Energizer DUO USB battery charger software allows unauthorized remote system access
Vulnerability Note VU#154421
Original Release Date: 2010-03-05 | Last Revised: 2010-04-15
The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.
Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a dialog similar to the following is displayed:
If the user selects "Unblock," then the system will be at risk. Also note that if the application is unblocked, this will cause Windows to add rundll32.exe to the Windows Firewall exceptions list. This means that any DLL that is executed through the rundll32.exe mechanism will be excluded from the Windows Firewall, regardless of the DLL or port used.
The backdoor capabilities include the ability to list directories, send and receive files, and execute programs. The hash information for the file is MD5: 1070be3e60a1868d2cd62fc90d76c861 SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad
An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.
Remove the Energizer UsbCharger software
Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.
Remove the Arucer.dll file
The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, Windows may need to be restarted before this file can be removed.
Remove "Run DLL as an App" exclusion from the Windows Firewall
If the user unblocks Run DLL as an App (rundll32.exe) from the Windows Firewall, the exclusion will remain after the Energizer UsbCharger software has been uninstalled. To restore the firewall to the previous state, the "Run a DLL as an App" entry should be removed from the exclusions list.
Block or restrict network access
Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that "Run a DLL as an APP" has been blocked by the Windows Firewall.
The following Snort rules can be used to detect network traffic related to this backdoor: