If you’re using Energizer’s Duo USB battery charger software to monitor your battery charging status, it’s probably a good idea to shut it down and uninstall it pronto.
The software designed to work with the Duo contains a backdoor Trojan that lets unauthorized users access a PC remotely, among other things.
The Duo was introduced in 2007; it charges nickel metal hydride batteries from both wall outlets and computer USB ports. Energizer had encouraged Duo users to download companion software that allows them to monitor the charging status of the batteries when the Duo is plugged into their PCs.
Within this software lies the Trojan, a dynamic link library (DLL) file called “Arucer.dll.” Besides granting remote access, it can list directories, send and receive files and execute programs.
The backdoor operates with full user privileges, the United States Computer Emergency Readiness Team (US-CERT) warned in Vulnerability Note VU#154421 about Arucer.
Arucer.dll is added to the Windows “Run” registry key on infected PCs, so it starts every time the computer is turned on, according to security research firm Symantec. It listens for commands from anyone who connects to the PC, then sends files or directory listings, or downloads or executes files.
The threat doesn’t call home after an infection, Dean Turner, director of Symantec Security Response, told TechNewsWorld. Instead, it sits on the infected PC waiting to be discovered and used by hackers.
That makes it difficult to trace hackers. “Anyone with the knowledge of this threat’s capabilities can locate an infected machine and use any of this Trojan’s features in order to execute tasks from any location,” Turner pointed out.
Since the author would have to scan various networks to locate a machine infected by this threat, then activate the Trojan, there is no IP address from which to trace the attack, Turner said.
Once it has infected a PC, the Trojan will run whether or not the Energizer charger device is plugged in.
A Trojan’s Tale
The Energizer software containing the Arucer.dll file was located on an Energizer Web site. The software was available in Windows and Mac versions, but only the Windows version had the vulnerability. Energizer has removed the Web site and discontinued the sale of the product.
The Trojan was discovered by Symantec when CERT gave it a file for analysis.
Energizer has warned buyers of its Duo charger against using the software and has suggested they uninstall it. Energizer did not respond to requests for comment by press time.
Hopping Under the Radar
Apparently, the Trojan has been around since 2007. If that’s the case, why did it go undetected for so long?
“The problem with all these Trojans is that all you have to do is change an error message or tweak them in some other way and all of a sudden their signature is changed and it won’t be detected by your antivirus software,” Carl Howe, director of anywhere computer research at the Yankee Group, told TechNewsWorld.
“Today’s malware authors spend a great deal of time and energy armoring and obfuscating their attacks in order to avoid detection,” Symantec’s Turner said. “With an ever increasing number of targeted attacks, some may avoid detection longer than others.”
While this is true, Windows developers must also shoulder part of the blame, Howe pointed out.
“The problem is as much Microsoft’s as Energizer’s,” he said. “Windows is a collection of device drivers, and it was never a secure operating system. When you’re installing a USB driver, you only get a UAC challenge and most people click ‘yes’ because there’s no right answer to that unless they know they’re doing something bad.”
UAC is User Account Control, a security mechanism Microsoft introduced with Windows Vista and Windows Server 2008. It confines application software to standard user privileges until an administrator explicitly authorizes an elevation of privileges. However, UAC drew many complaints from Windows Vista users who were bothered by the frequent approval prompts it generated.
The feedback from the field indicates a “significant number” of systems have been cleaned up since Symantec added a solution to its antivirus product, Symantec’s Turner said.
Possible Solutions for Victims
Naturally, anyone whose PC has been infected should uninstall the application immediately.
That doesn’t finish the job, though. “Once the application is uninstalled, the malicious DLL is left behind running,” Symantec’s Turner said. “However, on a subsequent reboot of the machine, the threat is no longer running. At this point, the DLL can be removed manually.”
To remove the DLL, users have to delete the Arucer.dll file from the Windows System32 directory.
Enterprise IT staff can block access to Port 7777, which the backdoor opens.
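The following PowerShell script is an added example, not code from Energizer, Symantec or US-CERT, that turns the indicators and cleanup steps described above (a Run-key entry that loads Arucer.dll, the DLL in the System32 directory, and a listener on port 7777) into a single audit that an administrator can run on a suspect host, and that performs the removal and the port block when run with -Remediate. It assumes the Run-key value name is not known (the article does not give it), so it inspects every value under the HKLM and HKCU Run keys for a reference to Arucer.dll; it assumes the DLL lives at %SystemRoot%\System32\Arucer.dll and that the listener is TCP 7777. The firewall rule name is chosen here, not taken from the article.

```powershell
# Added example: audit (and optionally remediate) a Windows host for the
# Arucer.dll backdoor indicators described in the article.
# Assumptions (not from the article): the Run-key value name is unknown, so
# every value under both Run keys is inspected; the DLL path is
# %SystemRoot%\System32\Arucer.dll; the listener is TCP port 7777.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$dllName = 'Arucer.dll'
$dllPath = Join-Path $env:SystemRoot "System32\$dllName"
$port    = 7777
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Persistence: any Run-key value whose data mentions Arucer.dll
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        if ("$($p.Value)" -match [regex]::Escape($dllName)) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $p.Value }
            if ($Remediate) {
                Remove-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue
            }
        }
    }
}

# 2. The DLL on disk
if (Test-Path $dllPath) {
    $findings += [pscustomobject]@{ Type = 'File'; Where = $dllPath; Detail = "$((Get-Item $dllPath).Length) bytes" }
    if ($Remediate) {
        # The article notes the DLL keeps running until the next reboot, so
        # deletion may fail until the machine has been restarted.
        try { Remove-Item -Path $dllPath -Force -ErrorAction Stop }
        catch { Write-Warning "Could not delete $dllPath (still loaded?). Reboot and run this script again." }
    }
}

# 3. Listener on the backdoor port (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Type = 'Listener'; Where = "TCP $port"; Detail = "PID $($l.OwningProcess) $($proc.ProcessName)" }
}

# 4. Containment: inbound block rule for the backdoor port
if ($Remediate) {
    $ruleName = 'Block Arucer backdoor TCP 7777'   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block | Out-Null
    }
}

if ($findings.Count -eq 0) { Write-Output "No Arucer.dll indicators found." }
else { $findings | Format-Table -AutoSize }
```

Run it once without -Remediate from an elevated prompt to see what it finds; the ordering mirrors the cleanup sequence in the article, since the Run-key entry can be removed at any time but the file itself only deletes cleanly after the reboot that stops the DLL. The Run-key search is deliberately broad (any value referencing Arucer.dll) because the article identifies the key but not the value name under which the DLL is registered.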