March 9, 2010

Security experts at Symantec have discovered a software application made for a USB-based battery charger sold by Energizer actually included a hidden backdoor that allowed unauthorized remote access to the user’s system. The backdoor Trojan is easily removed, but Symantec believes the tainted software may have been in circulation since May 2007.

The product is the Energizer Duo USB battery charger, a device that charges batteries by drawing power from a USB port. The downloadable software that goes with the product — designed to monitor the charger’s performance and status — was available for both Mac and Windows, but according to the U.S. Computer Emergency Response Team (US-CERT) only the Windows version was affected.

Symantec said it found the backdoor after analyzing a component of the USB charger software sent to it by US-CERT. The backdoor is designed to run every time the computer starts, and then listen for commands from anyone who connects. Among the actions an attacker can take after connecting include downloading a file; running a file; sending a list of files on the system; and offloading the files to the remote attacker.

U.S. CERT has published an advisory that explains in greater detail how to remove this backdoor, should you have been unlucky enough to have installed the software. But the incident is the latest reminder that USB-based devices should always be considered hostile. At the very least, users should disable the autorun capability in Windows (which many malware families use to piggyback on removable media), and thoroughly scan any removable media for malicious files.

In another incident of malware hitchhiking on USB devices, Panda Security published a blog post Monday saying it had found a brand new Vodaphone HTC Magic mobile with Google’s Android operating system that came factory-packed with malicious software. According to Panda, the malware, which took advantage of the autorun functionality in Windows, was set up to enslave the host computer in the Mariposa botnet.

16 thoughts on “Energizer Battery Charger Software Included Backdoor

  1. Mike Nash

    I worry that this is only the first of many we will find in the future – I am willing to bet this was manufactured in China where they have a long history of launching cyber attacks.

    Embedding at the manufacturing level is a much simpler way to invade computer systems.

    1. bob

      “they have a long history of launching cyber attacks”? Who’s “they”?

      Every country has a long history of launching cyber attacks. USA probably has the longest (thank you, Mr.Morris).

      Or by “they” do you mean the Chinese government? You’re accusing a foreign power of attempting to hack computers on no evidence at all?

  2. Moike

    This highlights a problem in general – customers can only have blind trust in installation software distributed with a new device. If something was planted by ‘bad guys’, it would be custom written, and therefore would not show up on AV scans. There is no way to check software before installation. ‘Bad guys’ have enough of an incentive to plant employees in manufacturing locations.

    And of course, the Mac and Linux are susceptible to this also – if you need to install a driver to use your new device, you have no choice but to sudo-install it and you’re owned just like the Windows boxes.

    1. DeppityBob

      I’ve never once had to use sudo to install a driver.

  3. TFBW

    Apropos of the original article, the software didn’t ship with the USB charger device, strictly speaking. Both the Symantec and CERT reports indicate that the software was optional, and available for download from Energizer. This was not an “autorun” issue.

    Apropos of comments by “Mike Nash” and “bob” above, there is actually a link to China in this case, although not a conclusive one. According to the CERT report, the suspicious DLL has language metadata specifying “Chinese (PRC)”.

    Apropos of the comment by “Moike”, Linux is blessed by the fact that few device manufacturers bother to provide device drivers for Linux! Your scenario of “sudo-install” is generally impractical, and rarely used. Most device support comes from direct kernel contributions, where it’s somewhat harder to slip in a back door of this sort. Security-conscious folks insist on Open Source for that reason.

    1. BrianKrebs Post author

      TFBW — The U.S. CERT advisory says, first sentence: “The software included with the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.” The very next sentence in that advisory reads: “An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website.”

      1. WD

        The US-CERT vulnerability note has been updated to correct this.

      2. kurt wismer

        as an owner of one of these devices i can confirm that the software did not come with it. the device does go out of it’s way to direct people to the energizer website to download the software, however.

        1. BrianKrebs Post author

          Ah. Good to know thanks for the clarification, fellas. I’ve updated the first sentence of this blog to reflect that.

    2. BrianKrebs Post author

      @TFBW- You said this was not an autorun issue. True, on the USB battery charger item. However, the “autorun” reference in the penultimate paragraph of this story was setting up the last paragraph, which involved autorun-enabled malware that was loaded when the HTC phone user plugged the phone into a computer using a standard USB connector.

  4. Bruce Mc Donald

    Have you read the really really fine print on your energizer AA and AAA rechargeabls? There 1.2 volts!! Not 1.5 . Is that even legal! I think this is why my camera autofocus motor burned out and might explain charger burnout as well.
    ps: luv the site thanks

  5. Bruce Mc Donald

    Also it definatly explains why there so gutless someone should start a class suit for a recall or refund.

Comments are closed.