USB battery charger executes backdoor Trojan

A USB battery charger that includes an optional Windows application that allows the user to view the battery charging status executes a backdoor Trojan.

The US Computer Emergency Response Team (US-CERT) said that the Energizer DUO USB battery charger has the option to add the Windows application made available on the Energizer website.

The installer for the software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory. When the Energizer USB Charger software executes, it utilises the UsbCharger.dll component for providing USB communication capabilities.

This software executes Arucer.dll via the Windows rundll32.exe mechanism, and also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runregistry key.

However, Arucer.dll is a backdoor that allows unauthorised remote system access by accepting connections on 7777/tcp. US-CERT said that the backdoor operates with the privileges of the logged-on user, and an attacker would be able to remotely control a system, including the ability to list directories, send and receive files, and execute programs.

Energizer has said that it has removed the software from its download site, and added that although it had offered similar software for Mac OS X, only the Windows version had been infected. It said in a statement: “Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software.”

In addition CERT and Energizer recommend that users remove Arucer.dll, which can be found in the Window system32 directory that may remain after the software has been removed.

Security blogger Gary Warner said: “The detection on that malware as of last night is still pretty sketchy according to VirusTotal. In this VirusTotal Report for Arucer.dll it showed that only nine of 42 anti-virus products would have triggered on this malware. Microsoft, Sunbelt and Symantec are now detecting it as ‘Arugizer' (or Arurizer in Microsoft's case). F-secure, Fortinet, McAfee and Sophos are also detecting.

“If you really want to Trojan yourself, perhaps your best bet is to buy one of these systems from a third party, such as Amazon.com who still offers Energizer Charger USB Duo for $16.99.”

Graham Cluley, senior technology consultant at Sophos, claimed that this was time to remind everyone that malware is not just something you download from the internet, or find attached to an email, or even discover lurking on a CD.

He said: “Any time you plug a storage device into your computer you are potentially exposing it to any malicious code which might reside on the unit. So, that means that you have to be conscious that all sorts of items can carry malware, and could transmit it to your laptop or desktop computer if you attach it. It does not matter if it is an iPod, BlackBerry, sat-nav or a digital photo frame. If it's got the ability to store data, it can store malware too.

“It is not yet known how the software, which is designed to display a battery's charge level, became infected. It is clear, however, that a more stringent quality control procedure might have saved consumers' computers and Energizer's blushes.”

For more information on Trojans, and how not to fall victim to them, listen to the SC webcast with Stephan Freeman, information security manager at the London School of Economics and Martin Lee, senior malware analyst at Symantec Hosted Services.

Sign up to our newsletters