+1 for closed source proprietary software!

blur xc
March 8th, 2010, 06:49 PM
Software that can be downloaded for use with the Energizer DUO USB battery charger contains a backdoor that could allow an attacker to remotely take control of a Windows-based PC, Energizer and US-CERT is warning.

"The installer for the Energizer DUO software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory," the US-CERT said in an advisory on Friday. "Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Its capabilities include the ability to list directories, send and receive files, and execute programs."

http://www.pcworld.com/article/190990/the_energizer_duo_trojan_what_you_need_to_know.html

http://news.cnet.com/8301-27080_3-10465429-245.html

BM
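The advisory quoted above gives two host-side indicators: a listener on 7777/tcp and Arucer.dll dropped into the system32 directory. The following is an added example, not code from the thread, from US-CERT or from Energizer, showing how a defender would check both on a Windows host: the first function parses `netstat -ano` output for a LISTENING socket on the advisory's port, the second matches file paths against the DLL name and location. The netstat lines and file paths are constructed sample data, not a real capture.

```python
"""Added example (not from the thread or the advisory): host checks for the two
indicators US-CERT names, a 7777/tcp listener and Arucer.dll under system32."""
from pathlib import PureWindowsPath

# Port and DLL name as quoted from the advisory in the thread.
BACKDOOR_PORT = 7777
BACKDOOR_DLL = "arucer.dll"


def listening_on_port(netstat_lines, port=BACKDOOR_PORT):
    """Return (local_address, pid) for LISTENING TCP sockets bound to `port`.

    `netstat_lines` is the text of `netstat -ano` on Windows, one line per item.
    """
    hits = []
    for line in netstat_lines:
        parts = line.split()
        # Data rows have exactly: Proto  Local Address  Foreign Address  State  PID
        if len(parts) != 5 or parts[0].upper() != "TCP" or parts[3] != "LISTENING":
            continue
        local = parts[1]
        # Take the text after the last colon so IPv6 forms like [::]:7777 work too.
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if local_port == port:
            hits.append((local, int(parts[4])))
    return hits


def suspicious_dll_paths(paths, dll_name=BACKDOOR_DLL):
    """Return paths whose file name is the backdoor DLL (case-insensitive) and
    whose parent directory is system32, the location the advisory gives."""
    found = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == dll_name and wp.parent.name.lower() == "system32":
            found.append(p)
    return found


# Constructed sample data, not output from a real machine.
SAMPLE_NETSTAT = [
    "Active Connections",
    "",
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880",
    "  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2412",
    "  TCP    192.168.1.20:49152     203.0.113.5:443        ESTABLISHED     1764",
    "  UDP    0.0.0.0:5355           *:*                                    1100",
]
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\Arucer.dll",
    r"C:\Program Files\Energizer\UsbCharger.dll",
]

if __name__ == "__main__":
    print("listeners on 7777/tcp:", listening_on_port(SAMPLE_NETSTAT))
    print("backdoor DLL paths:", suspicious_dll_paths(SAMPLE_FILES))
```

The PID returned by the listener check is what you would feed into a process listing to confirm which binary holds the socket; a port match alone is only a lead, since any service could legitimately bind 7777.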

The Real Dave
March 8th, 2010, 06:53 PM
Did they really need software to show how much power was in the batteries? Surely some lights on the charger would do the same? Just more bloatware really

tjwoosta
March 8th, 2010, 06:57 PM
Yea, it's awesome not knowing what software is up to, isn't it.

The Toxic Mite
March 8th, 2010, 07:02 PM
http://www.pcworld.com/article/190990/the_energizer_duo_trojan_what_you_need_to_know.html

http://news.cnet.com/8301-27080_3-10465429-245.html

BM

Woop de doo(!)

V for Vincent
March 8th, 2010, 07:03 PM
Well, I prefer open source, but let's not overgeneralize here. Everybody makes mistakes.

MooPi
March 8th, 2010, 07:13 PM
Well, I prefer open source, but let's not overgeneralize here. Everybody makes mistakes.
I think we all know the first mistake is trusting anything on a Windows computer. You were being facetious? ;) Every day something new pops up that implicates a vendor screwing up or just plain being negligent or devious with executable Windows programs. There just doesn't seem to be any control over this aspect of a Microsoft OS.

RealG187
March 8th, 2010, 07:22 PM
Did they really need software to show how much power was in the batteries? Surely some lights on the charger would do the same? Just more bloatware really

I think it would be cool to know if it's done charging without having to look at it, like I can with my phone.

Funny, I hear that you can't accurately predict how much power standard AA batteries have (My Go Max (http://bestwikiever.wikidot.com/Go_Max) makes my PSP always say 100% because they claim it can't tell the real value)

tjwoosta
March 8th, 2010, 07:31 PM
Well, I prefer open source, but let's not overgeneralize here. Everybody makes mistakes.

Slipping in a backdoor is a bit more than a mistake.

gsmanners
March 8th, 2010, 07:54 PM
Here's some food for thought:


The Trojan may have been in the software since it was first offered three years ago, according to Symantec.

Nothing like having your barn door wide open for three years and not even knowing it.

blur xc
March 8th, 2010, 09:08 PM
Slipping in a backdoor is a bit more than a mistake.

That's the frustrating bit right there. You install software from what you think are *trusted* sources, but how do you ever know? I would have just thought Energizer was a trustworthy company. Maybe they had a disgruntled employee looking at a way to hurt the company, or to make a few bucks stealing personal information from random people.

Whenever you install closed source software, you NEVER know what you are really installing. I personally may not know what all the open source software on my computer is doing either, but I trust that there are enough random people looking at the source code that someone would blow the whistle before something malicious can make its rounds.

BM

audiomick
March 8th, 2010, 10:05 PM
Funny, I hear that you can't accurately predict how much power standard AA batteries have...
This is not true as such. Radio mics, for instance, have very usable power level indicators. They nearly all use standard AA batteries or rechargeables.

tgalati4
March 8th, 2010, 10:56 PM
Well that explains why they are so cheap. I picked up a couple for $2 each. But I don't use them on windows, just for charging off of my ubuntu machines.

I hope the hardware doesn't contain a USB trojan!

RealG187
March 9th, 2010, 04:52 AM
Whenever you install closed source software, you NEVER know what you are really installing.

Weird, because open source seems like it would be vulnerable because if a hacker has the code to a program, they can know its vulnerability. But ya I guess it works the other way around too...


This is not true as such. Radio mics, for instance, have very usable power level indicators. They nearly all use standard AA batteries or rechargeables.

Ya, I have MP3 players that have power meters. They are mostly accurate (sometimes if I have dead batteries at 1 bar and then I turn it on again after a while I'll have two bars again). Datel could have at least made a guess...


Well that explains why they are so cheap. I picked up a couple for $2 each. But I don't use them on windows, just for charging off of my ubuntu machines.

I hope the hardware doesn't contain a USB trojan!

I don't think a Trojan in the software would lower the cost of the hardware. Like I said I think it would be cool to have it display the battery life on the computer screen...

witeshark17
March 9th, 2010, 05:49 AM
Let's not forget that the architecture of certain OS's makes such software "extras" easier to install.

tjwoosta
March 9th, 2010, 06:06 AM
Weird, because open source seems like it would be vulnerable because if a hacker has the code to a program, they can know its vulnerability. But ya I guess it works the other way around too...


The thing is EVERYBODY has access to the source code, not just black but also white hat. In this way vulnerabilities get spotted and patched much quicker and it's nearly impossible to slip in unnoticed malicious content without the community catching it. If you do manage to slip something in there, it's a very big risk to your reputation because it's only a matter of time before somebody looks over your code. With closed source software developers often rely solely on security through obscurity.

CJ Master
March 9th, 2010, 06:11 AM
Let's not forget that the architecture of certain OS's makes such software "extras" easier to install.

Not true. Every time you enter your password to install a program on ubuntu you're giving the setup full admin privileges. Read: It can do whatever the heck it wants.

prodigy_
March 9th, 2010, 06:22 AM
I would have just thought energizer was a trustworthy company.
There's no such thing. Ford Pinto memo, anyone? ;-)

---

And on topic: that's hardly surprising. What else would you expect from unnecessary bloatware that comes with nearly every device you buy? I only install drivers and only if they're absolutely necessary. The rest goes right to the trash can.

SoloSalsa
March 9th, 2010, 06:58 AM
I have used the Energizer Duo charger. It is nice in concept, but the product is low quality. I hoped it would be essentially two volt-meters with a USB interface. It is actually a half-dumb charger: the first position must be filled, and IF a second cell is inserted, it will be blindly charged parallel to the first. Half of the time, the program for Windows would not detect the charger. When the charger was recognised, a very inaccurate estimate of time to charge completion would be displayed. That is all the program did. I found the product very disappointing.


And on topic: that's hardly surprising. What else would you expect from unnecessary bloatware that comes with nearly every device you buy?

The software does not come in the blisterplastic, it is only downloadable from their Webpage. It was a small widget that did one thing, but did a bad job. The program might be trash, but it is not what I would call 'bloatware'.

prodigy_
March 9th, 2010, 11:42 AM
The program might be trash, but it is not what I would call 'bloatware'.
That's an exception because backdoors have to be small. ;-) Usually you get some useless 100MB+ app with an ugly custom GUI. Bad programmers love custom GUIs.

Mathiasdm
March 9th, 2010, 02:08 PM
http://www.pcworld.com/article/190990/the_energizer_duo_trojan_what_you_need_to_know.html

http://news.cnet.com/8301-27080_3-10465429-245.html

BM

Why would it be better if it was open source? One could just give 'innocent' source code along with an infected binary (and since almost nobody compiles from source...).
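The "innocent source, infected binary" point above is exactly what published checksums (ideally signed, or obtained through a channel independent of the download) are meant to address: a user who never compiles can still confirm that the binary they fetched is the one the project built. The following is an added example, not code from the thread or from any project it mentions, that verifies a directory of downloaded files against a SHA256SUMS-style manifest and reports each file as ok, mismatched, or missing. The files and digests in `demo()` are constructed on the fly in a temporary directory.

```python
"""Added example (not from the thread): verify downloaded files against a
SHA256SUMS-style manifest, one "<hex digest>  <file name>" entry per line."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Return {file name: expected hex digest}.

    Accepts the GNU two-space form and the '*' binary-mode marker; blank lines
    and '#' comments are skipped; anything else is rejected rather than guessed at.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def verify_directory(directory, manifest_text):
    """Compare every file the manifest names with the file on disk.

    Returns {name: "ok" | "MISMATCH" | "MISSING"}. Files on disk that the
    manifest does not mention are ignored; they are not covered by it either way.
    """
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        # Digests are public, but constant-time comparison is a good habit for any
        # check whose result is security-relevant.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: the source tarball matches the manifest, the binary
    on disk is not what the project published, and a listed signature is absent."""
    with tempfile.TemporaryDirectory() as d:
        src = b"innocent source code\n"
        good_bin = b"binary built from that source\n"
        with open(os.path.join(d, "app-src.tar.gz"), "wb") as f:
            f.write(src)
        with open(os.path.join(d, "app.bin"), "wb") as f:
            f.write(b"something else entirely\n")  # swapped binary
        manifest = (
            f"{hashlib.sha256(src).hexdigest()}  app-src.tar.gz\n"
            f"{hashlib.sha256(good_bin).hexdigest()} *app.bin\n"
            f"{'0' * 64}  app.sig\n"
        )
        return verify_directory(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The check only shifts trust from the binary to the manifest, so the manifest has to come from somewhere the attacker who swapped the binary cannot also edit: a signature over it, a mirror run by a different party, or a hash quoted in an announcement. A SHA256SUMS file sitting next to the download on the same compromised server proves nothing.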

fewt
March 9th, 2010, 02:30 PM
Yea, it's awesome not knowing what software is up to, isn't it.

Do you read the source code to everything you install (I bet not).

;)

These things happen, that's what internet gateways and host firewalls are for.

fewt
March 9th, 2010, 02:32 PM
Let's not forget that the architecture of certain OS's makes such software "extras" easier to install.

You mean Ubuntu (any distro) doesn't let code running in userland open listening sockets above 1024?

Oh wait, yes it does.

So, do you mean that Ubuntu (any distro) doesn't let you execute binaries in /home and /tmp by default?

Oh wait, yes it does.

So, do you mean that Ubuntu (any distro) doesn't let you install binaries to ~/bin?

Oh wait, yes it does.

So, do you mean that Ubuntu (any distro) prevents userland code from altering binaries executed at startup?

Oh wait, no it doesn't.

So, do you mean that Ubuntu (any distro) protects your system from code running as your user account that picks up your files and ships them to any random entity on any random outbound port or protocol?

Wait, no it doesn't.

So, do you mean that Ubuntu (any distro) protects your system from code running as your user account that destroys all of your personal data?

Wait, no it doesn't.

I hate to burst your bubble but modern Linux is far more dangerous than that other OS. That other OS has had a significant amount of R&D money spent on security, not to mention all of the third party companies that do nothing but analyze and protect against vulnerabilities.

Security through obscurity? That's the argument that LY make when they claim they are secure because they use Linux.

Just how easy is it? Convince a user to execute something, anything. Maybe a new forum thread to run a script.

Check it out, it's a new version of winetricks I promise *WINK* it'll give you the kitchen sink, delivered.

Users look at the script and it checks out because they don't happen to see http://www.micr0soft.com/dotnetfx.exe.

When it's executed it places its payload in say .purple or .gnome2, hooks it to .config/autostart, and starts it for the first time. Now your files are being shipped to bad people, and you won't ever know.
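The persistence route described in the post above (a payload dropped into a hidden directory such as .purple or .gnome2 and hooked in through .config/autostart) leaves a footprint a user can audit: the autostart .desktop entries themselves. The following is an added example, not fewt's code or anything from the thread, that parses a set of XDG autostart entries and lists those whose Exec line launches a program from a hidden directory under the home directory or from /tmp. The .desktop contents and the home path are constructed sample data; `SAMPLE_HOME` and the entry names are assumptions made for the example.

```python
"""Added example (not from the thread): audit XDG autostart entries for Exec
targets living in hidden home directories or /tmp, the pattern described above."""
from pathlib import Path


def parse_desktop_entry(text):
    """Minimal parser for the [Desktop Entry] group of a .desktop file.
    Returns key -> value; a later duplicate key overwrites an earlier one."""
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def is_suspicious_target(target, home):
    """True when `target` is an absolute path inside a hidden directory under
    `home` (a str) or under /tmp or /var/tmp. Bare command names resolve via
    PATH and are out of scope for this check."""
    expanded = home + target[1:] if target.startswith("~/") else target
    p = Path(expanded)
    if not p.is_absolute():
        return False
    s = str(p)
    if s.startswith("/tmp/") or s.startswith("/var/tmp/"):
        return True
    try:
        rel = p.relative_to(home)
    except ValueError:
        return False  # outside the home directory, e.g. /usr/bin
    # Any dot-directory on the way to the file, not just the first component.
    return any(part.startswith(".") for part in rel.parts[:-1])


def audit_autostart(entries, home):
    """`entries` is a list of (file name, file content) pairs as read from
    ~/.config/autostart. Returns the names of entries that would run and whose
    program, or the first argument (the script an interpreter is handed), is
    suspicious by the rule above."""
    flagged = []
    for name, content in entries:
        desktop = parse_desktop_entry(content)
        if desktop.get("Hidden", "false").lower() == "true":
            continue  # Hidden=true disables the entry; it never runs
        tokens = [t.strip("\"'") for t in desktop.get("Exec", "").split()]
        if any(is_suspicious_target(t, home) for t in tokens[:2]):
            flagged.append(name)
    return flagged


# Constructed sample data: an assumed home path and four invented entries.
SAMPLE_HOME = "/home/alice"
SAMPLE_ENTRIES = [
    ("nm-applet.desktop",
     "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n"),
    ("syncd.desktop",
     "[Desktop Entry]\nType=Application\nName=Sync client\n"
     "Exec=/home/alice/.local/share/syncd/syncd --background\n"),
    ("pidgin-helper.desktop",
     "[Desktop Entry]\nType=Application\nName=Pidgin helper\n"
     "Exec=/bin/sh \"/home/alice/.purple/.cache/updater.sh\"\n"),
    ("old.desktop",
     "[Desktop Entry]\nType=Application\nName=Old\nExec=/tmp/leftover\nHidden=true\n"),
]

if __name__ == "__main__":
    for name in audit_autostart(SAMPLE_ENTRIES, SAMPLE_HOME):
        print("review:", name)
```

The output is a review list, not a verdict: the `syncd.desktop` entry is flagged for the same reason as the `.purple` one, and legitimate per-user software does install under `~/.local`. What separates the two is whether you recognise the program and where it came from, which is the question the post above says users skip.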

fewt
March 9th, 2010, 02:37 PM
The thing is EVERYBODY has access to the source code, not just black but also white hat. In this way vulnerabilities get spotted and patched much quicker.. With closed source software developers often rely solely on security through obscurity.

Are you sure about that?

http://www.ubuntu.com/usn/usn-612-2

I'd love to see your information source about closed source developers not using safe coding practices. I know for a fact that many of them use tools to analyze their code for vulnerabilities.

Google it.

swoll1980
March 9th, 2010, 03:33 PM
Do you read the source code to everything you install (I bet not).


No, but many others are looking at it. You don't see people getting raped in the middle of the atrium at the mall, do you? The software is wide open, and everyone can see inside. It makes it much more difficult to do anything malicious.

fewt
March 9th, 2010, 03:35 PM
No, but many others are looking at it. You don't see people getting raped in the middle of the atrium at the mall, do you? The software is wide open, and everyone can see inside. It makes it much more difficult to do anything malicious.

How do you know others are looking at it? Why is it that we find vulnerabilities all the time that are sometimes more than a year old if "many others" are looking at it.

Statistics please, let's not make assumptions here.

swoll1980
March 9th, 2010, 03:37 PM
Are you sure about that?


That was patched as soon as it was discovered. Doesn't that go against your argument? Many closed source vulnerabilities are discovered, announced to the world, then left that way forever.

fewt
March 9th, 2010, 03:37 PM
That was patched as soon as it was discovered. Doesn't that go against your argument? Many closed source vulnerabilities are discovered, announced to the world, then left that way forever.

No because it was around for a LONG TIME before it was "noticed". It's a silly and an absolutely false assumption to think that there is no risk or that people just sit around reading the source code to every OSS app on the internet.

swoll1980
March 9th, 2010, 03:40 PM
How do you know others are looking at it? Why is it that we find vulnerabilities all the time that are sometimes more than a year old if "many others" are looking at it.

Statistics please, let's not make assumptions here.

How do I know? This is obviously trolling, and I will not respond to you anymore. If you think the open source model is a security problem, why are you using it? If you're not using it, why are you here?

fewt
March 9th, 2010, 03:43 PM
How do I know? This is obviously trolling, and I will not respond to you anymore. If you think the open source model is a security problem, why are you using it? If you're not using it, why are you here?

Yes, I must be a troll because I know a thing or two about Linux security (and the default lack thereof).

I'm only a troll because you cannot defeat the argument that it isn't more secure than any other OS.

matthew
March 9th, 2010, 03:48 PM
And with that, the thread is closed.