On March 5, 2010, Energizer and US-CERT announced that some consumer Energizer DUO USB battery chargers had shipped with a malicious software trojan. The hardware device is used to charge Nickel Metal Hydride (NiMH) batteries from both a wall outlet and USB connection. The charger includes Windows software to allow the user to view the battery charging status when connected to a PC via USB. This software was found to contain malware.
Here is the ThreatExpert report for a sample of this trojan with an MD5 of 3f4f10b927677e45a495d0cdd4390aaf.
The installer software places a file named "usbcharger.dll" in the applications directory and "arucer.dll" in the Windows system32 directory.
The trojan modifies the registry by adding itself to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
The trojan also spawns a listener on port 7777/tcp. This is a bit curious, because widespread firewalling and NAT have pushed the authors of backdoor trojans to adopt a connect-back or reverse-shell approach. A listener on 7777/tcp would typically be accessible only from within the local network, and even then only after the trojan has punched a hole in the host firewall found on more recent Windows platforms.
The capabilities of this trojan include the ability to:
- List directories
- Send and receive files
- Execute programs
- Delete files
The decompiled .dll that is installed indicates the origins may be Chinese:
    --a-- W32i DLL CHS 1.0.0.1 shp 28,672 05-10-2007 arucer.dll
        Language         0x0804 (Chinese (PRC))
        CharSet          0x04b0 Unicode
        OleSelfRegister  Disabled
        CompanyName
        FileDescription  Arucer DLL
        InternalName     Arucer
        OriginalFilenam  Arucer.DLL
        ProductName      Arucer Dynamic Link Library
        ProductVersion   1, 0, 0, 1
        FileVersion      1, 0, 0, 1
        LegalCopyright   ???? (C) 2006
        LegalTrademarks
A mutex name also suggests a possible Chinese origin:
liuhong-061220
The purpose of the backdoor and how it was included in the distributed software were not disclosed.
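The host indicators described above (arucer.dll in system32, a Run key entry, and a listener on 7777/tcp) can be checked against evidence collected from a suspect machine. The following is an added example, not code from the original post or from any vendor; it assumes text saved from `netstat -ano` and `reg query` plus a file listing, and the sample evidence, value names and command line in it are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators stated in the article above.
DLL_NAME = "arucer.dll"   # dropped into the Windows system32 directory
LISTEN_PORT = 7777        # TCP listener spawned by the trojan

def listeners(netstat_text, port=LISTEN_PORT):
    """PIDs holding a TCP socket in LISTENING state on `port` (`netstat -ano` layout)."""
    pids = []
    for line in netstat_text.splitlines():
        f = line.split()
        if (len(f) == 5 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == str(port)):
            pids.append(int(f[4]))
    return pids

def run_key_hits(reg_text, needle=DLL_NAME):
    """Names of Run-key values whose data mentions `needle` (`reg query` layout)."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(\S.*?)\s+(REG_\w+)\s+(.*)$", line)
        if m and needle in m.group(3).lower():
            hits.append(m.group(1))
    return hits

def dropped_dlls(paths, needle=DLL_NAME):
    """Paths named `needle` whose parent directory is system32 (case-insensitive)."""
    out = []
    for p in paths:
        w = PureWindowsPath(p)
        if w.name.lower() == needle and w.parent.name.lower() == "system32":
            out.append(p)
    return out

# Constructed sample evidence (not captured from a real host).
NETSTAT = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:49712     203.0.113.5:7777       ESTABLISHED     4100
"""
RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe"
    ExampleLoader    REG_SZ    rundll32.exe C:\WINDOWS\system32\Arucer.dll,Arucer
"""
FILES = [r"C:\WINDOWS\system32\Arucer.dll", r"C:\Temp\arucer.dll.txt"]

if __name__ == "__main__":
    print(listeners(NETSTAT), run_key_hits(RUN_KEY), dropped_dlls(FILES))
```

A listener on 7777/tcp alone is weak evidence, since other software may use that port; the Run key and system32 hits are what tie a host to this sample.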
The disclosure from Energizer was soon followed by another report of compromised consumer electronic equipment. On March 8, 2010, Panda Security's Research blog reported that they had received a new Vodafone HTC Magic with Google's Android OS that was infected with Butterfly Bot (a.k.a. Mariposa). In addition, it was reported that the handset contained Conficker and a password stealer identified as "Lineage". The infected Vodafone handset was reported to be an isolated incident; however, Panda subsequently reported that Spanish security outfit S21sec had also obtained a compromised HTC Magic handset directly through Vodafone's website. Vodafone has recently confirmed shipping at least 3000 handsets with Mariposa.
Of course, this is not the first time consumer electronics devices have reached consumers with malicious software. Digital music players have shipped with Windows viruses. New hard drives come with trojans. Digital picture frames get bundled with trojans. Compact discs have been intentionally sold with rootkits. It is important to remember that any device or removable media could be used to store malicious code.