Slashdot Mirror


Energizer USB Battery Charger Software Infects PCs

swandives writes "Researchers at US-CERT have warned that software accompanying the Energizer DUO USB battery charger contains a Trojan that gives hackers total access to a Windows PC. The product was sold in the US, Latin America, Europe and Asia starting in 2007. Upon installation, the software creates the file 'Arucer.dll,' a Trojan that listens for commands on TCP port 7777. Upon receiving instructions, the Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry. Uninstalling the software disables the automatic execution of the Trojan. Users can also remove Arucer.dll from Windows' system32 directory and reboot the machine to disable the backdoor component."
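An added example, not part of the original submission or of the US-CERT advisory: a local PowerShell check for the two indicators the summary names, the file Arucer.dll and a listener on TCP port 7777. Checking SysWOW64 as well as system32 is an assumption made here for 64-bit Windows, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example: look for the indicators named in the story summary.
$dllName = 'Arucer.dll'
$port    = 7777

# 1. File on disk. The summary names system32; SysWOW64 is an added
#    assumption for 32-bit DLLs on 64-bit Windows.
$files = foreach ($dir in 'System32', 'SysWOW64') {
    $candidate = Join-Path (Join-Path $env:SystemRoot $dir) $dllName
    if (Test-Path -LiteralPath $candidate) {
        Get-Item -LiteralPath $candidate -Force |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# 2. Listener on TCP 7777, with the owning process. Other software also
#    uses this port, so a hit alone is a lead to investigate, not proof.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            ProcessId    = $_.OwningProcess
            ProcessName  = $proc.ProcessName
            Path         = $proc.Path
        }
    }

# 3. Summary object: the DLL on disk is the page's own indicator; the
#    listener is reported alongside it for correlation.
[pscustomobject]@{
    FilesFound      = @($files)
    Port7777Listens = @($listeners)
    DllPresent      = [bool]$files
}
```

Run it from a 64-bit PowerShell session; a 32-bit session on 64-bit Windows has its system32 path redirected to SysWOW64.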

25 of 260 comments

  1. Near Anagram for Duracell by eldavojohn · · Score: 5, Funny

    Interesting that Arucer.dll is (aside from an extra 'r') an anagram for Energizer's competitor Duracell. Perhaps the authors of the software thought Duracell was spelled 'Durracell'? And perhaps they decided to pick an anagram of the competitor to make it look as though Duracell is behind this?

    --
    My work here is dung.
    1. Re:Near Anagram for Duracell by Jazz-Masta · · Score: 4, Informative

      There have been reports of Arucer.dll utilizing 100% CPU as far back as mid 2007. It was originally included by Energizer and used to check that the device was indeed connected to the machine.

      They aren't sure how long the dll has been infected, but all signs point to the entire time (back to May 2007). Considering how many forum posts have issues with the dll going back 2.5 years, you'd think someone would have figured it out long ago.

    2. Re:Near Anagram for Duracell by CaptnMArk · · Score: 4, Funny

      Duracell(r)

    3. Re:Near Anagram for Duracell by toastar · · Score: 4, Insightful

      you think the Term 'hacker' and the term 'criminal' are mutually exclusive?
      I know we spent a decade trying to show the world they are different, but even a technically skilled criminal can be a hacker.... he just has to wear a black hat while he does his deed.

    4. Re:Near Anagram for Duracell by Runaway1956 · · Score: 4, Informative

      Since about the time Windows came out with their Task Manager. Basic competency. Very basic. No one suggests that finding the executable, and disassembling it to find out what makes it tick is part of basic competency, but opening task manager to see which of your 97 active processes is using all of your computer time is indeed "basic".

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:Near Anagram for Duracell by Anne_Nonymous · · Score: 5, Funny

      They should all be charged with assaulting battery!

      -rimshot-

    6. Re:Near Anagram for Duracell by multisync · · Score: 5, Insightful

      you think the Term 'hacker' and the term 'criminal' are mutually exclusive?

      No, but neither are the terms "accountant" and "embezzler," or "journalist" and "liar," or "priest" and "pedophile."

      The problem with using the term "hacker" is as soon as you throw that term in to the conversation, it takes the spotlight off of the party that is actually responsible.

      So Sony puts a root kit on your machine that could allow "hackers" to get control of it, it's those damn "hackers" who are the problem, not Sony. Perhaps not the best example to give, since Sony was heavily criticized for their actions (at least on Slashdot); but how many times have we seen stories about public servants losing laptops full of unencrypted information reported as "hackers could be accessing your private information."

      The problem isn't some mythical "black hat" pounding furiously away at the keyboard as graphic images swirl around his head, it's that companies and government agencies are not taking due care with people's private information, and frequently take liberties with their customers' property that would be considered criminal if it was your physical property they were abusing. Invoking the phrase "hacker" lets the real parties who are responsible off the hook.

      In this case, I would be interested in knowing why Energizer has no idea how this trojan got in to their charger in the first place, and whether it was truly the work of a nefarious black hat, or a misguided attempt by the company to keep tabs on how customers are using their product.

      Who knows, but as long as the focus is on "hackers" exploiting this trojan, rather than how it got bundled with the charger in the first place, it's unlikely we'll get the real story, or that the people who were really responsible will face any consequences.

      --
      I don't care why you're posting AC
  2. Software?! by dch24 · · Score: 4, Insightful

    Why does a USB-powered charger need software at all?

    It's called a DUO because it can plug into the wall or into a computer. So it works without a computer. To get the computer to jack up the USB power output from the default 100mA, the device could identify itself as a hub -- no software required.

    I get it that the software can monitor charging, report stuff, advertise... But how does Energizer feel now, with egg on their faces?

    1. Re:Software?! by Captain+Spam · · Score: 4, Interesting

      I get it that the software can monitor charging, report stuff, advertise...

      I always wondered, with the sheer amount of portable devices which charge over USB nowadays, why not put some manner of standardized charge reporting into the specs of the next version of USB, so that we don't need to bother with nonsense like installing a new program or drivers for each device just to monitor its charging on the computer (or whatever charger), if we do want monitoring and such? That way, we could just tack a charge indicator onto whatever the OS or windowing system uses to track connected USB devices, instead of X amount of additional programs displaying it in any variety of mismatched ways.

      I mean, I'll grant that many devices just report their own charge on their own respective screens, so for things like phones or whatnot, it might not be that useful. Plus, my suggested scheme would quickly get shot down by companies like Energizer in this case when they realize revenue stream conduits^W^W^W customers wouldn't have a reason to install "special" drivers and programs loaded with ads...

      Oh, yeah. That IS why it wouldn't get adopted. Hrm.

      --
      Demanding constant attention will only lead to attention.
    2. Re:Software?! by magus_melchior · · Score: 4, Insightful

      Another commenter notes that the language code of the trojan is Chinese.

      I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state that is known to employ hackers.

      --
      "We are Microsoft. You shall be assimilated. Competition is futile."
  3. Interesting detail in the DLL: by carlhaagen · · Score: 4, Interesting

    Its language code is Chinese.

  4. This Trojan by retardpicnic · · Score: 5, Funny

    just keeps going....and going...and going....

    --
    sig loading.......
  5. Sometimes by xav_jones · · Score: 4, Funny

    No version for linux is a good thing.

  6. Told you so by Animats · · Score: 4, Interesting

    Some time back, when USB chargers started to appear at airports, I warned that this might happen. A public charging port is such an attractive attack vector.

    Of course, the real problem is Windows's "autorun". It was a truly awful idea to have Windows run any executable that appears on any removable device or medium. That went in (in Windows 95, I think) when CDs were only manufactured by major vendors, before home CD writers or USB storage devices. So it probably seemed "safe" at the time.

    Worse was making it very difficult to turn autorun off.

    1. Re:Told you so by Myopic · · Score: 4, Insightful

      No no, it didn't seem safe at the time. Everyone who didn't have their head inside their keister knew it was a gaping security hole.

      Golly, I wish some of those people worked at Microsoft.

  7. Purchasers should have known something was wrong by jlowery · · Score: 5, Funny

    if only because of the giant wooden Energizer Bunny on the packaging.

    --
    If you post it, they will read.
  8. USB? Software? On a BATTERY CHARGER? by Hurricane78 · · Score: 4, Funny

    What the... WHYY?

    My battery charger takes four batteries and goes into the power socket. That’s it.
    I don’t see why in the world a charger would need more than this.

    It’s like having a supercomputer to control a toaster. It makes no sense at all.
    In my eyes, those who bought that thing, deserve what they got.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  9. Re:A clean uninstaller? wow! by kseise · · Score: 5, Funny

    Ubuntu does not equal Linux. Come on man! You probably have to wait for it to be packaged upstream. Besides, a DLL is a LIBRARY file. You should be looking for lib-arucer or something similar like waffles, or whatever the developer felt like naming it. If that doesn't work, try x-arucer, or switch to Gentoo. I am sure they can get it.

    PS- Wine might run it, but you will probably need a patch. Try Cedega or Play-On-Linux, or qemu or dosbox.

  10. Outsourcing / QA / Negligence by grahamsaa · · Score: 4, Interesting

    Energizer obviously isn't the first company to be hit with this sort of embarrassment, and it's surprising to me how resistant some of these companies are to learning and adopting good QA and security practices.

    If corporations feel that they must outsource production of devices like these, they damn well better be prepared to do thorough in-house testing before they release malware to the public. I'll give them the benefit of the doubt that they were probably unaware of this trojan, but that makes them no less negligent.

    --
    Facts have a liberal bias.
    1. Re:Outsourcing / QA / Negligence by vlm · · Score: 5, Interesting

      You're assuming they didn't outsource engineering, QA, security, and testing.

      You have the olden days idea, that China only manufactures.

      I would not be surprised to learn Energizer-USA in 2010 is no more than an overpriced CEO and some marketing folks.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  11. Re:Purchasers should have known something was wron by dkleinsc · · Score: 4, Funny

    Not true. If it had been a giant wooden bunny, they'd have known that Lancelot, Galahad, and Bedevere had forgotten to get inside in the first place.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  12. Just wait until... by mhajicek · · Score: 4, Funny

    Just wait until you plug it into your Toyota.

    1. Re:Just wait until... by ascari · · Score: 5, Funny

      Toyota: Just keeps going, and going, and going?

  13. An AutoStart Fix for Windows XP and W2K by NicknamesAreStupid · · Score: 4, Informative

    This little trick will disable all autoplay features, e.g. CDs, USB-memories etc. Open the registry editor, regedt32.exe, and configure the following registry value:
    Hive: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    Value Name: NoDriveTypeAutoRun
    Type: REG_DWORD
    Value: hex: 0x03fffffff
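An added example, not part of the comment above: a read-only PowerShell audit of the NoDriveTypeAutoRun value the comment names, reporting which drive types are still allowed to AutoRun. The bit meanings are the ones Microsoft documents for this value, only the low byte is decoded, and the function name Get-AutoRunPolicy is hypothetical.

```powershell
# Added example: decode NoDriveTypeAutoRun and list drive types left enabled.
$subKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'

# A set bit DISABLES AutoRun for that drive type; 0xFF disables all of them.
$driveTypeBits = [ordered]@{
    'Unknown type (0x01)' = 0x01
    'Removable'           = 0x04
    'Fixed'               = 0x08
    'Network'             = 0x10
    'CD-ROM'              = 0x20
    'RAM disk'            = 0x40
    'Unknown type (0x80)' = 0x80
}

function Get-AutoRunPolicy {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $path = "${Hive}:\$subKey"
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the operating system's built-in default applies.
        return [pscustomobject]@{ Hive = $Hive; Value = $null; AllDisabled = $false
                                  StillEnabled = @('value not set') }
    }

    # Only the low byte carries drive-type bits.
    $mask = $item.$valueName -band 0xFF
    $enabled = $driveTypeBits.GetEnumerator() |
        Where-Object { -not ($mask -band $_.Value) } |
        ForEach-Object { $_.Key }

    [pscustomobject]@{
        Hive         = $Hive
        Value        = '0x{0:X2}' -f $mask
        AllDisabled  = ($mask -eq 0xFF)
        StillEnabled = @($enabled)
    }
}

# When the value exists in HKLM, Windows ignores the per-user HKCU copy.
'HKLM', 'HKCU' | ForEach-Object { Get-AutoRunPolicy -Hive $_ }
```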

    1. Re:An AutoStart Fix for Windows XP and W2K by Sir_Lewk · · Score: 5, Funny

      It's things like this that just go to show why windows will never be ready for the desktop.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)