Investigation Continues Into Malware In Battery Charger Software

The backdoor Trojan bundled with software for the Energizer Duo USB battery charger may have been active for nearly three years, security researchers have found. According to Symantec’s analysis, there is evidence that the Trojan dates back to 10 May, 2007.

“It’s really impossible to say for sure that this Trojan has always been in the USB charger-monitoring software, but the creation date in the Trojan binary’s header indeed states that it was created back in May 2007,” noted Dean Turner, director of Symantec’s Global Intelligence Network. “This would imply that the Trojan was most likely created back in 2007; however, there is a possibility that the time and date were set wrong on the computer that was used when the binary source files were compiled.”

Regardless of when it was created, its discovery prompted Energizer to announce on 5 March that it was discontinuing the sale of the product and removing the site from which the software could be downloaded. In addition, the company is urging consumers who downloaded the Windows version of the software to uninstall it.

Energizer did not say how the backdoor made its way into the software. However, it is not unheard of for attackers to hide malware inside products. For example, researchers at Kaspersky Lab in 2009 uncovered three pieces of malware on a brand-new M&A Companion Touch netbook the company had purchased to run compatibility tests.

An advisory by US-CERT explained, “The installer for the Energizer Duo software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component … UsbCharger.dll executes Arucer.dll … and it also configures Arucer.dll to execute automatically when Windows starts.”

The problem—Arucer.dll is a backdoor that allows unauthorized remote system access via TCP port 7777. “An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs,” the US-CERT advisory said. “The backdoor operates with the privileges of the logged-on user.”

Users can go into the Windows system32 directory and delete the Arucer.dll file to address the issue, though the system may need a restart before the file is officially removed. Alternatively, users can remove the Energizer UsbCharger software: “The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present,” US-CERT said.

Furthermore, “Blocking access to [port] 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor.” In addition, the US-CERT advisory includes Snort rules that “can be used to detect network traffic related to this backdoor.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
Tags: SymantecUSB

Recent Posts

Northvolt Mulls US Bankruptcy Protection – Report

Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…

16 hours ago

FTC Plans Investigation Into Microsoft Cloud Business – Report

Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC

18 hours ago

Programmer Sentenced To Five Years In Prison For Bitcoin Laundering

Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…

20 hours ago

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

2 days ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

2 days ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

2 days ago