I have always been sort of fascinated with the way that antivirus firms can receive a virus attachment or trojan and within a couple of hours have a patch repairing said virus. How exactly do they get into the code? How do they figure out what's going on and the payload of the thousands of reported viruses each year? Well, by way of Geekzone we saw Reverse-Engineering the First Pocket PC Trojan (Part 1 and 2). This article seems to provide a pretty detailed analysis on how you or I could become virus super sleuths using hex editors and some searching tools of our own. "The first step to reverse-engineering a malicious binary is to see what you can find out about it online. When the Brador Trojan first made headlines, it was sensationalized as being a widespread threat, which it really wasn't. Many of the larger antivirus companies that analyzed Brador later changed their descriptions of this Trojan (take a look at some of the change logs for more details). Brador may not be as widespread as originally thought, but it certainly is a threat that can be difficult for a beginner to detect and remove.
Before we dive into the full reverse-engineering process, we take a quick look at the binary using a hex editor. (Many free hex editors are available online.) As Figure 1 shows, the author's email address (brokensword@ukr.net) is included in the Trojan code. This Trojan implements an SMTP-based notification system that sends the victim's details to the author's email address. This email address is the key to the origins of this Trojan. Traced back, this email address originates from Russia, giving us a starting point for our search. Knowing that the Trojan originated in Russia and knowing the email address gives us enough information to begin uncovering the birthplace and author of this Trojan."
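The hex-editor step the quoted article describes (spotting an embedded email address and SMTP commands in the binary) can be scripted for triage. The following is an added example, not code from the article or the post; the byte string it scans is a constructed stand-in with a few planted strings, not the real Brador sample.

```python
import re

# Constructed sample "binary" (not the real Trojan's bytes): junk bytes with
# a few printable strings planted where a hex editor would reveal them.
# coredll.dll is the Windows CE system library a Pocket PC binary imports.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02HELO pocketpc\r\n\x00\x00\x07\x11"
    b"MAIL FROM:<brokensword@ukr.net>\x00\x99\x12\x00"
    b"\x00\x00RCPT TO:\x00\x00coredll.dll\x00\x00\xde\xad"
    b"\x00\x00\x00smtp.example.invalid\x00\x00ab"  # "ab" is below min_len
)

# Loose email pattern: enough to flag addresses for a human to confirm.
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# SMTP verbs a mailer-style notification routine would carry as literals.
SMTP_VERBS = (b"HELO", b"EHLO", b"MAIL FROM", b"RCPT TO", b"DATA")


def extract_strings(blob, min_len=4):
    """Return (offset, bytes) pairs for runs of printable ASCII, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(blob)]


def triage(blob):
    """Summarise strings of interest: email addresses and SMTP verbs, with offsets."""
    findings = {"emails": [], "smtp": []}
    for offset, s in extract_strings(blob):
        for m in EMAIL.finditer(s):
            # Offset of the address itself, not of the enclosing string.
            findings["emails"].append((offset + m.start(), m.group().decode()))
        if s.startswith(SMTP_VERBS):
            findings["smtp"].append((offset, s.decode()))
    return findings


if __name__ == "__main__":
    for off, s in extract_strings(SAMPLE):
        print(f"0x{off:04x}: {s.decode()}")
    result = triage(SAMPLE)
    print("emails:", result["emails"])  # [(49, 'brokensword@ukr.net')]
    print("smtp:", result["smtp"])
```

Offsets are what you would jump to in the hex editor to inspect the surrounding bytes; on a real sample, run the same pass over the file's bytes read in binary mode.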