By Cara Garretson
Malware can find its way onto PCs from some pretty surprising places.
In December, the maker of a webcam delivered CDs with the device that sent customers to Web sites infected with malware parading as antivirus software. Last Friday, the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) issued a bulletin warning of a vulnerability found in a USB battery charger made by Energizer that, once connected to a PC, allows for remote access.
Energizer's DUO battery charger includes a USB connection to a PC and lets customers download a Windows application for viewing the battery's charging status. When this application is installed, it places a file called Arucer.dll in the Windows system32 directory, along with other files in other directories. According to US-CERT, that file -- which is configured to run automatically whenever Windows starts -- contains a backdoor that allows unauthorized access from remote systems.
Arucer.dll listens for commands on port 7777 and can list directories, send and receive files, and execute programs, the US-CERT bulletin says. An intruder using this backdoor for unauthorized access to a system would have the same user rights as the person logged in to the PC.
US-CERT says that removing the USB charger software will remove the registry value causing the backdoor to execute whenever Windows starts. The Arucer.dll file will remain in the system32 directory, but the code-executing mechanisms will no longer be present.
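The two indicators the bulletin gives -- a process listening on TCP port 7777, and an autorun registry value that loads Arucer.dll from system32 -- are easy to check from exported system data. The script below is an added example written for this article; it is not code from US-CERT, Energizer or Symantec. It parses Windows `netstat -ano` style output and a list of autorun entries (both constructed samples here, not captured from a real machine), and classifies a host as "active", "residual" (DLL left on disk after the uninstall described above, but no longer registered to run) or "clean". The autorun value name and command form in the sample are assumptions; the bulletin names the file and the port, not the registry value.

```python
"""Defender-side check for the Arucer.dll backdoor indicators described in the US-CERT bulletin.

Inputs are plain text / lists so the check runs offline against exported data.
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass

BACKDOOR_PORT = 7777           # listening port named in the US-CERT bulletin
BACKDOOR_DLL = "arucer.dll"    # file name named in the bulletin (compared case-insensitively)

# Regex for Windows `netstat -ano` rows: Proto, Local, Foreign, [State], PID.
# UDP rows have no State column, so that group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)

# Constructed sample of `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.5:49152      93.184.216.34:443      ESTABLISHED     2240
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# Constructed autorun entries as (value name, command) pairs, in the shape an
# autorun-inventory export might give. The "EnergizerCharger" name and the
# rundll32 command form are assumptions, not values taken from the bulletin.
SAMPLE_AUTORUNS = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("EnergizerCharger", r"rundll32.exe C:\Windows\system32\Arucer.dll"),
    ("OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]


@dataclass(frozen=True)
class Finding:
    kind: str     # "listener" or "autorun"
    detail: str


def find_backdoor_listener(netstat_text: str, port: int = BACKDOOR_PORT) -> list[Finding]:
    """Return one Finding per TCP socket in LISTENING state on the backdoor port."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header line or unexpected format
        proto, local_addr, local_port, _foreign, state, pid = m.groups()
        if proto == "TCP" and int(local_port) == port and state == "LISTENING":
            findings.append(Finding("listener", f"PID {pid} listening on {local_addr}:{port}"))
    return findings


def find_backdoor_autorun(entries: list[tuple[str, str]], dll_name: str = BACKDOOR_DLL) -> list[Finding]:
    """Return one Finding per autorun entry whose command references the backdoor DLL."""
    return [
        Finding("autorun", f"{name}: {command}")
        for name, command in entries
        if dll_name in command.lower()
    ]


def assess(netstat_text: str, entries: list[tuple[str, str]], dll_on_disk: bool) -> str:
    """Classify a host from the two indicators plus whether Arucer.dll is still in system32.

    "active":   registered to run at boot and/or currently listening on the port.
    "residual": the file is still on disk but nothing registers or runs it
                (the state US-CERT describes after removing the charger software).
    "clean":    neither indicator and no file on disk.
    """
    if find_backdoor_listener(netstat_text) or find_backdoor_autorun(entries):
        return "active"
    return "residual" if dll_on_disk else "clean"


if __name__ == "__main__":
    for f in find_backdoor_listener(SAMPLE_NETSTAT) + find_backdoor_autorun(SAMPLE_AUTORUNS):
        print(f"[{f.kind}] {f.detail}")
    print("verdict:", assess(SAMPLE_NETSTAT, SAMPLE_AUTORUNS, dll_on_disk=True))
```

A listener on 7777 by itself is not proof of this backdoor, since other software can use that port; the verdict is worth trusting only when the listener is corroborated by the autorun entry or the file in system32, which is why the check reports both indicators rather than either alone.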
Symantec says the Arucer.dll file is a Trojan that starts every time the infected PC is booted, and has added it to its detection profiles as Trojan.Arugizer. The security vendor, which analyzed the file it received from US-CERT, suspects the Trojan has been a part of Energizer's DUO battery charger software for quite a while.
"We were interested in finding out how long this file had been available to the public. The compile time for the file is May 10, 2007. It is impossible to say for sure that this Trojan has always been in this software, but from our initial inspection it appears so," says a March 5 blog post on the Symantec site. "We also suspected that the entire file may have been inserted into the package without the creator's knowledge, but upon closer inspection we discovered the DLL checks" specifically for the Energizer charger.
Symantec also notes that the Trojan operates whether or not the device is attached to the USB connection, meaning that even when the battery charger is unplugged the backdoor is open.
On the brighter side, Symantec points out that since the malicious software is a separate download from the USB charger, perhaps not everyone who bought the device has also installed the application and made themselves vulnerable. The security vendor also questions whether the backdoor was intentional.
"Whether this Trojan functionality was intended or not is unclear, but if it is intended behavior it would be very suspicious; I certainly wouldn't want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location," says Symantec.