Modernizing Authentication — What It Takes to Transform Secure Access
The United States Computer Emergency Readiness Team (CERT) is warning consumers that downloadable software commonly used with the Energizer DUO USB battery charger contains a Trojan that hackers can exploit to commandeer Windows-based PCs.
The installer for the Energizer DUO software, which lets users view the battery's charging status, places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory. According to the CERT advisory posted Friday, the Arucer.dll file is a backdoor that can be used remotely for unauthorized access to the user's PC.
CERT officials said this backdoor vulnerability makes it possible for hackers to list directories, send and receive files, and execute programs.
"The backdoor operates with the privileges of the logged-on user," CERT said in the warning.https://l1.cdn.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Energizer has discontinued sale of this product and has removed the site to download the software," the battery-maker said in a statement. "Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software."
Energizer added that it is also advising customers who downloaded the Windows version of the software to uninstall or otherwise remove the software from their computers.
Security software vendor Symantec said it appears users who opted to download the battery charging status software were vulnerable to attack since the product was first released in 2007.
"This may mean that fewer people installed it than bought the charger," Symantec said in a blog posting "Whether this Trojan functionality was intended or not is unclear, but if it is intended behavior it would be very suspicious; I certainly wouldnt want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location."
This isn't the first time that hackers have discovered an entrée to users' machines via a device connecting to USB ports and drives.
In December, Symantec competitor McAfee released three new applications designed to shore up defenses against attacks using mobile phones, USB sticks, and laptops to access enterprise data networks.