A USB charger from Energizer uses software that contains a Trojan, according to US-CERT. The software was apparently developed outside the U.S. and may have been giving hackers access to PCs since 2007. An analyst said trust in the Energizer bunny may have led many consumers to install the DUO USB charger malware even with a warning.


Some Windows PC users may hope the Energizer bunny didn't keep going and going. It turns out the Energizer DUO USB battery charger is a vehicle for attacks on PCs, according to the Department of Homeland Security's Computer Emergency Readiness Team.

US-CERT researchers said Friday that the software that installs with the Energizer charger contains a Trojan horse that gives malicious hackers a back door into Windows machines.

"An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user," US-CERT said. "Removing the Energizer USB charger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts."

A Trusted Source

Although the fix seems relatively easy for consumers who are aware they have been infected, the path in was also straightforward. Rob Enderle, principal analyst at the Enderle Group, said consumers were probably not expecting the Energizer software to carry a malicious payload.

"Typically in a Windows 7 or even a Windows Vista install, if you mess around with ports you should get a warning," Enderle said. "Because consumers got the software from a trusted source, chances are you'll bypass the warning and go ahead and install it because you think you are only installing the battery monitor. This is a nasty piece of work."

Enderle questioned the origin of the software, noting that Trojans seem to make their way into programs when the software is developed outside the U.S. Chances are, he said, the software was developed in China or some other foreign country.

What's So Unusual?

Symantec also investigated the Energizer malware and discovered that the Trojan listens for commands on port 7777. That by itself is not so unusual, the company said, but Symantec researchers were surprised that the file was being distributed by Energizer as part of a USB charger-monitoring software package.
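
A defender's check for the indicator Symantec reports above, a listener on TCP port 7777, written as an added example rather than code from US-CERT, Symantec or this article. It parses `netstat -ano` output; the sample text, addresses and PIDs are constructed, and English-language state names are assumed.

```python
"""Flag TCP sockets bound to local port 7777 in `netstat -ano` output."""
from typing import NamedTuple

BACKDOOR_PORT = 7777  # port the article says the Trojan listens on


class Hit(NamedTuple):
    state: str
    local: str
    remote: str
    pid: int


def local_port_hits(netstat_text: str, port: int = BACKDOOR_PORT) -> list:
    """Return TCP rows whose *local* port equals `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns: Proto, Local, Foreign, State, PID.
        # Headers and UDP rows (no State column) are skipped.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, local, remote, state, pid = fields
        # rpartition keeps bracketed IPv6 addresses such as [::]:7777 intact.
        local_port = local.rpartition(":")[2]
        if local_port.isdigit() and pid.isdigit() and int(local_port) == port:
            hits.append(Hit(state, local, remote, int(pid)))
    return hits


def summarize(hits: list) -> dict:
    """Separate the listening process from peers currently connected to it."""
    return {
        "listener_pids": sorted({h.pid for h in hits if h.state == "LISTENING"}),
        "connected_peers": sorted({h.remote for h in hits if h.state == "ESTABLISHED"}),
    }


# Constructed sample output (assumption: English Windows, `netstat -ano`).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2412
  TCP    [::]:7777              [::]:0                 LISTENING       2412
  TCP    192.168.1.20:7777      203.0.113.77:51544     ESTABLISHED     2412
  TCP    192.168.1.20:50112     198.51.100.9:7777      ESTABLISHED     3100
  TCP    192.168.1.20:57777     198.51.100.9:443       ESTABLISHED     3100
  UDP    0.0.0.0:7777           *:*                                    1500
"""

if __name__ == "__main__":
    print(summarize(local_port_hits(SAMPLE)))
```

A hit is a lead for triage rather than confirmation, since other software can bind the same port; the PID identifies which process to examine.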

Symantec wanted to know how long the file was available to the public. The compile time for the file is May 10, 2007. Although it's impossible to say that the Trojan has always been in this software, Symantec's initial inspection leans toward this conclusion. Symantec also discovered the file was inserted into the package with the creator's knowledge and the USB charger doesn't need to be plugged in for the Trojan to be functioning.

"We also saw from the manufacturer's web site that the software is not distributed with the physical USB charger itself and, instead, it must be downloaded separately from the site. This may mean that fewer people installed it than bought the charger," said Liam Murchu of Symantec. "Whether this Trojan functionality was intended or not is unclear, but if it is intended behavior it would be very suspicious; I certainly wouldn't want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location."
 