
Energizer USB Battery Charger Software Infects PCs 260

Posted by Soulskill
from the bad-bunny dept.
swandives writes "Researchers at US-CERT have warned that software accompanying the Energizer DUO USB battery charger contains a Trojan that gives hackers total access to a Windows PC. The product was sold in the US, Latin America, Europe and Asia starting in 2007. Upon installation, the software creates the file 'Arucer.dll,' a Trojan that listens for commands on TCP port 7777. Upon receiving instructions, the Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry. Uninstalling the software disables the automatic execution of the Trojan. Users can also remove Arucer.dll from Windows' system32 directory and reboot the machine to disable the backdoor component."
  • Interesting that Arucer.dll is (aside from an extra 'r') an anagram for Energizer's competitor Duracell [wikipedia.org]. Perhaps the authors of the software thought Duracell was spelled 'Durracell'? And perhaps they decided to pick an anagram of the competitor to make it look as though Duracell is behind this?
    • by Jazz-Masta (240659) on Monday March 08, 2010 @01:05PM (#31402072)

      There have been reports of Arucer.dll utilizing 100% CPU as far back as mid 2007. It was originally included by Energizer and used to check that the device was indeed connected to the machine.

      They aren't sure how long the dll has been infected, but all signs point to the entire time (back to May 2007). Considering how many forum posts have issues with the dll going back 2.5 years, you'd think someone would have figured it out long ago.

    • by CaptnMArk (9003) on Monday March 08, 2010 @01:20PM (#31402254)

      Duracell(r)

    • by Anne_Nonymous (313852) on Monday March 08, 2010 @02:47PM (#31403442) Homepage Journal

      They should all be charged with assaulting battery!

      -rimshot-

  • Heck, I can't figure out how to disable half the auto-runs on my sister's laptop.

    These guys definitely know what they're doing :)

  • Software?! (Score:5, Insightful)

    by dch24 (904899) on Monday March 08, 2010 @12:52PM (#31401912) Journal
    Why does a USB-powered charger need software at all?

    It's called a DUO because it can plug into the wall or into a computer. So it works without a computer. To get the computer to jack up the USB power output from the default 100mA, the device could identify itself as a hub -- no software required.

    I get it that the software can monitor charging, report stuff, advertise... But how does Energizer feel now, with egg on their faces?
    • Re:Software?! (Score:4, Insightful)

      by Shakrai (717556) on Monday March 08, 2010 @12:59PM (#31401990) Journal

      Why does a USB-powered charger need software at all?

      The question is why does it need software that listens for commands from the mothership?

    • Re: (Score:3, Insightful)

      by DIplomatic (1759914)
      But how is Energizer supposed to let you know of amazing offers on things to buy without installing software???
      • by Shakrai (717556)

        But how is Energizer supposed to let you know of amazing offers on things to buy without installing software???

        They could do that with software that doesn't LISTEN for INCOMING connections....

        • But you'd waste so much bandwidth that way if it has to poll the ad server every few seconds so you don't miss one important announcement that could change your life!

    • Re: (Score:2, Insightful)

      by gzipped_tar (1151931)
      Because hacking customers' machines is profitable?
    • But how does Energizer feel now, with egg on their faces?

      Only appropriate, given that their mascot is a bunny.

    • Re:Software?! (Score:4, Interesting)

      by Captain Spam (66120) on Monday March 08, 2010 @01:11PM (#31402154) Homepage

      I get it that the software can monitor charging, report stuff, advertise...

      I always wondered, with the sheer amount of portable devices which charge over USB nowadays, why not put some manner of standardized charge reporting into the specs of the next version of USB, so that we don't need to bother with nonsense like installing a new program or drivers for each device just to monitor its charging on the computer (or whatever charger), if we do want monitoring and such? That way, we could just tack a charge indicator onto whatever the OS or windowing system uses to track connected USB devices, instead of X amount of additional programs displaying it in any variety of mismatched ways.

      I mean, I'll grant that many devices just report their own charge on their own respective screens, so for things like phones or whatnot, it might not be that useful. Plus, my suggested scheme would quickly get shot down by companies like Energizer in this case when they realize revenue stream conduits^W^W^W customers wouldn't have a reason to install "special" drivers and programs loaded with ads...

      Oh, yeah. That IS why it wouldn't get adopted. Hrm.

      • They could still provide a spec-compliant adware client to their customers if they so chose.

      • Re: (Score:3, Informative)

        by Jeng (926980)

        If an item just needs re-charging via USB I have been just plugging them into a powered USB hub.

        I do it as an energy saving scheme, no need to keep the computer on just to recharge a device.

        If the device is just recharging it doesn't need the computer to tell it when its done.

        • by hedwards (940851)
          I purchased a Sennheiser bluetooth headset, and it includes a USB charging cable and a wall adapter to plug it into. Additionally the jack is micro USB so in theory I should be able to use the whole thing to charge other things as well. I waste minimal power if I'm already using the computer and I can just plug it into the wall if I'm not. It's both convenient and well considered.
      • Re: (Score:3, Informative)

        > I always wondered, with the sheer amount of portable devices which charge
        > over USB nowadays, why not put some manner of standardized charge reporting
        > into the specs of the next version of USB

        You'd be surprised how lax the implementations of "standards" are. I've worked with both USB memory sticks for .mp3s and Bluetooth phones, and the code to handle them is a morass of special cases per manufacturer. Not including the version number differences. That's within the same interface version.

        Imple

      • by toastar (573882)

        I get it that the software can monitor charging, report stuff, advertise...

        I always wondered, with the sheer amount of portable devices which charge over USB nowadays, why not put some manner of standardized charge reporting into the specs of the next version of USB, so that we don't need to bother with nonsense like installing a new program or drivers for each device just to monitor its charging on the computer (or whatever charger), if we do want monitoring and such? That way, we could just tack a charge indicator onto whatever the OS or windowing system uses to track connected USB devices, instead of X amount of additional programs displaying it in any variety of mismatched ways.

        I mean, I'll grant that many devices just report their own charge on their own respective screens, so for things like phones or whatnot, it might not be that useful. Plus, my suggested scheme would quickly get shot down by companies like Energizer in this case when they realize revenue stream conduits^W^W^W customers wouldn't have a reason to install "special" drivers and programs loaded with ads...

        Oh, yeah. That IS why it wouldn't get adopted. Hrm.

        I have a better idea, Put the monitoring software on the device being charged.

    • Re:Software?! (Score:4, Insightful)

      by magus_melchior (262681) on Monday March 08, 2010 @01:22PM (#31402282) Journal

      Another commenter notes that the language code of the trojan is Chinese.

      I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state that is known to employ hackers.

      • Re: (Score:3, Insightful)

        by causality (777677)

        Another commenter notes that the language code of the trojan is Chinese.

        I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state that is known to employ hackers.

        I think that would rule out the USA as well, at least at the federal level.

      • Look damnit, if the free market thought there was an advantage to doing things your way then we'd all be growing our own battery chargers on government plantations. You presume to tell American businesses how to optimize their production lines? Nonsense and tosh! If you want something done a particular way, do it yourself! Your elitist attitude makes me sick.

      • Re: (Score:3, Informative)

        by grumpyman (849537)
        The language code of the file is in Chinese - well, they may have employed the manufacturer to write that .dll? I understand there's a chance that the hacker COULD BE Chinese, but it's not even remotely conclusive. Why is it that anytime anybody mentions anything about Chinese, it's all about "highly authoritarian state who is known to employ hackers", slave labour, environment, blah blah blah? I'm not saying they don't have these problems, but this post has remote speculative prospect to do with Chinese and all
    • by Yvanhoe (564877)

      I get it that the software can monitor charging, report stuff, advertise... But how does Energizer feel now, with egg on their faces?

      They blame Microsoft/subcontractors/trojan writers/OpenSource hippies, and it will not have any consequences for them.

    • by mhajicek (1582795)
      Because engineering is driven by marketing.
  • by carlhaagen (1021273) on Monday March 08, 2010 @12:58PM (#31401966)
    Its language code is Chinese.
    • Re: (Score:3, Interesting)

      by TheLink (130905)

      Yeah it was probably made in China, and typically nobody cares about QC/QA in the factory (or part of the QA is making sure the malware is installed ;) ).

      I found malware on a supposedly new PNY usb drive about a year ago. Perhaps it was a repackaged item.

      Anyway, didn't affect the machine I plugged it into since auto-run was disabled (like it should be).

  • This Trojan (Score:5, Funny)

    by retardpicnic (1762292) <retardpicnic@gmail.com> on Monday March 08, 2010 @12:59PM (#31401992)
    just keeps going....and going...and going....
  • Sometimes (Score:5, Funny)

    by xav_jones (612754) on Monday March 08, 2010 @01:00PM (#31402008)
    No version for linux is a good thing.
    • Re: (Score:3, Insightful)

      by 1s44c (552956)

      No version for linux is a good thing.

      Maybe the malware will run in wine. But why does it run anything? It doesn't need any form of software, it just needs to draw power from USB.

  • by ircmaxell (1117387)
    It just goes to show you that you can't trust anything that you plug into a computer...

    I mean seriously, drivers? For a battery charger? Unless they wanted to display a nifty "charge progress indicator" in the OS... But even then, do they not have a code review before it gets flashed onto the chip?
  • Told you so (Score:5, Interesting)

    by Animats (122034) on Monday March 08, 2010 @01:07PM (#31402094) Homepage

    Some time back, when USB chargers started to appear at airports, I warned that this might happen. A public charging port is such an attractive attack vector.

    Of course, the real problem is Windows's "autorun". It was a truly awful idea to have Windows run any executable that appears on any removable device or medium. That went in (in Windows 95, I think) when CDs were only manufactured by major vendors, before home CD writers or USB storage devices. So it probably seemed "safe" at the time.

    Worse was making it very difficult to turn autorun off. [cert.org]

    • Re:Told you so (Score:5, Insightful)

      by Myopic (18616) on Monday March 08, 2010 @01:43PM (#31402614)

      No no, it didn't seem safe at the time. Everyone who didn't have their head inside their keister knew it was a gaping security hole.

      Golly, I wish some of those people worked at Microsoft.

      • by Sciros (986030)

        Everyone who didn't have their head inside their keister knew it was a gaping security hole.

        Yes but there's no need to plug that hole with your head! You can use... an album cover...

        Mondays...

      • by jimicus (737525)

        No no, it didn't seem safe at the time. Everyone who didn't have their head inside their keister knew it was a gaping security hole.

        Golly, I wish some of those people worked at Microsoft.

        That's partly because Microsoft (and, by extension, a large chunk of the world's Windows software developers) have taken the approach that a PC is only ever used by one person who generally speaking knows what they want the computer to do and can be trusted to do the right thing when the situation demands it - despite decades of experience to the contrary.

        To be fair, this attitude has become much less prevalent in their products since XP became the mainstream version of Windows, and even less so with the in

      • No no, [autorun] didn't seem safe at the time. Everyone who didn't have their head inside their keister knew it was a gaping security hole.

        The security hole is running an unknown/unverified program, and anybody without the sense to disable autorun is going to just click on the installer and get the trojan anyway. Autorun doesn't make the problem worse, it just makes the computer more convenient for most users.

        Autorun is not the security hole. As usual, users are the security hole.

    • This isn't an issue with the charger presenting itself to the OS as a USB mass storage device; this is an issue with the management software that comes with the device (or you can download it) and presents a graphical charge level monitor.

    • by asdf7890 (1518587)

      That went in (in Windows 95, I think) when CDs were only manufactured by major vendors, before home CD writers or USB storage devices. So it probably seemed "safe" at the time.

      Many people questioned the safety of autorun with Win95. Auto-running from removable media had already been a problem - one of the first viruses documented as being in-the-wild was distributed on Apple floppies and got itself run via that system's autorun feature (unlike PCs descended from the IBM line and its compatibles, several machines and OSs, Apple's machines and Commodore's Amiga lines being two examples, supported detecting a new floppy being inserted) and that was long before Windows 95 hit the market.

    • At least Windows XP SP2 replaced AutoRun with AutoPlay. Devices (other than music CDs) no longer auto-run, instead asking you what you want to do with it, albeit with the AutoRun-specified item at the top of the list.

      This was changed further in Windows Vista/7, so that USB/FireWire drives don't even acknowledge that they have an AutoRun option. Which caused U3 [u3.com] to blatantly abuse this by pretending its U3 partition is a CD-ROM.

  • by jlowery (47102) on Monday March 08, 2010 @01:07PM (#31402096)

    if only because of the giant wooden Energizer Bunny on the packaging.

  • by Hurricane78 (562437) <deleted&slashdot,org> on Monday March 08, 2010 @01:17PM (#31402208)

    What the... WHYY?

    My battery charger takes four batteries and goes into the power socket. That’s it.
    I don’t see why in the world a charger would need more than this.

    It’s like having a supercomputer to control a toaster. It makes no sense at all.
    In my eyes, those who bought that thing deserve what they got.

    • Re: (Score:2, Offtopic)

      by 1s44c (552956)

      In my eyes, those who bought that thing deserve what they got.

      Those who bought Windows deserve what they got.

      • In my eyes, those who bought that thing deserve what they got.

        Those who bought Windows deserve what they got.

        Wow, way to wish doom on 90% of the computer using populace. That doesn't make you sound like a crazed zealot at all. That kind of talk is sure to gain support to your ideology.

    • There could be times when you don't have access to a power socket - or your battery charger won't work in the power sockets (say you visit another continent).

      In which case, you've got your business laptop, so you can charge your batteries for your MP3 player.

      It shouldn't need software though, I'll agree with that.

    • by Otto (17870)

      It’s like having a supercomputer to control a toaster. It makes no sense at all.

      Plain old toast is so retro. I prefer my toast printed with nice designs and patterns:

      http://www.inseq.net/zuse.html [inseq.net] :)

  • by grahamsaa (1287732) on Monday March 08, 2010 @01:26PM (#31402358)
    Energizer obviously isn't the first company to be hit with this sort of embarrassment, and it's surprising to me how resistant some of these companies are to learning and adopting good QA and security practices.

    If corporations feel that they must outsource production of devices like these, they damn well better be prepared to do thorough in-house testing before they release malware to the public. I'll give them the benefit of the doubt that they were probably unaware of this trojan, but that makes them no less negligent.
    • by vlm (69642) on Monday March 08, 2010 @01:41PM (#31402584)

      You're assuming they didn't outsource engineering, QA, security, and testing.

      You have the olden days idea, that China only manufactures.

      I would not be surprised to learn Energizer-USA in 2010 is no more than an overpriced CEO and some marketing folks.

    • by meerling (1487879)
      All it takes to bypass all the security in the world is one mistake by one person one time.
      (I've seen it happen more than I can count, and that's a pretty big number.)
  • at least that particular backdoor. Trojans, bots, virus, other backdoors, keyloggers, etc, that went in during the 3 years that you had it installed will be a bit harder to uninstall. Same for the info that you considered safe that went thru your machine (passwords, credit card info, etc).

    Anyway, a proper firewall (one that at the very least doesn't let anything connect to your machine through ports that haven't been specifically enabled) should have stopped most of it.
  • by flahwho (1243110)
    That fucking bunny! He's gonna have to GO~!
  • by spagthorpe (111133) on Monday March 08, 2010 @01:30PM (#31402414)

    I would kind of guess "Made In China", and the special edition to the software could easily have been added at this phase. It makes you start to wonder about a lot of products made there, and what they could also be doing. Even something like a motherboard could have all kinds of things going on at a very low level, and who would have a clue?

  • by mhajicek (1582795) on Monday March 08, 2010 @02:05PM (#31402880)
    Just wait until you plug it into your Toyota.
  • by NicknamesAreStupid (1040118) on Monday March 08, 2010 @02:10PM (#31402936)
    This little trick will disable all autoplay features, e.g. CDs, USB memory sticks etc. Open the registry editor, regedt32.exe, and configure the following registry value:
    Hive: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    Value Name: NoDriveTypeAutoRun
    Type: REG_DWORD
    Value: hex: 0xFF
  • Interesting... (Score:4, Insightful)

    by clone53421 (1310749) on Monday March 08, 2010 @02:34PM (#31403276) Journal

    It gives hex dumps of some of the commands. (Since some of them would obviously require arguments, they clearly can’t be full packets, but they’re signatures of each particular packet.)

    All of them follow this pattern:
    C2 E5 E5 E5 9E
    8 bytes that are different for each command
    C8
    4 bytes that vary
    C8 D1
    3 bytes that vary
    C8
    4 bytes that vary
    C8
    12 bytes that vary
    98 E5

    Graphing the sequences [dumpt.com] showed very obvious trends: Lots of values clustered in approximately the 155-170 range, and lots in the 200-220 range. Also, the 3-byte field that is different for every command has a different clustering pattern.

    XORing the patterns with 0-255 yielded the following at 229:
    '\0\0\0{98D958FC-D0A2-4f1c-B841-232AB357E7C8}\0
    '\0\0\0{F6C43E1A-1551-4000-A483-C361969AEC41}\0
    '\0\0\0{783EACBF-EF8B-498e-A059-F0B5BD12641E}\0
    '\0\0\0{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}\0
    '\0\0\0{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}\0
    '\0\0\0{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}\0
    '\0\0\0{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}\0

    Now, colour me surprised, but those look a damn awful lot like CLSIDs...

    VERY INTERESTING.
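
    The byte pattern and the XOR result in the comment above can be checked mechanically. What follows is an added Python example, not code from the post, from US-CERT or from Energizer: it rebuilds the wire form the dump implies (a 4-byte prefix, a braced GUID, a NUL, everything XORed with 0xE5), decodes a captured payload back to its command identifier, and repeats the 0-255 key search. The sample packet is constructed from one of the GUIDs listed in the comment; reading the first four bytes as a little-endian length prefix is an assumption.

```python
import re
from typing import Optional

KEY = 0xE5  # the XOR key the comment found at 229

# Braced GUID: 8-4-4-4-12 hex digits. The third group starting with '4'
# is why the dump shows a fixed D1 ('4' ^ 0xE5) before 3 varying bytes.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)

# Fixed bytes at fixed offsets, taken from the pattern listed in the comment:
# C2 E5 E5 E5 9E | 8 | C8 | 4 | C8 D1 | 3 | C8 | 4 | C8 | 12 | 98 E5  (43 bytes)
FIXED_BYTES = {0: 0xC2, 1: 0xE5, 2: 0xE5, 3: 0xE5, 4: 0x9E, 13: 0xC8,
               18: 0xC8, 19: 0xD1, 23: 0xC8, 28: 0xC8, 41: 0x98, 42: 0xE5}
PACKET_LEN = 43


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def encode_command(guid: str, key: int = KEY) -> bytes:
    """Build the wire form: little-endian length (assumed), '{guid}', NUL, all XORed."""
    body = ("{%s}\0" % guid).encode("ascii")
    # len(body) == 39 == 0x27, which is the "'" seen at the start of the decoded strings.
    return xor_bytes(len(body).to_bytes(4, "little") + body, key)


def matches_signature(packet: bytes) -> bool:
    """Cheap first-pass check on the constant bytes, no decoding needed."""
    if len(packet) != PACKET_LEN:
        return False
    return all(packet[off] == val for off, val in FIXED_BYTES.items())


def decode_command(packet: bytes, key: int = KEY) -> Optional[str]:
    """Return the braced GUID a packet carries, or None if it does not fit the layout."""
    if len(packet) < 5:
        return None
    plain = xor_bytes(packet, key)
    length = int.from_bytes(plain[:4], "little")
    body = plain[4:4 + length]
    if len(body) != length or not body.endswith(b"\0"):
        return None
    try:
        text = body[:-1].decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if GUID_RE.match(text) else None


def guess_key(packet: bytes) -> Optional[int]:
    """Repeat the comment's 0-255 search: the key is the one that yields a valid GUID."""
    for key in range(256):
        if decode_command(packet, key) is not None:
            return key
    return None


# Constructed sample, built from a GUID quoted in the comment; not a real capture.
SAMPLE_PACKET = encode_command("98D958FC-D0A2-4f1c-B841-232AB357E7C8")

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex(" "))
    print(matches_signature(SAMPLE_PACKET), decode_command(SAMPLE_PACKET), guess_key(SAMPLE_PACKET))
```

    Running the block prints the 43-byte encoding, which starts with C2 E5 E5 E5 9E and ends with 98 E5 exactly as the comment's pattern lists, and recovers key 229.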

  • Detect it with Nmap (Score:4, Informative)

    by iago-vL (760581) on Monday March 08, 2010 @02:48PM (#31403454)

    I spent the morning reverse engineering the Trojan and wrote an Nmap script to detect if a remote system is infected. Hope it helps out: http://www.skullsecurity.org/blog/?p=563 [skullsecurity.org].

    Ron

  • by WindBourne (631190) on Monday March 08, 2010 @05:51PM (#31405954) Journal
    1. You have fools that run Windows.
    2. We have idiots that have sent all the work to China.
    3. We have fools that buy this junk and then will blame the crackers in China that are paid to do this, rather than blame themselves, or the companies that sent the work there in the first place.

    Personally, I would like to see some of these Windows people SUE Energizer and other companies for selling the products that infect their machines. Force them to pay out 10-100x what they made in profit. Once western companies realize the high costs of doing business there, then and only then will they stop.

  • by wronskyMan (676763) on Tuesday March 09, 2010 @01:41AM (#31410278)
    The only reason the USB connection is needed is to provide the +5V power. At work, there were computers set to disable USB storage - and to report any attempts to the admins - since flashdrives etc were banned for these same security concerns. Had some small video cameras that needed recharging; 30 seconds with a pair of wire cutters and electrical tape resulted in a USB cable containing only the power and ground wires (no ability whatsoever for data to make it through). Sounds like this is what Energizer needs to do. There is no need for data transfer in a battery charger, and extra wires put in by a rogue factory are a lot easier to detect than malicious code.
