Energizer USB Battery Charger Software Infects PCs

swandives writes "Researchers at US-CERT have warned that software accompanying the Energizer DUO USB battery charger contains a Trojan that gives hackers total access to a Windows PC. The product was sold in the US, Latin America, Europe and Asia starting in 2007. Upon installation, the software creates the file 'Arucer.dll,' a Trojan that listens for commands on TCP port 7777. Upon receiving instructions, the Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry. Uninstalling the software disables the automatic execution of the Trojan. Users can also remove Arucer.dll from Windows' system32 directory and reboot the machine to disable the backdoor component."
  • Software?! (Score:5, Insightful)

    by dch24 ( 904899 ) on Monday March 08, 2010 @12:52PM (#31401912) Journal
    Why does a USB-powered charger need software at all?

    It's called a DUO because it can plug into the wall or into a computer. So it works without a computer. To get the computer to jack up the USB power output from the default 100mA, the device could identify itself as a hub -- no software required.

    I get it that the software can monitor charging, report stuff, advertise... But how does Energizer feel now, with egg on their faces?
  • Re:Software?! (Score:4, Insightful)

    by Shakrai ( 717556 ) on Monday March 08, 2010 @12:59PM (#31401990) Journal

    Why does a USB-powered charger need software at all?

    The question is why does it need software that listens for commands from the mothership?

  • Re:Software?! (Score:3, Insightful)

    by DIplomatic ( 1759914 ) on Monday March 08, 2010 @01:00PM (#31402010) Journal
    But how is Energizer supposed to let you know of amazing offers on things to buy without installing software???
  • Re:Software?! (Score:2, Insightful)

    by gzipped_tar ( 1151931 ) on Monday March 08, 2010 @01:03PM (#31402052) Journal
    Because hacking customers' machines is profitable?
  • by ircmaxell ( 1117387 ) on Monday March 08, 2010 @01:06PM (#31402090) Homepage
    It just goes to show you that you can't trust anything that you plug into a computer...

    I mean seriously, drivers? For a battery charger? Unless they wanted to display a nifty "charge progress indicator" in the OS... But even then, do they not have a code review before it gets flashed onto the chip?
  • Re:Software?! (Score:4, Insightful)

    by magus_melchior ( 262681 ) on Monday March 08, 2010 @01:22PM (#31402282) Journal

    Another commenter notes that the language code of the trojan is Chinese.

    I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state who is known to employ hackers.

  • by LaminatorX ( 410794 ) <sabotage&praecantator,com> on Monday March 08, 2010 @01:24PM (#31402312) Homepage

    Or rather: Duracell®

  • by discorob3 ( 1479279 ) on Monday March 08, 2010 @01:24PM (#31402318)
    yes, but the people who are responsible for this are not "hackers" but criminals....
  • by spagthorpe ( 111133 ) on Monday March 08, 2010 @01:30PM (#31402414)

    I would kind of guess "Made In China", and the special edition to the software could easily have been added at this phase. It makes you start to wonder about a lot of products made there, and what they could also be doing. Even something like a motherboard could have all kinds of things going on at a very low level, and who would have a clue?

  • Re:Sometimes (Score:3, Insightful)

    by 1s44c ( 552956 ) on Monday March 08, 2010 @01:33PM (#31402470)

    No version for linux is a good thing.

    Maybe the malware will run in wine. But why does it run anything? It doesn't need any form of software, it just needs to draw power from USB.

  • Re:Software?! (Score:3, Insightful)

    by causality ( 777677 ) on Monday March 08, 2010 @01:34PM (#31402486)

    Another commenter notes that the language code of the trojan is Chinese.

    I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state who is known to employ hackers.

    I think that would rule out the USA as well, at least at the federal level.

  • Re:Told you so (Score:5, Insightful)

    by Myopic ( 18616 ) on Monday March 08, 2010 @01:43PM (#31402614)

    No no, it didn't seem safe at the time. Everyone who didn't have their head inside their keister knew it was a gaping security hole.

    Golly, I wish some of those people worked at Microsoft.

  • by toastar ( 573882 ) on Monday March 08, 2010 @01:43PM (#31402616)

    you think the Term 'hacker' and the term 'criminal' are mutually exclusive? I know we spent a decade trying to show the world they are different, but even a technically skilled criminal can be a hacker.... he just has to wear a black hat while he does his deed.

  • by wjousts ( 1529427 ) on Monday March 08, 2010 @01:43PM (#31402618)
    Since when has determining your processor utilization been considered basic competency? Get off your high horse.
  • by grahamsz ( 150076 ) on Monday March 08, 2010 @01:56PM (#31402776) Homepage Journal

    I'd say that determining your fuel utilization is basic competency for driving a car

  • by jellomizer ( 103300 ) on Monday March 08, 2010 @02:33PM (#31403252)

    In many ways we are all guilty of being ignorant in one area or another. However saying someone is stupid for not knowing how to do something or even look up how to do it is rude and unwarranted.

    I have seen and met a lot of people who wouldn't know or even know to check the CPU usage on their PC however they are actually very smart and intelligent individuals. Why? Because they really could care less about their computer. It is an appliance for them, it does what they want it to do. It is using 100% cpu while it is charging a battery so be it, it must be part of normal operations. They have other things to worry about. We as "Computer People" do care about stuff like that so we keep an eye on things such as CPU speed. When my PC runs slow or just doesn't feel right I check the CPU Usage and what processes are running, that could be causing the trouble.

  • by gparent ( 1242548 ) on Monday March 08, 2010 @02:33PM (#31403254)
    Except you don't have to keep pumping money into CPU time. You just plug it in and it raises the power bill, which is normal because it's a computer.
  • Interesting... (Score:4, Insightful)

    by clone53421 ( 1310749 ) on Monday March 08, 2010 @02:34PM (#31403276) Journal

    It gives hex dumps of some of the commands. (Since some of them would obviously require arguments, they clearly can’t be full packets, but they’re signatures of each particular packet.)

    All of them follow this pattern:
    C2 E5 E5 E5 9E
    8 bytes that are different for each command
    C8
    4 bytes that vary
    C8 D1
    3 bytes that vary
    C8
    4 bytes that vary
    C8
    12 bytes that vary
    98 E5

    Graphing the sequences [dumpt.com] showed very obvious trends: Lots of values clustered in approximately the 155-170 range, and lots in the 200-220 range. Also, the 3-byte field that is different for every command has a different clustering pattern.

    XORing the patterns with 0-255 yielded the following at 229:
    '\0\0\0{98D958FC-D0A2-4f1c-B841-232AB357E7C8}\0
    '\0\0\0{F6C43E1A-1551-4000-A483-C361969AEC41}\0
    '\0\0\0{783EACBF-EF8B-498e-A059-F0B5BD12641E}\0
    '\0\0\0{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}\0
    '\0\0\0{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}\0
    '\0\0\0{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}\0
    '\0\0\0{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}\0

    Now, colour me surprised, but those look a damn awful lot like CLSIDs...

    VERY INTERESTING.
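
Added example, not part of clone53421's comment or of the US-CERT material: a Python sketch of the single-byte XOR search the comment describes, run against the 43-byte pattern it lists. The sample payload is constructed by re-encoding the first decoded string above; the names `find_key` and `matches_signature`, and the reading of the leading 0x27 as a length, are assumptions of this example.

```python
import re

KEY_FROM_COMMENT = 229  # 0xE5, the value the comment reports

# Offsets of the bytes the comment lists as constant across all commands.
FIXED = {0: 0xC2, 1: 0xE5, 2: 0xE5, 3: 0xE5, 4: 0x9E, 13: 0xC8, 18: 0xC8,
         19: 0xD1, 23: 0xC8, 28: 0xC8, 41: 0x98, 42: 0xE5}
SIG_LEN = 43  # 5 + 8 + 1 + 4 + 2 + 3 + 1 + 4 + 1 + 12 + 2

# Decoded layout: one length byte, three NULs, a braced GUID, a NUL.
DECODED = re.compile(
    rb"(.)\x00\x00\x00"
    rb"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\x00",
    re.DOTALL)

def xor(data, key):
    return bytes(b ^ key for b in data)

def matches_signature(payload):
    """Check the raw, still-encoded bytes against the fixed positions."""
    return len(payload) >= SIG_LEN and all(payload[i] == v for i, v in FIXED.items())

def find_key(payload):
    """Try all 256 single-byte keys on the first 43 bytes.

    Returns (key, guid) for every key whose output fits the decoded layout.
    Assumption of this example: the first byte is a length equal to the
    GUID string plus its terminating NUL (0x27 == 39 == 38 + 1).
    """
    hits = []
    for key in range(256):
        m = DECODED.fullmatch(xor(payload[:SIG_LEN], key))
        if m and m.group(1)[0] == len(m.group(2)) + 1:
            hits.append((key, m.group(2).decode("ascii")))
    return hits

# Constructed sample: the first decoded string from the comment, re-encoded.
SAMPLE = xor(b"\x27\x00\x00\x00{98D958FC-D0A2-4f1c-B841-232AB357E7C8}\x00",
             KEY_FROM_COMMENT)

if __name__ == "__main__":
    print(SAMPLE.hex(" ").upper())
    print(matches_signature(SAMPLE), find_key(SAMPLE))
```

The constant D1 at offset 19 decodes to '4', the version digit of a random (version 4) GUID, which is why it is identical in all seven decoded strings. Only key 229 can turn the three E5 bytes after the first byte into NULs, so the search returns a single hit.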

  • by Bakkster ( 1529253 ) <Bakkster.manNO@SPAMgmail.com> on Monday March 08, 2010 @03:40PM (#31404116)

    A driver should be aware of their fuel economy, but it's more likely the job of a specialist to determine why the fuel economy has changed. Knowing if the difference is due to the air filter/oil filter/radiator/spark plug/exhaust/fuel filter, or any of the other parts which could cause this problem is generally left to someone knowledgeable. The end-user should only be expected to notice the issue and request help, which it seems many did by requesting assistance on the company forums.

  • by multisync ( 218450 ) on Monday March 08, 2010 @04:22PM (#31404730) Journal

    you think the Term 'hacker' and the term 'criminal' are mutually exclusive?

    No, but neither are the terms "accountant" and "embezzler," or "journalist" and "liar," or "priest" and "pedophile."

    The problem with using the term "hacker" is as soon as you throw that term in to the conversation, it takes the spotlight off of the party that is actually responsible.

    So Sony puts a root kit on your machine that could allow "hackers" to get control of it, it's those damn "hackers" who are the problem, not Sony. Perhaps not the best example to give, since Sony was heavily criticized for their actions (at least on Slashdot); but how many times have we seen stories about public servants losing laptops full of unencrypted information reported as "hackers could be accessing your private information."

    The problem isn't some mythical "black hat" pounding furiously away at the keyboard as graphic images swirl around his head, it's that companies and government agencies are not taking due care with people's private information, and frequently take liberties with their customers' property that would be considered criminal if it was your physical property they were abusing. Invoking the phrase "hacker" lets the real parties who are responsible off the hook.

    In this case, I would be interested in knowing why Energizer has no idea how this trojan got in to their charger in the first place, and whether it was truly the work of a nefarious black hat, or a misguided attempt by the company to keep tabs on how customers are using their product.

    Who knows, but as long as the focus is on "hackers" exploiting this trojan, rather than how it got bundled with the charger in the first place, it's unlikely we'll get the real story, or that the people who were really responsible will face any consequences.

  • by WindBourne ( 631190 ) on Monday March 08, 2010 @05:51PM (#31405954) Journal
    1. You have fools that run Windows.
    2. We have idiots that have sent all the work to China.
    3. We have fools that buy this junk and then will blame the crackers in China that are paid to do this, rather than blame themselves, or the companies that sent the work there in the first place.

    Personally, I would like to see some of these Windows ppl SUE Energizer and other companies for selling the products that infect their machines. Force them to pay out 10-100x what they made in profit. Once western companies realize the high costs of doing business there, then and only then will they stop.

  • by wronskyMan ( 676763 ) on Tuesday March 09, 2010 @01:41AM (#31410278)
    The only reason the USB connection is needed is to provide the +5V power. At work, there were computers set to disable USB storage - and to report any attempts to the admins - since flashdrives etc were banned for these same security concerns. Had some small video cameras that needed recharging; 30 seconds with a pair of wire cutters and electrical tape resulted in a USB cable containing only the power and ground wires (no ability whatsoever for data to make it through). Sounds like this is what Energizer needs to do. There is no need for data transfer in a battery charger, and extra wires put in by a rogue factory are a lot easier to detect than malicious code.
