Installation and Autostart Technique
This is the detection for the server component of WINCE_BRADOR.A. This backdoor program allows its client component to control an infected system, which is a Pocket PC with the ARM architecture running Windows CE. It is the first backdoor known to run on the Windows CE platform.
It arrives on a Pocket PC system when it is manually sent via email, Bluetooth, Infrared, or over any other connection between the Pocket PC and another Windows CE device.
Upon execution, it attempts to create a copy of itself as the file SVCHOST.EXE in the \Windows\Startup folder.
All files located in this folder automatically run at every system startup. If the file already exists, the backdoor proceeds to initiate its connection with the client component. The dropped file can be seen using File Explorer.
This backdoor program uses an unusual approach when dropping a copy of itself into the \Windows\Startup folder. The malware author needed this approach because Pocket PCs are memory-based systems on which the image of a running program cannot simply be read back and copied.
It first creates the file SVCHOST.EXE without any data and then fills it in chunks of 1024 bytes. An exact copy of the first 1024-byte chunk, which contains the MZ header, is embedded in the malware body; the backdoor writes this embedded chunk first and then appends the rest of its own image afterwards.
The dropped copy therefore looks slightly different from the original: run-time data such as file handles and socket handles, which are present in the in-memory image, are apparently copied along with the code during this process.
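As an added example (not part of the original analysis), the following Python helper lets an analyst check whether a file recovered from \Windows\Startup is a chunk-rebuilt copy of a known reference sample: the first 1024-byte chunk (the MZ header) must be byte-identical, and the remaining differences should be limited to the few bytes the text attributes to copied handle values. The sample bytes are constructed for the demonstration.

```python
# Added example, not from the original analysis: compare a dropped copy against a
# reference sample in the same 1024-byte chunks the backdoor uses when rebuilding itself.
from typing import Dict, List, Tuple

CHUNK_SIZE = 1024   # size of each chunk the backdoor writes
MZ_MAGIC = b"MZ"    # start of an executable image header


def compare_chunks(reference: bytes, dropped: bytes,
                   chunk_size: int = CHUNK_SIZE) -> Dict[int, List[int]]:
    """Map each differing chunk index to the absolute offsets of the differing bytes.
    Bytes present in only one of the two files also count as differences."""
    diffs: Dict[int, List[int]] = {}
    longest = max(len(reference), len(dropped))
    for start in range(0, longest, chunk_size):
        ref_chunk = reference[start:start + chunk_size]
        drop_chunk = dropped[start:start + chunk_size]
        if ref_chunk == drop_chunk:
            continue
        offsets = [start + i for i, (a, b) in enumerate(zip(ref_chunk, drop_chunk)) if a != b]
        shorter = min(len(ref_chunk), len(drop_chunk))
        offsets.extend(range(start + shorter, start + max(len(ref_chunk), len(drop_chunk))))
        diffs[start // chunk_size] = offsets
    return diffs


def is_rebuilt_copy(reference: bytes, dropped: bytes, max_diff_bytes: int = 64) -> bool:
    """Heuristic: same length, MZ magic present, header chunk identical, and only a
    small number of differing bytes elsewhere (the handle values copied from memory)."""
    if len(reference) != len(dropped) or not dropped.startswith(MZ_MAGIC):
        return False
    diffs = compare_chunks(reference, dropped)
    if 0 in diffs:  # the embedded header chunk is written verbatim, so it must match
        return False
    return sum(len(v) for v in diffs.values()) <= max_diff_bytes


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed reference sample and a dropped copy with two patched bytes."""
    reference = MZ_MAGIC + bytes(CHUNK_SIZE - 2) + b"A" * CHUNK_SIZE + b"B" * CHUNK_SIZE
    dropped = bytearray(reference)
    dropped[1500] ^= 0xFF   # stand-ins for handle values that changed in memory
    dropped[2100] ^= 0xFF
    return reference, bytes(dropped)


ref, drop = build_samples()
print(compare_chunks(ref, drop))   # {1: [1500], 2: [2100]}
print(is_rebuilt_copy(ref, drop))  # True
```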
This backdoor program is the server component of a backdoor package. Its client component can control the infected system once a connection is established.
Once installed on the system, it opens an SMTP connection on TCP port 25 and sends the IP address of the infected system to an email address specified by the malware author. This email notification contains the following details:
<IP address of the infected system>
After it sends out the notification, it opens TCP port 2989 (0xBAD in hexadecimal) and listens for the client. Once a connection is established, the server component responds by sending the following text string:
It then waits for commands from the client component. Each command is a single letter, and each letter corresponds to a particular action:
- d - lists the files in a folder
- g - uploads a file
- r - runs a program or an operating system command
- p - downloads a file
- m - displays a message box
- f - closes the established connection and sends the following text string to the client component:
However, even after the session is closed, this backdoor remains running in memory because of an endless loop.
The email addresses to which this backdoor program sends its notifications point to Russian domains.
Analysis by: Reginald Wong and Imelda Yap