Energizer USB Battery Charger Software Infects PCs 260
swandives writes "Researchers at US-CERT have warned that software accompanying the Energizer DUO USB battery charger contains a Trojan that gives hackers total access to a Windows PC. The product was sold in the US, Latin America, Europe and Asia starting in 2007. Upon installation, the software creates the file 'Arucer.dll,' a Trojan that listens for commands on TCP port 7777. Upon receiving instructions, the Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry. Uninstalling the software disables the automatic execution of the Trojan. Users can also remove Arucer.dll from Windows' system32 directory and reboot the machine to disable the backdoor component."
Re:Near Anagram for Duracell (Score:5, Informative)
There have been reports of Arucer.dll utilizing 100% CPU as far back as mid 2007. It was originally included by Energizer and used to check that the device was indeed connected to the machine.
They aren't sure how long dll has been infected, but all signs point to the entire time (back to May 2007). Considering how many forum posts have issues with the dll going back 2.5 years, you'd think someone would have figured it out long ago.
Re:Software?! (Score:3, Informative)
If an item just needs re-charging via USB I have been just plugging them into a powered USB hub.
I do it as an energy saving scheme, no need to keep the computer on just to recharge a device.
If the device is just recharging it doesn't need the computer to tell it when its done.
Re:Software?! (Score:3, Informative)
Wrong. A device can only receive up to 100mA without asking for it (like a keyboard, mouse, etc.) The USB spec calls for a 500mA maximum. Many usb devices need more and use 2 ports (like external 2.5" hdds).
Re:Software?! (Score:3, Informative)
> I always wondered, with the sheer amount of portable devices which charge
> over USB nowdays, why not put some manner of standardized charge reporting
> into the specs of the next version of USB
You'd be surprised how lax are the implementations to "standards". I've worked with both USB memory sticks for .mp3s and Bluetooth phones, and the code to handle them is a morass of special cases per manufacturer. Not including the version number differences. That's within the same interface version.
Implement "just the spec" and be damned with any mfr. who doesn't work correctly, and suddenly you've lopped off 55% or more of the devices out there. Your client OEM won't be too happy.
That's a feature (CPO) (Score:1, Informative)
Actually, that's a feature also referred to as "Certified Pre-Owned" [attrition.org].
Re:Near Anagram for Duracell (Score:4, Informative)
Since when has determining your processor utilization been considered basic competency? Get off you high horse.
I think it's intellectually dishonest to mention processor utilization as though that were the only possible way. I notice this frequently, that people are often rather eager to excuse and defend incompetent users out of some misguided sympathy for them. Real compassion for them would mean teaching, explaining, and providing good references for their edification. It would not mean excusing their failures or sugarcoating their incompetence. Any literate adult can achieve competency with a computer, and most problems that make the network a worse place for everyone directly involve users who lack knowledge, so why the "get off your high horse" spite towards those who expect better?
If anything, I think the "high horse" is the belief that users will always be ignorant, will always be victims of these security issues, and can never overcome them. It is not the belief that they can and should overcome them. That's especially evident to me when you have to (intentionally or otherwise) zero in on one particularly unlikely means of detection because you think ignoring other possibilities helps your case. This is known as confirmation bias, incidentally. In response, I'll give you a plausible scenario for which CPU utilization need not be measured.
I'll give another scenario under which this could have been detected. Here, when I say "firewall", I refer to Komodo, ZoneAlarm, and other software firewalls that are commonly available for Windows and/or free of charge, and are installed on millions of machines.
Running a firewall that could have alerted the user to suspicious/unprompted network activity is basic competency, right up there with running a virus scanner and an anti-spyware scanner. For Windows, these tools can be regarded as "maintainence", and anyone who operates a machine without correctly maintaining it (personally or by seeking help) cannot be rightly called competent. Now, basic competency may or may not correctly interpret that network activity, but that doesn't matter. It doesn't take computer expertise to say "hey, this firewall keeps asking me about things I don't understand and did not set up myself, so maybe I should get this computer looked at by a techie." At that point you're no longer talking about average users and whether they can achieve competency.
An AutoStart Fix for Windows XP and W2K (Score:5, Informative)
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Value Name: NoDriveTypeAutoRun
Type: REG_DWORD
Value: hex: 0x03fffffff
Re:Near Anagram for Duracell (Score:5, Informative)
Since about the time Windows came out with their Task Manager. Basic competency. Very basic. No one suggests that finding the executable, and disassembling it to find out what makes it tick is part of basic competency, but opening task manager to see which of your 97 active processes is using all of your computer time is indeed "basic".
Detect it with Nmap (Score:4, Informative)
I spent the morning reverse engineering the Trojan and wrote an Nmap script to detect if a remote system is infected. Hope it helps out: http://www.skullsecurity.org/blog/?p=563 [skullsecurity.org].
Ron
Re:Software?! (Score:3, Informative)
Re:Detect it with Nmap (Score:3, Informative)
Yeah, the simple xor 'encryption' is pretty oldschool. I can't believe I didn't notice that right away myself. I didn't see it till I started looking at the send/recv functions.
As to the CLSID, good thought, but no -- the CLSID isn't a real CLSID, it's just a way of identifying its own commands. Basically, it's a list of if(!strcmpi(command, "clsid1")) { do_this() } elseif(!strcmpi(command, "clsid2")) { do_that() } etc.
It only has those 9 or so CLSID's included, and if it isn't on the list the command is simply discarded.
And for what it's worth, the initial "'\x00\x00\x00" that you're seeing is a length (0x27 = the length of the CLSID = ').