Software that can be downloaded for use with the Energizer Duo USB battery charger
contains a backdoor that could allow an attacker to remotely take control of a
Windows-based PC, Energizer and US-CERT are warning.
"The installer for the Energizer Duo software places the file UsbCharger.dll in the
application's directory and Arucer.dll in the Windows system32 directory," the
U.S. Computer Emergency Readiness Team said in an advisory on Friday. "Arucer.dll is a backdoor that
allows unauthorized remote system access via accepting connections on 7777/tcp.
Its capabilities include the ability to list directories, send and receive
files, and execute programs."
The Windows software was made available via a download with the Energizer Duo
Charger, Model CHUSB, Energizer said in a
The battery maker said it does not know how the Trojan got into the software.
"Energizer has discontinued sale of this product and has removed the site to
download the software," the statement said. "Energizer is currently working with
both CERT and U.S. government officials to understand how the code was inserted
in the software."
For systems with the software installed, US-CERT recommends removing the Energizer
Duo software and Arucer.dll file, as well as blocking access to port 7777 via
network perimeter devices or firewall software.
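The two indicators US-CERT names, Arucer.dll in System32 and a process accepting connections on 7777/tcp, can be checked together on a Windows host. This is an added example, not code from the advisory or the article; it parses `netstat -ano` output, the sample directory listing and netstat rows are constructed, and the firewall rule name is our own.

```python
import os
import re
import subprocess

BACKDOOR_DLL = "Arucer.dll"   # dropped into %SystemRoot%\System32 by the installer
BACKDOOR_PORT = 7777          # the backdoor accepts connections on 7777/tcp
# Real netsh syntax for a host-firewall block; the rule name is our own choice.
FIREWALL_RULE = ('netsh advfirewall firewall add rule name="Block 7777/tcp (Arucer backdoor)" '
                 "dir=in action=block protocol=TCP localport=7777")

# One 'netstat -ano' TCP listener row, e.g. "  TCP  0.0.0.0:7777  0.0.0.0:0  LISTENING  2468"
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)

def listeners_on_port(netstat_lines, port=BACKDOOR_PORT):
    """PIDs LISTENING on the given TCP port; ESTABLISHED, outbound and UDP rows are ignored."""
    pids = []
    for line in netstat_lines:
        m = _LISTEN_RE.match(line)
        if m and int(m.group(1)) == port:
            pids.append(int(m.group(2)))
    return pids

def assess(system32_names, netstat_lines):
    """Combine both indicators and return the findings plus the US-CERT cleanup steps that apply."""
    dll_found = any(n.lower() == BACKDOOR_DLL.lower() for n in system32_names)  # NTFS is case-insensitive
    pids = listeners_on_port(netstat_lines)
    actions = []
    if dll_found:
        actions.append("Uninstall the Energizer Duo software and delete System32\\" + BACKDOOR_DLL)
    if pids:
        actions.append("Terminate the process(es) listening on 7777/tcp: PID " + ", ".join(map(str, pids)))
    actions.append(FIREWALL_RULE)  # block the port at the host firewall regardless of findings
    return {"dll_found": dll_found, "listener_pids": pids, "actions": actions}

# Constructed sample input standing in for a live System32 listing and 'netstat -ano' output.
SAMPLE_SYSTEM32 = ["kernel32.dll", "ARUCER.DLL", "ntdll.dll"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880",
    "  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2468",
    "  TCP    192.168.1.5:49210      203.0.113.9:7777       ESTABLISHED     2468",
    "  UDP    0.0.0.0:7777           *:*                                    1100",
]

if __name__ == "__main__":
    if os.name == "nt":   # live check on a Windows host
        names = os.listdir(os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32"))
        lines = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout.splitlines()
    else:                 # elsewhere, run against the constructed sample
        names, lines = SAMPLE_SYSTEM32, SAMPLE_NETSTAT
    print(assess(names, lines))
```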
The Trojan may have been in the software since it was first offered three years ago,
according to Symantec.
"We were interested in finding out how long this file had been available to the
public. The compile time for the file is May 10, 2007. It is impossible to say
for sure that this Trojan has always been in this software, but from our initial
inspection it appears so," Symantec wrote in a blog
post. "The Trojan still operates whether this device is found or not, so a
USB charger doesn't need to be plugged in for the Trojan to be functioning."
If the Trojan does date back to 2007, that is around the same time that there was
a rash of products like digital photo
frames hitting U.S. shelves infected wi..., said Marcus Sachs,
director of the SANS Internet Storm Center.
"This may simply be from that time frame when all the factories in China were not
clean and many were putting malware onto stuff, not intentionally but because
the hygiene wasn't good," he said in an interview on Monday.
"Who knows where the server (hosting the software) is located," he said. "It could
have been exposed to the unclean conditions that were rampant there."