Investigation Continues Into Malware In Battery Charger Software

The backdoor Trojan bundled with software for the Energizer Duo USB battery charger may have been active for nearly three years, security researchers have found. According to Symantec’s analysis, there is evidence that the Trojan dates back to 10 May, 2007.

“It’s really impossible to say for sure that this Trojan has always been in the USB charger-monitoring software, but the creation date in the Trojan binary’s header indeed states that it was created back in May 2007,” noted Dean Turner, director of Symantec’s Global Intelligence Network. “This would imply that the Trojan was most likely created back in 2007; however, there is a possibility that the time and date were set wrong on the computer that was used when the binary source files were compiled.”

Regardless of when it was created, its discovery prompted Energizer to announce on 5 March that it was discontinuing the sale of the product and removing the site from which the software could be downloaded. In addition, the company is urging consumers who downloaded the Windows version of the software to uninstall it.

Energizer did not say how the backdoor made its way into the software. However, it is not unheard of for attackers to hide malware inside products. For example, researchers at Kaspersky Lab in 2009 uncovered three pieces of malware on a brand-new M&A Companion Touch netbook the company had purchased to run compatibility tests.

An advisory by US-CERT explained, “The installer for the Energizer Duo software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component … UsbCharger.dll executes Arucer.dll … and it also configures Arucer.dll to execute automatically when Windows starts.”

The problem—Arucer.dll is a backdoor that allows unauthorized remote system access via TCP port 7777. “An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs,” the US-CERT advisory said. “The backdoor operates with the privileges of the logged-on user.”

Users can go into the Windows system32 directory and delete the Arucer.dll file to address the issue, though the system may need a restart before the file is officially removed. Alternatively, users can remove the Energizer UsbCharger software: “The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present,” US-CERT said.

Furthermore, “Blocking access to [port] 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor.” In addition, the US-CERT advisory includes Snort rules that “can be used to detect network traffic related to this backdoor.”