Investigation Continues Into Malware In Battery Charger Software

The backdoor Trojan bundled with software for the Energizer Duo USB battery charger may have been active for nearly three years, security researchers have found. According to Symantec’s analysis, there is evidence that the Trojan dates back to 10 May, 2007.

“It’s really impossible to say for sure that this Trojan has always been in the USB charger-monitoring software, but the creation date in the Trojan binary’s header indeed states that it was created back in May 2007,” noted Dean Turner, director of Symantec’s Global Intelligence Network. “This would imply that the Trojan was most likely created back in 2007; however, there is a possibility that the time and date were set wrong on the computer that was used when the binary source files were compiled.”

Regardless of when it was created, its discovery prompted Energizer to announce on 5 March that it was discontinuing the sale of the product and removing the site from which the software could be downloaded. In addition, the company is urging consumers who downloaded the Windows version of the software to uninstall it.

Energizer did not say how the backdoor made its way into the software. However, it is not unheard of for attackers to hide malware inside products. For example, researchers at Kaspersky Lab in 2009 uncovered three pieces of malware on a brand-new M&A Companion Touch netbook the company had purchased to run compatibility tests.

An advisory by US-CERT explained, “The installer for the Energizer Duo software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component … UsbCharger.dll executes Arucer.dll … and it also configures Arucer.dll to execute automatically when Windows starts.”

The problem—Arucer.dll is a backdoor that allows unauthorized remote system access via TCP port 7777. “An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs,” the US-CERT advisory said. “The backdoor operates with the privileges of the logged-on user.”

Users can go into the Windows system32 directory and delete the Arucer.dll file to address the issue, though the system may need a restart before the file is officially removed. Alternatively, users can remove the Energizer UsbCharger software: “The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present,” US-CERT said.

Furthermore, “Blocking access to [port] 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor.” In addition, the US-CERT advisory includes Snort rules that “can be used to detect network traffic related to this backdoor.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

SoftBank Promises To Invest $100bn In US

Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…

11 hours ago

Synopsys, SiMa.ai To Collaborate On AI Car Chips

Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…

12 hours ago

AI Start-Up Basis Raises $34m For Accountancy Agent

Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…

12 hours ago

Databricks Raises $10bn In Huge AI Funding Round

Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…

13 hours ago

Congo Files Complaints Against Apple Over Conflict Minerals

Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…

13 hours ago