Energizer battery charger contains backdoor
Summary: The software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.
The United States Computer Emergency Response Team (US-CERT) has warned that the software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.
In an advisory, US-CERT warned that the installer for the Energizer DUO software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory.
When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
US-CERT said that Arucer.dll is a backdoor that allows unauthorized remote system access by accepting connections on 7777/tcp.
Here's the major risk:
An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.
Anti-malware researchers at Symantec have posted a detailed write-up of the Trojan discovery.
Energizer has issued a statement acknowledging the issue. The company said it has discontinued sale of this product and has removed the site for downloading the software. In addition, Energizer is directing consumers who downloaded the Windows version of the software to uninstall or otherwise remove the software from their computers.
REMOVE THE SOFTWARE:
According to US-CERT, the backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, Windows may need to be restarted before this file can be removed.
Affected users should also block access to 7777/tcp. This helps to mitigate this vulnerability by preventing network connectivity to the backdoor.
This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that "Run a DLL as an APP" has been blocked by the Windows Firewall.
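The indicators US-CERT describes (the Arucer.dll file, the Run key entry, the rundll32.exe host process and the 7777/tcp listener) can be checked in one pass. The PowerShell script below is an added example, not part of the US-CERT advisory or this article; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and New-NetFirewallRule) and an elevated prompt, and the `-BlockPort` switch is a name chosen here.

```powershell
# Added example: check a host for the Arucer.dll indicators listed by US-CERT.
# -BlockPort (name chosen for this example) also adds an inbound block rule for 7777/tcp.
param([switch]$BlockPort)

$dllName  = 'Arucer.dll'
$dllPath  = Join-Path $env:SystemRoot "System32\$dllName"
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$port     = 7777
$findings = @()

# 1. Backdoor DLL on disk
if (Test-Path -LiteralPath $dllPath) {
    $findings += "File present: $dllPath"
}

# 2. Autostart entry. The advisory does not name the Run value,
#    so match on the value data instead of the value name.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ("$($p.Value)" -like "*$dllName*") {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 3. rundll32.exe instances hosting the DLL (these survive an uninstall until reboot)
$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"
foreach ($proc in $procs) {
    if ($proc.CommandLine -like "*$dllName*") {
        $findings += "Running: PID $($proc.ProcessId) $($proc.CommandLine)"
    }
}

# 4. Anything listening on 7777/tcp, with the owning process
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $owner = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Listening on ${port}/tcp: PID $($l.OwningProcess) ($($owner.ProcessName))"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No $dllName indicators found." }

# Mitigation from the advisory: block inbound access to 7777/tcp on the host firewall
if ($BlockPort) {
    New-NetFirewallRule -DisplayName "Block inbound ${port}/tcp ($dllName)" `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Block | Out-Null
}
```

A listener on 7777/tcp owned by a process other than rundll32.exe is not necessarily this backdoor; compare the owning process against findings 1 to 3 before acting on it.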

Talkback
Energizer... it's going...
LOL! :) (nt)
WHY?
It shouldn't matter
????
You simply install the software onto your computer and it opens a backdoor on port 7777.
You don't even have to plug the charger in.
RE: It Shouldn't matter
Good find Ryan Naraine, thank you!
If Windows users didn't use administrative roles when logging onto their systems, 92% of all critical vulnerabilities would be mitigated.
A bit like never using root under Unix, but su or sudo to root whenever required to perform admin functions...
Windows implements the "Run As" command for that precise purpose.
Yes, the problem definitely sits between the chair and keyboard.
At least according to the 80/20 rule...
Yes, it is user error.
This is a PICNIC error; only users who care nothing about security would use Windows.
It is thus the fault of the user.
Windows non-administrative user
is that you have to give administrative
credentials to do anything besides browse the web,
and even then it still will prompt you for
administrative rights if you need an ActiveX
control.
I never log in as root in linux or unix systems
and rarely have to use sudo unless I am
configuring the system or adding
applications/updates. Windows is just not
designed to be used by non-administrative users.
Even some of my applications will not run/load
without administrative privileges. I would have
to type my admin password more than 50 times a day
if I did not log in as an administrative user.
it's bad enough that as a Unix admin at work I
have to log in over 40 times every day just to do
my job, you'd have to pay me 3 times what I make
at work to get me to run my pc at home without
admin rights. (of course that is why come next
weekend my only windows machine will be a VM).
Windows VM
I keep having to use scanners with proprietary software.
I keep having to support my 2 daughters with emergent needs to use downloaded software from their university or law school which is so obsolete as to not run under anything newer than XP.
I've had to use various Mozilla add ons to allow access to corporate software originally designed for IE6 running on Windows 2000. Even now, corporate email may become inaccessible remotely for a week at a time due to whatever configuration problems.
How easy is it to deal with all of this in a VM?
I agree that I was unable to support non-admin user status even on my own laptop. Updates nagged me into insanity.
The same as it is to deal with without a VM.
Anything installed in the VM will run just like if you were using that OS on its own (aside from the huge resource usage from running multiple operating systems simultaneously on the same computer).
Since when is Windows not designed to be run by non-admin?
The problem with Windows & users needing admin privileges is idiotic applications (such as Wordperfect, or the myriad of apps that have ignored Microsoft's guidelines for 15 years) that feel they simply MUST write to system areas to work.
MS has been on developers since NT 3.1 to get their act in gear, and whenever they've forced it, the users & lazy developers cry about it. And we all suffer for it.
RE: Energizer battery charger contains backdoor
Don't you see...
1) It IS the rabbit!
or
2) "Launcelot, Galahad, and I, wait until nightfall, and then leap out of the rabbit..."
Lawyers start your engines
It is criminal to stop service on the reason theft ring is winded up
Wrong.
Here, only citizens are punished.
Software for a battery charger?
Idiotic on the face of it
Even worse