Software Engineering Institute

Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a dialog similar to the following is displayed:

If the user selects "Unblock," then the system will be at risk. Also note that if the application is unblocked, this will cause Windows to add rundll32.exe to the Windows Firewall exceptions list. This means that any DLL that is executed through the rundll32.exe mechanism will be excluded from the Windows Firewall, regardless of the DLL or port used.

The backdoor capabilities include the ability to list directories, send and receive files, and execute programs. The hash information for the file is
MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

The file details for Arucer.dll are

--a-- W32i   DLL CHS         1.0.0.1 shp     28,672 05-10-2007 arucer.dll
        Language        0x0804 (Chinese (PRC))
        CharSet         0x04b0 Unicode
        OleSelfRegister Disabled
        CompanyName
        FileDescription Arucer DLL
        InternalName    Arucer
        OriginalFilenam Arucer.DLL
        ProductName     Arucer Dynamic Link Library
        ProductVersion  1, 0, 0, 1
        FileVersion     1, 0, 0, 1
        LegalCopyright  ???? (C) 2006
        LegalTrademarks

        VS_FIXEDFILEINFO:
        Signature:      feef04bd
        Struc Ver:      00010000
        FileVer:        00010000:00000001 (1.0:0.1)
        ProdVer:        00010000:00000001 (1.0:0.1)
        FlagMask:       0000003f
        Flags:          00000000
        OS:             00000004 Win32
        FileType:       00000002 Dll
        SubType:        00000000
        FileDate:       00000000:00000000

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

Remove the Energizer UsbCharger software

Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.

Remove the Arucer.dll file

The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, Windows may need to be restarted before this file can be removed.

Remove "Run DLL as an App" exclusion from the Windows Firewall

If the user unblocks Run DLL as an App (rundll32.exe) from the Windows Firewall, the exclusion will remain after the Energizer UsbCharger software has been uninstalled. To restore the firewall to the previous state, the "Run a DLL as an App" entry should be removed from the exclusions list.

Block or restrict network access

Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that "Run a DLL as an APP" has been blocked by the Windows Firewall.

The following Snort rules can be used to detect network traffic related to this backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; sid:1000007; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; sid:1000009; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; sid:1000010; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; sid:1000011; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; sid:1000012; rev:2;