Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Energizer battery charger contains backdoor

By | March 8, 2010, 5:16am PST

Summary: The software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

The United States Computer Emergency Response Team (US-CERT) has warned that the software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

In an advisory, US-CERT warned that the installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory.

When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

US-CERT said that Arucer.dll is a backdoor that allows unauthorized remote system access by accepting connections on 7777/tcp.

Here’s the major risk:

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

Anti-malware researchers at Symantec have posted a detailed write-up of the Trojan discovery.

Energizer has issued a statement acknowledging the issue. The company said it has discontinued sale of this product and has removed the site to download the software. In addition, Energizer is directing consumers who downloaded the Windows version of the software to uninstall or otherwise remove the software from their computers.

REMOVE THE SOFTWARE:

According to US-CERT, the backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled (and a loaded DLL cannot be deleted), Windows may need to be restarted before this file can be removed. The entry under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key that launches Arucer.dll should be removed as well, so that nothing tries to reload it at the next logon.

Affected users should also block access to 7777/tcp. This mitigates the vulnerability by preventing network connectivity to the backdoor.

This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that “Run a DLL as an APP” has been blocked by the Windows Firewall.
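The detection and removal steps above, as an added PowerShell example that is not part of the US-CERT advisory, Energizer's statement or this article. It assumes an elevated PowerShell 2.0 or later session on the affected Windows machine (deleting from system32 and editing HKLM need administrator rights); since the advisory does not give the name of the Run value, the script finds it by searching the value data for Arucer.dll rather than assuming a name; the 7777/tcp listener is found by parsing netstat -ano output, and the firewall rule name Block_Energizer_7777 is my own choice.

```powershell
# Added example, not code from US-CERT, Energizer or the article.
# Triage (default) and optional cleanup (-Remove) of the Arucer.dll backdoor
# dropped by the Energizer DUO UsbCharger installer. Run elevated.
param([switch]$Remove)

$dll      = Join-Path $env:SystemRoot 'System32\Arucer.dll'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$port     = 7777
$findings = @()

# 1. The dropped component on disk.
if (Test-Path $dll) { $findings += "File present: $dll" }

# 2. Persistence: any Run value whose command line mentions Arucer.dll.
#    (The value name is not documented, so match on the data, not the name.)
$runValues = @()
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if (($p.Value -is [string]) -and ($p.Value -match 'Arucer\.dll')) {
            $runValues += $p.Name
            $findings  += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 3. The live backdoor: rundll32.exe hosting Arucer.dll. This is the process
#    that owns the 7777/tcp listener and keeps the DLL locked on disk.
$procs = Get-WmiObject Win32_Process -Filter "Name='rundll32.exe'" |
         Where-Object { $_.CommandLine -match 'Arucer\.dll' }
foreach ($h in $procs) { $findings += "rundll32 PID $($h.ProcessId): $($h.CommandLine)" }

# 4. Anything listening on 7777/tcp (netstat -ano works on XP and later).
$listen = netstat -ano | Select-String -Pattern "TCP\s+\S+:$port\s+\S+\s+LISTENING"
foreach ($l in $listen) { $findings += "Listening: $($l.Line.Trim())" }

if ($findings.Count -eq 0) {
    Write-Output "No indicators of the Energizer UsbCharger backdoor found."
    return
}
$findings | ForEach-Object { Write-Output "[!] $_" }

if (-not $Remove) {
    Write-Output "Re-run with -Remove to stop the process, remove persistence and delete the DLL."
    return
}

# Stop the hosting process first; otherwise the DLL stays locked and, as the
# advisory notes, a reboot is needed before the file can be deleted.
foreach ($h in $procs) {
    Stop-Process -Id $h.ProcessId -Force -ErrorAction SilentlyContinue
}
foreach ($v in $runValues) {
    Remove-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
}
if (Test-Path $dll) {
    Remove-Item -Path $dll -Force -ErrorAction SilentlyContinue
    if (Test-Path $dll) { Write-Warning "$dll is still locked; reboot and run this script again." }
}

# Belt and braces: block inbound 7777/tcp in Windows Firewall (Vista and later).
# The software never added an exception, so this only makes the default explicit.
netsh advfirewall firewall add rule name=Block_Energizer_7777 dir=in action=block protocol=TCP localport=$port | Out-Null

Write-Output "Cleanup attempted. Reboot, then run the script once more to confirm nothing came back."
```

The script reports rather than changes anything unless -Remove is given, because a hit on step 4 alone (something listening on 7777/tcp that is not rundll32 with Arucer.dll) may be an unrelated service and deserves a look before anything is killed.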


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

76 Comments

RE: Energizer battery charger contains backdoor
LexieAndWilliamsMOM 20th Jan
Does this charger only charge Energizer batteries? I purchased a Charge it from www.digitaltreasures.com. I love it! It charges any alkaline battery, and 9volts. It has a nice display on it and it tells me when a battery is bad. It is a smart charger and has been a great asset to my house hold.
0 Votes
+ -
Energizer... its going...
Ceridan 8th Mar 2010
and going and going and going... and gone (with all your files).
0 Votes
+ -
LOL! (nt)
John Zern 8th Mar 2010
(nt)
0 Votes
+ -
WHY?
kd5auq 8th Mar 2010
Was this an honest mistake (overlooking the open door)?
0 Votes
+ -
It shouldn't matter
cslycord@... 9th Mar 2010
The charger's hardware should've been made such that it could only utilize the power and not the data part of USB. But they likely had a 3rd-party design the hardware and software for them and these people decided to be dicks.
0 Votes
+ -
????
AzuMao 9th Mar 2010
The charger doesn't need to utilize anything for this.

You simply install the software onto your computer and it opens a backdoor on port 7777.

You don't even have to plug the charger in.
0 Votes
+ -
RE: It Shouldn't matter
cgarrett 22nd Jul 2010
@cslycord@... Not sure that's true. If I was going to go to the trouble of plugging a battery charger into a USB port rather than an outlet, I'd like to see the charge level in my task tray. If this doesn't happen, then I go back to totally agreeing with you.
0 Votes
+ -
Good find Ryan Naraine, thank you!
WinTard 8th Mar 2010

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

If Windows users didn't use administrative roles when logging onto their systems, 92% of all critical vulnerabilities would be mitigated.

A bit like never using root under Unix, but su or sudo to root whenever required to perform admin functions...

Windows implement the "Run As" command for that precise purpose.

Yes, the problem definitely sits between the chair and keyboard.

At least according to the 80/20 rule...
0 Votes
+ -
Yes, it is user error.
AzuMao 8th Mar 2010
Since according to Microsoft, in Windows Vista/7 malware can give itself admin privileges without your permission, and this is by design.

This is a PICNIC error; only users who care nothing about security would use Windows.
It is thus the fault of the user.
0 Votes
+ -
Windows non-administrative user
aiellenon 8th Mar 2010
The problem with being a non-administrative user is that you have to give administrative credentials to do anything besides browse the web, and even then it still will prompt you for administrative rights if you need an ActiveX control.

I never log in as root in Linux or Unix systems and rarely have to use sudo unless I am configuring the system or adding applications/updates. Windows is just not designed to be used by non-administrative users. Even some of my applications will not run/load without administrative privileges. I would have to type my admin password more than 50 times a day if I did not log in as an administrative user. It's bad enough that as a Unix admin at work I have to log in over 40 times every day just to do my job; you'd have to pay me 3 times what I make at work to get me to run my PC at home without admin rights. (Of course that is why, come next weekend, my only Windows machine will be a VM.)
0 Votes
+ -
Windows VM
Aesculapian 8th Mar 2010
I like the idea of a VM, security would definitely be enhanced, but...

I keep having to use scanners with proprietary software.

I keep having to support my 2 daughters with emergent needs to use downloaded software from their university or law school which is so obsolete as to not run under anything newer than XP.

I've had to use various Mozilla add ons to allow access to corporate software originally designed for IE6 running on Windows 2000. Even now, corporate email may become inaccessible remotely for a week at a time due to whatever configuration problems.

How easy is it to deal with all of this in a VM?

I agree that I was unable to support non-admin user status even on my own laptop. Updates nagged me into insanity.
0 Votes
+ -
A VM is where you already have an operating system installed and running, and then you install another one and run it inside of the first one.

Anything installed in the VM will run just like if you were using that OS on its own (aside from the huge resource usage from running multiple operating systems simultaneously on the same computer).

Not one of our users - including our IT staff - logs in with an account that has administrative privileges. Run-as is used for the few & far between times when admin privileges are required.

The problem with Windows & users needing admin privileges is idiotic applications (such as Wordperfect, or the myriad of apps that have ignored Microsoft's guidelines for 15 years) that feel they simply MUST write to system areas to work.

MS has been on developers since NT 3.1 to get their act in gear, and whenever they've forced it, the users & lazy developers cry about it. And we all suffer for it.
0 Votes
+ -
And we thought that bunny was friendly. Boy, were we wrong.
0 Votes
+ -
Don't you see...
boothby171 8th Mar 2010
[pick your favorite Monty Python response]

1) It IS the rabbit!

or

2) "Launcelot, Galahad, and I, wait until nightfall, and then leap out of the rabbit..."
0 Votes
+ -
Lawyers start your engines
terry flores 8th Mar 2010
It is criminal that this malware was distributed in the first place. What the heck was the company thinking?
They should have been forced to fix the software and keep the download page. Or can I get my money back? Otherwise the company has to be treated as criminals with no other intentions.
0 Votes
+ -
Wrong.
AzuMao 13th Mar 2010
Energizer is based in the US.

Here, only citizens are punished.
0 Votes
+ -
Software for a battery charger?
Rexxrally Updated - 8th Mar 2010
Why do we even need software to communicate with a battery charger?
0 Votes
+ -
Idiotic on the face of it
Tony R. 8th Mar 2010
All a battery charger needs is some status lights to show if the battery is defective, charging or fully charged. I wouldn't buy a product like this that comes with any kind of software. What were they thinking?
0 Votes
+ -
Even worse
wkulecz 17th Mar 2010
Even worse are the mp3 player/memory sticks with a "CDROM" partition and autorun.inf
0 Votes
+ -
Most probably
rarsa 8th Mar 2010
Microsoft approached them and gave them a way to make a battery charger work only with Windows.

People will later complain that "Linux" does not support my battery charger.

See? Very simple.

Although that is a plausible explanation, most likely they added SW functionality to provide more information than just "Charged/discharged" such as battery life and other measurements.
And all major operating systems (Windows/Mac/Linux) support a standard for battery devices, anyways (so it could be displayed in the computer). I've personally used the same UPS on a Windows box and a Linux box (not at the same time), and they both automatically detected it and displayed the battery level correctly.

The same mechanism could be used by the battery recharger to display battery levels.

The only possible reason for a weird software requirement is to arbitrarily prevent interoperability.
0 Votes
+ -
Well, if you were
Economister 8th Mar 2010
an ignorant consumer, and you looked at two chargers: one dumb (no SW) and one with whiz-bang SW. Which one would you choose?

The one with SW is obviously "intelligent" and better, right?

..go out of their way to install stuff.
0 Votes
+ -
I wonder if this is the only battery charger that does this?
0 Votes
+ -
Hmmmm....I plug my iPod Touch into a USB port to charge it...Hmmmmmm....I wonder.....
0 Votes
+ -
The rabbit is not my friend...
amaref 8th Mar 2010
The Bhopal disaster was an industrial catastrophe that took place at a pesticide plant owned and operated by Union Carbide (UCIL) in Bhopal, Madhya Pradesh, India, around midnight on December 3-4, 1984.
And Union Carbide (Energizer) didn't give a damn about the thousands of dead people...
Since that time the rabbit is not my friend. I don't buy Energizer batteries.
0 Votes
+ -
... but the fact remains that the plant operators were all locals. When they screwed up, rather than staying and containing the problem, they cut and ran, leading to the deaths of those thousands. Union Carbide should have trained them better, or performed better screening before hiring them. Half the blame falls on the government of India and the state of Madhya Pradesh for lack of or lax enforcement of safety regulations.
0 Votes
+ -
Apologist drivel
whisperycat Updated - 8th Mar 2010
Apologist or what?

"Twenty-five years after an explosion causing a massive gas leak in the Union Carbide factory in Bhopal, India killed at least 8,000 people, toxic material from the 'biggest industrial disaster in history' continues to affect Bhopalis.

A new generation is growing up sick, disabled, and struggling for justice. The effects of the disaster on the health of generations to come, transferred from gas victims to their children and through the ongoing severe contamination caused by the Union Carbide factory, has only started to develop visible forms recently.
Research conducted by the state-run Indian Council of Medical Research (ICMR) until 1994 showed that 25,000 people had died from the consequences of the 44 tons of poisonous gases that were released. This was in addition to the 8,000 to 10,000 people killed within the first three days, the BBC reported"

----------------------------------

Let's just remember WHY the US chose India to build this filthy, toxic, inherently dangerous chemical plant in a 3rd world country -

NO SAFETY REGS

CHEAP LABOUR

VAST PROFITS

NO ACCOUNTABILITY - Union Carbide are still denying and evading, 25 years after the event.
0 Votes
+ -
... continued production of methyl isocyanate after the Indian facility was shut down. I'm from West Virginia - sometimes I'm glad to be FAR from it.
0 Votes
+ -
Yes, just after
Economister 8th Mar 2010
all your data has been stolen. It is like committing a murder and then torching the place. (wink)

Good catch on the part of Ryan Naraine. It does make me wonder what else (backdoors, and what not) is out there waiting to be found. If the backdoor exists on an unsuspecting user's computer, how would the guy who put the backdoor program in the software know that the backdoor had been installed? Ryan did not say if there was phone-home code. So, without the phone-home code, this backdoor is just sort of there, but not telling anyone that it is there. Right? Granted it is a vulnerability, but just how vulnerable is it?

..and take it over.
That's how vulnerable.
0 Votes
+ -
My point was that you are only vulnerable if you could be found. I thought the software was included with the chargers. How would the bad guy know who had installed the software? When I realized the software was directly downloaded from the Energizer website, then the download logs would contain the IP of the downloaders. THAT is how the bad guy would find the potential backdoors.

It's not usually open.

OK, if there is no phone-home code, then how would the bad guy know who has the backdoor installed? The software with the bad code was only available by direct download from the Energizer website, so the download log would have the IP address of the downloaders. If the IPs are not dynamic it would give the bad guy a list of IPs to go and check, and, of course, he could check a range of IPs to account for dynamic IPs. At first I thought the software was included with the chargers.
0 Votes
+ -
He didn't CATCH this... It's been news for several days, as a matter of fact I was chuckling about it as an AP byline about A WEEK AGO!
0 Votes
+ -
I've blocked 7777 in my Linux firewall using Webmin.
Grayson Peddie Updated - 8th Mar 2010
In the output chain of my iptables (in Webmin), I've set the action to drop it when the destination port is 7777.

Even if I don't have a battery charger, I can be armed and ready to block it when one of the visitors to my apartment has an Energizer battery charger that came with a backdoor.

But I do have a question. Is a battery charger a human interface device (HID)? If it is, then why can't we write our own software that is cross-platform (Windows, Linux, and Mac)? Surely Microsoft could write code and patch it into the operating system so that it recognizes a battery charger and shows a status indicator in the system tray. A keyboard is a human interface device, right? I have an Insteon PowerLinc interface that Windows recognizes as a human interface device; that is, you don't have to install a driver from the CD to use it.
0 Votes
+ -
Why reactive?
AzuMao 8th Mar 2010
Why not be proactive and block all incoming by default and just make exceptions where necessary?
0 Votes
+ -
Fire Energizer's CTO & VP of Engineering
Seattle_2010 9th Mar 2010
The CTO and VP of Engineering of Energizer should be FIRED.

Why in the world would they ship software that does this? This appears to be by design of their product. This article doesn't say that a virus attached itself to the software that they ship.

The CTO and VP of Engineering of Energizer should be FIRED for allowing this to happen.
0 Votes
+ -
I don't think the CTO should be fired. He should just be given something more appropriate to his expertise. Something with a broom and a mop sounds about right to me.
0 Votes
+ -
I do have this charger device, but I usually use it with a USB wall adapter instead of a PC.

I did not think a reputable company would distribute a trojan in their software, but they probably did not even know about the trojan, because the software was made for them by some external company or developer.

I wonder if it's possible to use the software without the backdoor component (by just getting rid of the trojan).
0 Votes
+ -
I bought one of these devices in Hong Kong last summer. I am guessing this affects all versions and not just the ones sold here in the States? I never installed or downloaded software when I used mine the first time on a computer, so am I still vulnerable to this backdoor Trojan?
0 Votes
+ -
am i safe?
BitBanger_USA 9th Mar 2010
'I never installed or downloaded software'

common sense should tell you the answer to your question.
0 Votes
+ -
Not necessarily.
AzuMao 9th Mar 2010
Some operating systems, such as Windows, will automatically run executable files from USB devices without the user even knowing.
0 Votes
+ -
Incredible
dev-null 13th Mar 2010
That autorun deal is one of the stupidest things ever put in an OS.
0 Votes
+ -