Security experts at Symantec have discovered a software application made for a USB-based battery charger sold by Energizer actually included a hidden backdoor that allowed unauthorized remote access to the user’s system. The backdoor Trojan is easily removed, but Symantec believes the tainted software may have been in circulation since May 2007.
The product is the Energizer Duo USB battery charger, a device that charges batteries by drawing power from a USB port. The downloadable software that goes with the product — designed to monitor the charger’s performance and status — was available for both Mac and Windows, but according to the U.S. Computer Emergency Response Team (US-CERT) only the Windows version was affected.
Symantec said it found the backdoor after analyzing a component of the USB charger software sent to it by US-CERT. The backdoor is designed to run every time the computer starts, and then listen for commands from anyone who connects. Among the actions an attacker can take after connecting include downloading a file; running a file; sending a list of files on the system; and offloading the files to the remote attacker.
U.S. CERT has published an advisory that explains in greater detail how to remove this backdoor, should you have been unlucky enough to have installed the software. But the incident is the latest reminder that USB-based devices should always be considered hostile. At the very least, users should disable the autorun capability in Windows (which many malware families use to piggyback on removable media), and thoroughly scan any removable media for malicious files.
In another incident of malware hitchhiking on USB devices, Panda Security published a blog post Monday saying it had found a brand new Vodaphone HTC Magic mobile with Google’s Android operating system that came factory-packed with malicious software. According to Panda, the malware, which took advantage of the autorun functionality in Windows, was set up to enslave the host computer in the Mariposa botnet.