Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]

from the keeps-going-and-going-and-going dept

Update: As lots of folks are pointing out in the comments, this appears to have been included by some third party or disgruntled employee or something, rather than Energizer itself. Energizer has recalled the products and is investigating. Apologies for suggesting that this may have been intentional on Energizer's part. The original post follows:

Someone, who prefers to remain anonymous, alerts us to the news that Symantec has discovered that a USB battery charger from Energizer installs a dangerous rootkit after installing the required driver. You would think that legit companies would know better than to install a secret rootkit after the Sony rootkit fiasco from a few years back. This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer. Not exactly the kind of stuff you want installed on your computer. The Energizer Bunny might keep going and going and going, but there are some things it's not supposed to do...

Filed Under: rootkit, security, usb battery charger
Companies: energizer


Reader Comments

  • Anonymous Coward, 12 Mar 2010 @ 6:43am

    The fun part

    Is that you don't need the proper drivers to draw energy from a usb port.

    • :Lobo Santo (profile), 12 Mar 2010 @ 6:45am

      Re: The fun part

      Correct! Man, people are just such suckers.

      • lavi d (profile), 12 Mar 2010 @ 8:29am

        Who Owns Your Computer?

        ...you don't need the proper drivers to draw energy from a usb port.

        As a long time Linux user, I've never used the software that comes with USB devices - camera, printer, MP3 player.

        I was amused to find that every one of these applications, when properly installed on Windows machines, finds some way to spam the user. In the case of Kodak, it sends every picture the user emails wrapped in a big advertisement for Kodak products.

        Nice...

    • ChimpBush McHitlerBurton, 12 Mar 2010 @ 11:07am

      Re: The fun part

      PEOPLE:

      SANDBOXIE.COM

      CHECK IT BEFORE YOU WRECK IT.

      ROOTKIT SHMOOTKIT.

      CBMHB

      • 7ru7h, 13 Mar 2010 @ 5:05pm

        Re: Re: The fun part

        That's all well and good if you have a 32bit system, but those of us with 64bit systems are SOL in that regard...

  • Anonymous Coward, 12 Mar 2010 @ 6:49am

    I think it's a case of the installer being infected, rather than intentionally put there by the company. It's not that Energizer wants to use their charger software to control your computer, it's that they're completely incompetent and got infected in production. "Never attribute to malice that which can be adequately explained by stupidity."

    More interesting, is the malevolent DLL (Arucer.dll) is almost an anagram of "Duracell"

    • A Dan (profile), 12 Mar 2010 @ 7:19am

      Re:

      The devices themselves aren't infected. This infection is in the driver package that you can (could?) download from the website. From the article:

      "We also saw from the manufacturer’s website that the software is not distributed with the physical USB charger itself and instead it must be downloaded separately from the site"

    • Jon B., 12 Mar 2010 @ 8:50am

      Re:

      It is an anagram of Duracell®

  • Anonymous Coward, 12 Mar 2010 @ 6:53am

    I wonder if this battery has a hidden camera that can be remotely activated?

  • NAMELESS.ONE, 12 Mar 2010 @ 7:03am

    now think about rsa power cracking

    hrmmmm

  • senshikaze (profile), 12 Mar 2010 @ 7:07am

    why?
    i mean, WHY?

    What the fuck is the point in this? are companies full of damned idiots?

  • Spaceman Spiff (profile), 12 Mar 2010 @ 7:14am

    @senshikaze
    "What the fuck is the point in this? are companies full of damned idiots?"

    The short answer? Yes.

    • :Lobo Santo (profile), 12 Mar 2010 @ 7:17am

      Re: "full of idiots?"

      Yeah, gotta agree with you there.

      Certainly there are a few bright, reliable, well-intentioned talented individuals who do good work repeatedly; but they are a definite minority.

  • Brooks (profile), 12 Mar 2010 @ 7:21am

    Ugh. The Techdirt decline continues.

    Ok, I can deal with the constant breathless outrage over the stupid things media companies do. And I can deal with the sometimes over-clever hindsightical analysis of PR blunders that lawyers and companies make.

    But this? Really? A quality control and PR disaster for Energizer, sure. A lesson in the dangers of outsourcing software development? Sure.

    But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?

    That's just flat out dishonest, Mike. Either produce some evidence that it was intentional, which nobody but you has suggested, or take a deep breath and consider the possibility that not every corporate mistake is with malicious intent.

    • PaulT (profile), 12 Mar 2010 @ 7:27am

      Re: Ugh. The Techdirt decline continues.

      Please explain. You said:

      "But an intentionally nefarious move designed to mess with consumers?"

      The article you're responding to says (backed up by the linked article):

      "This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer."

      How in blue f*ck is it not intentionally nefarious? What other possible reason could there be for remote command execution capability in a driver for a device that does not actively need to interact with the computer?

      • sysadmn, 12 Mar 2010 @ 7:33am

        Re: Re: Ugh. The Techdirt decline continues.

        The "intentionally nefarious" refers to Energizer's intentions. It doesn't seem likely that they slipped the trojan dll into the package. Sure, they're responsible, since they are distributing it, but there is a difference between negligence and "intentionally nefarious".

        • RD, 12 Mar 2010 @ 7:55am

          Re: Re: Re: Ugh. The Techdirt decline continues.

          Sure, they're responsible, since they are distributing it, but there is a difference between negligence and "intentionally nefarious".

          Not from the perspective of the CONSUMER. To the consumer, who got this thing FROM Energizer, whether it was "intentional" or not is irrelevant. It's got a rootkit, it comes from Energizer itself, therefore it's nefarious/unwanted/unneeded/bad. We can argue about how this happened, but it's still Energizer's FAULT from the point of view of the consumer.

          Period.

          Full stop.

          End of line.

          QED.

          • Brooks (profile), 12 Mar 2010 @ 8:58am

            Re: Re: Re: Re: Ugh. The Techdirt decline continues.

            Nobody but you is talking about FAULT. This entire post (read it again) is about intent, and Mike ascribes intentionality ("you would think legit companies would have learned") where there is only negligence and clumsiness. It's sloppy thinking at best, and more than a little dishonest.

            • Anonymous Coward, 12 Mar 2010 @ 1:49pm

              Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.

              The problem is that then any action done by any corporation can be deemed "sloppy behavior" by employees and not the corporation itself. How do we determine the difference?

              • Anonymous Coward, 12 Mar 2010 @ 1:54pm

                Re: Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.

                Where do we draw the line between, "it's the employees" vs "it's the corporation itself." Isn't the corporation composed of employees? I understand that sometimes employees do wrong things and that one shouldn't always directly criminalize top management for the actions of employees (and it's even worse to criminalize Google executives for the actions of their users), provided that management took reasonable steps to ensure malicious behavior isn't a problem and didn't contribute or encourage such behavior, but where do we draw the line between the corporation and its members? When the stock holders do something wrong? When the CEO? The CFO? When 5 percent of the corporation acts maliciously towards their customers? 10 percent? Where exactly?

      • Brooks (profile), 12 Mar 2010 @ 8:53am

        Re: Re: Ugh. The Techdirt decline continues.

        As others have noted, while Energizer shipped the software, nobody thinks for a second that the inclusion of the rootkit was intentional or corporate policy. That's in contrast to Sony and other DRM abuse cases which were clearly designed and implemented as policy.

        The *rootkit* is malicious, of course. Energizer, as a company, was the victim of a sloppy or malicious contractor as well as their own negligence. Surely you can see the distinction there?

    • rpk!!, 12 Mar 2010 @ 7:28am

      Re: Ugh. The Techdirt decline continues.

      Is accidental release of a rootkit that much better? I don't see Energizer as an innocent bystander whether the release was intentional or not! Don't they have some sort of obligation (if not moral, then an interest in not losing customers) to make sure their products are safe to use?

      • Anonymous Coward, 12 Mar 2010 @ 9:05am

        Re: Re: Ugh. The Techdirt decline continues.

        Finding malicious code isn't as easy as many people would like to believe. If you're building it yourself there are steps you can take (peer review, version control, etc) to minimize the chances of something slipping in, but this DLL was bought from someone else, which isn't surprising considering that Energizer isn't in the software business. And finding it afterwards is really hard -- there's a whole Industry built around doing just that. Energizer is responsible for alerting customers and removing the offending code (which they've done), but it's hard to even fault them with negligence here.

    • Technopolitical (profile), 12 Mar 2010 @ 7:49am

      Re: Ugh. The Techdirt decline continues.

      "But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?"

      Not the point of Mike's post as I see it.

      The point as stated in the source article:
      "I certainly wouldn’t want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location."

      That is the big deal.

  • Anonymous Coward, 12 Mar 2010 @ 7:22am

    What evidence is there that this was intentional on the part of Energizer? I have seen none and the article linked doesn't seem to assign blame.

  • Anonymous Coward, 12 Mar 2010 @ 7:25am

    I don't think that's a "root kit"; sounds more like a TROJAN to me. I'd at least like to think that a technology site at least knew how to classify their malicious software. This is old news btw.

    • interval, 12 Mar 2010 @ 8:31am

      Re:

      The exploit is a trojan, this story first appeared on /.

      You don't need the software to use the recharger. I don't really know much other than that; for an "informed opinion" I would guess that it went down like this: Energizer is populated with pre-internet execs; some bright star in the R&D group said "Hey, why don't we pop out this usb recharger, it will cost almost nothing to develop, and we can include it in all kinds of special projects, giveaways, promotions, etc." The execs said "Sure, anything that promotes Energizer is good." Then a salesman from a third party got involved with this "new project" from Energizer and said "Hey! We'd like to produce software for your new little dongle thingy there." And the execs thought "USB == pc == software. We need software for this new product. Ok." So the third party sniffed around E. Europe or Asia for anything they could quickly pack into the package because this particular dongle DOESN'T REQUIRE ANY. Doesn't matter what the software does. All they needed to do was deliver "software" to Energizer to make a buck. This bundle was no doubt in my mind almost 100% profit for them. Energizer, not being a software company, probably gave the bundle little (if any) QA, and voilà! Trojan delivery system.

  • Steve R. (profile), 12 Mar 2010 @ 7:30am

    Belkin - Bad

    We had a Belkin UPS that went bad. The good news is that Belkin honored its warranty and replaced the unit. The BAD news, Belkin had modified the (new) UPS model so that you would have to use THEIR software instead of the regular windows power management software.

    It took several hours of frustrating tweaking before I figured it out. Of course the UPS documentation never mentioned the little detail that the ability of the UPS to work directly with Windows was "disabled".

  • Chronno S. Trigger (profile), 12 Mar 2010 @ 8:04am

    I stumbled upon this the other day

    I'll probably never find the article again so you can choose to believe or disbelieve anything I say.

    From what I read, the root kit wasn't supposed to be there, it was a hack and was only on a select few of the chargers. They have recalled the affected lots and will be replacing them with working ones. This was from a representative of Energizer, so I doubt it's the full truth, if any at all.

  • Anonymous Coward, 12 Mar 2010 @ 8:04am

    So is this from one of those useless software CDs that come in the package? Never ever, ever install any software from a hardware product! Never!

  • Lion XL, 12 Mar 2010 @ 8:06am

    To be clear, the article makes no assertion that this was a rootkit. It calls it what it is, a Trojan. Rootkits and Trojans are very different, as everyone here should know by now.

    Mike are you reading???.....

    Not to say Energizer isn't a cluster fuck of a company, for letting this out. But shit happens....

  • Neil (SM), 12 Mar 2010 @ 8:13am

    Not intentional

    This appears to be the work of a rogue employee somewhere along the parts chain. Energizer is recalling the devices and claims to have had no idea about the problem.

    http://phx.corporate-ir.net/phoenix.zhtml?c=124138&p=irol-newsArticle&ID=1399675&highlight=

    http://consumerist.com/2010/03/energizer-duo-exploit.html

  • Anonymous Coward, 12 Mar 2010 @ 8:22am

    Sorry guys, you can't get one as a gift for your boss. It's discontinued :-(

    Energizer discontinued the device earlier this month. Still, it was introduced in 2007, and you have to think there may be a lot of vulnerable systems out there.

    http://www.prnewswire.com/news-releases/energizer-announces-duo-charger-and-usb-charger-software-problem-86672072.html

    I'm off to eBay...

  • SomeGuy (profile), 12 Mar 2010 @ 9:17am

    Disappointed

    I have to say I'm really disappointed in this post, Mike, mostly because of the reference to the Sony Rootkit. With Sony, they intentionally placed software on their CDs to enforce DRM, and then hid it with a rootkit. Sony was fully aware of what they did and fully intended the software to function as it did. In Energizer's case, they've been the victim of a disgruntled or rogue employee (or a shady company, I'm not clear on that detail) and were unknowingly saddled with malicious code. Whether that code was "necessary" to run the device or not (it wasn't) is a moot point, Energizer is essentially innocent here, and is responsible only for alerting their customers and removing the offending code, which they've done.

    There was no malicious intention with Energizer, and missing that point (and in fact strongly implying otherwise) hurts your credibility.

  • Mike Masnick (profile), 12 Mar 2010 @ 9:58am

    Updated

    Hey guys, added an update explaining that it was not Energizer's official doing. Apologies for implying otherwise.

    • Anonymous Coward, 12 Mar 2010 @ 11:28am

      Re: Updated

      ...Now if we could get you to stop calling it a Rootkit just to create a catchy title and make the association with Sony.

      It's not a rootkit. Hell, the word "rootkit" doesn't even appear on the page you linked to. It's simply a Trojan.

      Yes, there is a difference and it does matter. I guess it's just not as easy to link Energizer with the Sony rootkit with an accurate title like "Energizer lets malware slip into its software".

    • Anonymous Coward, 12 Mar 2010 @ 11:32am

      Re: Updated

      Your article also implies that the USB device itself launches malware, which is incorrect. The software was not contained on the USB device, and is not necessary to use the product.

      Also very misleading.

  • ECA (profile), 12 Mar 2010 @ 10:18am

    I looked at this device.

    1. the program is supposed to tell you when the Batteries are charged.
    2. That's nothing, as it's TIMED, not really a charge CONTROL program as you can't Vary the voltage or check the battery.
    3. GET A REAL SMART CHARGER, they are $30 at amazon from La Crosse Tech..
    4. ANY of the chargers at the store are CRAP. They work on a timer for the charge. They can't even tell you if the battery is ALREADY charged.

    • Mr. Ambiguous, 12 Mar 2010 @ 10:52am

      Re: I looked at this device.

      5. Don't buy rechargeable batteries from Energizer. I have quite a few that won't take a charge anymore. All my Eneloops still work perfectly.

  • Pontifex (profile), 12 Mar 2010 @ 10:41am

    The Symantec page mentioned that the name "Liu Hong" appeared several times in relation to the DLL; it's possible that this is the name of the person who wrote it. Or the name of someone they don't like.

  • Spaceman Spiff (profile), 12 Mar 2010 @ 11:40am

    Ultimate responsibility

    Whether or not this was done purposely by Energizer, they are ultimately responsible for this fiasco, and should pay the price in cleanup of users' computers that got infected with this kit, and provide some tangible benefit (free batteries) for causing their customers to become at risk of serious security breaches.

  • Anonymous Coward, 2 Apr 2010 @ 9:21am

    It's them damn Chinese, they have been hacking-cloning-and stealing technology since way back!!

  • Anonymous Coward, 2 Apr 2010 @ 9:23am

    Hi Mom (grins real big)
