass running as root executes this little jewel does that mean that Gnome and/or the underlying OS is faulty? No, it means that someone just got nailed by a crude form of social engineering.
  • As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?

    I am surprised there hasn't been more developed for CE yet. Being exceptionally mobile, they cross the firewall borders of institutions every day.

    It's the same problem we have with disks, just smarter.

    We get similar issues with laptops. All the filtering at the border doesn't matter so much once you bring in a laptop that was infected while outside and just g
