Monday, March 08, 2010

Energizer DUO: Trojan yourself for only $19.99


(image from EnergizerRecharge.eu)

The Energizer DUO, a USB-powered battery recharger, was confirmed on Friday by Energizer Holdings to contain malicious code. According to this Energizer Press Release, they were notified by the CERT Coordination Center that the Windows software that ships with their DUO Charger "contains a vulnerability".

Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from your computer. This will eliminate the vulnerability. In addition CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Window system32 directory.

Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software. Additional technical information can be found at http://www.kb.cert.org/vuls/id/154421.


Apparently Unix tutorial author Ed Schaller was the one who reported the malware to US-CERT. US-CERT then asked Symantec to evaluate the malware, which was written up by Liam Murchu in the Symantec Security Response Blog.

According to the US-CERT article, Arucer.dll is launched in the traditional way, with a "rundll32" call from the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

The hashes for the malware file, Arucer.dll, which is 28,672 bytes in size, are:

MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

US-CERT indicates that the file properties indicate the file was written on a Chinese computer. (Language set = 0x0804)

The detection on that malware as of last night is still pretty sketchy according to VirusTotal. In this VirusTotal Report for Arucer.dll it showed that only 9 of 42 anti-virus products would have triggered on this malware. Microsoft, Sunbelt, and Symantec are now detecting it as "Arugizer" (or Arurizer in Microsoft's case). F-secure, Fortinet, McAfee, and Sophos are also detecting.

Although Symantec's Liam indicates they were able to download the software from the Energizer website on Friday, all links we could find for the downloadable package, formerly at:
hxxp://www.energizer.com/usbcharger/download/UsbCharger_setup_V1_1_1.exe
now redirect to an Energizer homepage.

If you REALLY want to trojan yourself, perhaps your best bet is to buy one of these systems from a third party, such as Amazon.com who still offers Energizer Charger USB Duo for $16.99.

Symantec reports that after infection, the machine begins to listen on port 7777. Valid commands which can be sent to that port are in the form of XOR'ed CLSIDs, with the list being:

• {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}
• {F6C43E1A-1551-4000-A483-C361969AEC41}
• {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}
• {783EACBF-EF8B-498e-A059-F0B5BD12641E}
• {0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}
• {98D958FC-D0A2-4f1c-B841-232AB357E7C8}
• {4F4F0D88-E715-4b1f-B311-61E530C2C8FC}
• {384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}
• {8AF1C164-EBD6-4b2b-BC1F-64674E98A710}

US-CERT has released Snort rules for these various detects, which it has named:
Arucer Command Execution
Arucer DIR Listing
Arucer WRITE FILE command
Arucer READ FILE command
Arucer NOP command
Arucer FIND FILE command
Arucer YES command
Arucer ADD RUN ONCE command
Arucer DEL FILE command

which seems to indicate a wide-range of possibilities from this trojan.

Gregg Keizer wrote a nice piece for ComputerWorld on this topic: Energizer Bunny's software infects PCs, which reminds us that in 2007 Seagate shipped trojaned drives, and Apple shipped some trojaned iPods, and that in 2008 Best Buy sold Digital Picture frames with attack code in them.

Thanks to @EdNadrotowicz for the Twitter tip-off on this story...

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.