Energizer Introduces USB Battery Charger With Bonus Rootkit Feature [Update]

from the keeps-going-and-going-and-going dept

Update: As lots of folks are pointing out in the comments, this appears to have been included by some third party or disgruntled employee or something, rather than Energizer itself. Energizer has recalled the products and is investigating. Apologies for suggesting that this may have been intentional on Energizer's part. The original post follows: Someone, who prefers to remain anonymous, alerts us to the news that Symantec has discovered that a USB battery charger from Energizer installs a dangerous rootkit after installing the required driver. You would think that legit companies would know better than to install a secret rootkit after the Sony rootkit fiasco from a few years back. This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer. Not exactly the kind of stuff you want installed on your computer. The Energizer Bunny might keep going and going and going, but there are some things it's not supposed to do...


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 6:43am

    The fun part

    Is that you don't need the proper drivers to draw energy from a usb port.

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    :Lobo Santo (profile), Mar 12th, 2010 @ 6:45am

    Re: The fun part

    Correct! Man, people are just such suckers.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 6:49am

    I think it's a case of the installer being infected, rather than intentionally put there by the company. It's not that Energizer wants to use their charger software to control your computer, it's that they're completely incompetent and got infected in production. "Never attribute to malice that which can be adequately explained by stupidity."

    More interesting, is the malevolent DLL (Arucer.dll) is almost an anagram of "Duracell"

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 6:53am

    I wonder if this battery has a hidden camera that can be remotely activated?

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    NAMELESS.ONE, Mar 12th, 2010 @ 7:03am

    now think about rsa power cracking

    hrmmmm

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    senshikaze (profile), Mar 12th, 2010 @ 7:07am

    why?
    i mean, WHY?

    What the fuck is the point in this? are companies full of damned idiots?

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    Spaceman Spiff (profile), Mar 12th, 2010 @ 7:14am

    @senshikaze
    "What the fuck is the point in this? are companies full of damned idiots?"

    The short answer? Yes.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    :Lobo Santo (profile), Mar 12th, 2010 @ 7:17am

    Re: "full of idiots?"

    Yeah, gotta agree with you there.

    Certainly there are a few bright, reliable, well-intentioned talented individuals who do good work repeatedly; but they are a definite minority.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    A Dan (profile), Mar 12th, 2010 @ 7:19am

    Re:

    The devices themselves aren't infected. This infection is in the driver package that you can (could?) download from the website. From the article:

    "We also saw from the manufacturer’s website that the software is not distributed with the physical USB charger itself and instead it must be downloaded separately from the site"

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Brooks (profile), Mar 12th, 2010 @ 7:21am

    Ugh. The Techdirt decline continues.

    Ok, I can deal with the constant breathless outrage over the stupid things media companies do. And I can deal with the sometimes over-clever hindsightical analysis of PR blunders that lawyers and companies make.

    But this? Really? A quality control and PR disaster for Energizer, sure. A lesson in the dangers of outsourcing software development? Sure.

    But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?

    That's just flat out dishonest, Mike. Either produce some evidence that it was intentional, which nobody but you has suggested, or take a deep breath and consider the possibility that not every corporate mistake is with malicious intent.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 7:22am

    What evidence is there that this was intentional on the part of Energizer? I have seen none and the article linked doesn't seem to assign blame.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 7:25am

    I don't think thats a "root kit" sounds more like a TROJAN to me. I'd at least like to think that a technology site at least knew how to classify their malicious software. This is old news btw.

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    PaulT (profile), Mar 12th, 2010 @ 7:27am

    Re: Ugh. The Techdirt decline continues.

    Please explain. You said:

    "But an intentionally nefarious move designed to mess with consumers?"

    The article you're responding to says (backed up by the linked article):

    "This particular rootkit constantly listens for commands that could allow a computer to secretly execute files or even send computer files to a remote computer."

    How in blue f*ck is it not intentionally nefarious? What other possible reason could there be for remote command execution capability in a driver for a device that does not actively need to interact with the computer?

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    rpk!!, Mar 12th, 2010 @ 7:28am

    Re: Ugh. The Techdirt decline continues.

    Is accidental release of a rootkit that much better? I don't enegizer as an innocent bystander whether the release was intentional or not! Don't they have some sort of obligation (if not moral, then an interest in not losing customers) to make sure their products are safe to use?

     

    reply to this | link to this | view in thread ]

  15.  
    icon
    Steve R. (profile), Mar 12th, 2010 @ 7:30am

    Belkin - Bad

    We had a Belkin UPS that went bad. The good news is that Belkin honored its warranty and replaced the unit. The BAD news, Belkin had modified the (new) UPS model so that you would have to use THEIR software instead of the regular windows power management software.

    It took several hours of frustrating tweaking before I figured it out. Of course the UPS documentation never mentioned the little detail that the ability of the UPS to work directly with Windows was "disabled".

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    sysadmn, Mar 12th, 2010 @ 7:33am

    Re: Re: Ugh. The Techdirt decline continues.

    The "intentionally nefarious" refers to Energizer's intentions. It doesn't seem likely that they slipped the trojan dll into the package. Sure, they're responsible, since they are distributing it, but there is a difference between negligence and "intentionally nefarious".

     

    reply to this | link to this | view in thread ]

  17.  
    icon
    Technopolitical (profile), Mar 12th, 2010 @ 7:49am

    Re: Ugh. The Techdirt decline continues.

    "But an intentionally nefarious move designed to mess with consumers? A comparison to the Sony debacle? Really?"

    Not the point of Mike's post as i see it .

    The point as stated in the source article:
    "I certainly wouldn’t want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location."

    That is the big deal.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    RD, Mar 12th, 2010 @ 7:55am

    Re: Re: Re: Ugh. The Techdirt decline continues.

    Sure, they're responsible, since they are distributing it, but there is a difference between negligence and "intentionally nefarious".

    Not from the perspective of the CONSUMER. To the consumer, who got this thing FROM Energizer, whether it was "intentional" or not is irrelevant. Its got a rootkit, it comes from Energizer itself, therefore its nefarious/unwanted/unneeded/bad. We can argue about how this happened, but its still Energizers FAULT from the point of view of the consumer.

    Period.

    Full stop.

    End of line.

    QED.

     

    reply to this | link to this | view in thread ]

  19.  
    icon
    Chronno S. Trigger (profile), Mar 12th, 2010 @ 8:04am

    I stumbled upon this the other day

    I'll probably never find the article again so you can chose to believe or disbelieve anything I say.

    From what I read, the root kit wasn't suppose to be there, it was a hack and was only on a select few of the chargers. They have recalled the affected lots and will be replacing them with working ones. This was from a representative of Energizer, so I doubt it's the full truth, if any at all.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 8:04am

    So is this from one of those useless software CD that comes in the package. Never ever, ever install any software from a hardware product! never!

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Lion XL, Mar 12th, 2010 @ 8:06am

    To be clear, the article makes no assertion that was a rootkit. It calls it what it is,a Trojan. Rootkit's and Trojans are very different, as everyone here should know by now.

    Mike are you reading???.....

    Not to say Energizer isn't a cluster fuck of company, for letting this out. But shit happens....

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Neil (SM), Mar 12th, 2010 @ 8:13am

    Not intentional

    This appears to be the work of a rogue employee somewhere along the parts chain. Energizer is recalling the devices and claims to have had no idea about problem.

    http://phx.corporate-ir.net/phoenix.zhtml?c=124138&p=irol-newsArticle&ID=1399675 &highlight=

    http://consumerist.com/2010/03/energizer-duo-exploit.html

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 8:22am

    Sorry guys, you can't get one as a gift for your boss. It's discontinued :-(

    Energizer discontinued the device earlier this month. Still, it was introduced in 2007, and you have to think there may be a lot of vulnerable systems out there.

    http://www.prnewswire.com/news-releases/energizer-announces-duo-charger-and-usb-charger-so ftware-problem-86672072.html

    I'm off to eBay...

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    lavi d (profile), Mar 12th, 2010 @ 8:29am

    Who Owns Your Computer?

    ...you don't need the proper drivers to draw energy from a usb port.

    As a long time Linux user, I've never used the software that comes with USB devices - camera, printer, MP3 player.

    I was amused to find that every one of these applications, when properly installed on Windows machines, finds some way to spam the user. In the case of Kodak, it sends every picture the user emails wrapped in a big advertisement for Kodak products.

    Nice...

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    interval, Mar 12th, 2010 @ 8:31am

    Re:

    The exploit is a trojan, this story first appeared on /.

    You don't need the software to use the recharger. I don't really know much other than that; for an "informed opinion" I would guess that it went down like this: Energizer is populated with pre-internet execs; some bright star in the R&D group said "Hey, why don't pop out this usb recharger, it will cost almost nothing to develop, and we can include in all kinds of special projects, giveaways, promotions, etc." The execs said "Sure, anything that promotes Energizer is good." Then a sales man from a third party got involved with this "new project" from Energizer and said "Hey! We'd like to produce software for your new little dongle thingy there." And the execs thought "USB == pc == software. We need software for this new product. Ok." So the third part sniffed around E. Europe or Asia for anything they could quickly pack into the package because this particular dongle DOESN'T REQUIRE ANY. Doesn't matter what the software does. All they needed to do was deilver "software" to Energizer to make a buck. This bundle was no doubt in my mind almost 100% profit for them. Energizer, not being a software company, probably gave the bundle little (if any) QA, and viola! Trojan delivery system.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Jon B., Mar 12th, 2010 @ 8:50am

    Re:

    It is an anagram of Duracell®

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    Brooks (profile), Mar 12th, 2010 @ 8:53am

    Re: Re: Ugh. The Techdirt decline continues.

    As others have noted, while Energizer shipped the software, nobody thinks for a second that the inclusion of the rootkit was intentional or corporate policy. That's in contrast to Sony and other DRM abuse cases which were clearly designed and implemented as policy.

    The *rootkit* is malicious, of course. Energizer, as a company, was the victim of a sloppy or malicious contractor as well as their own negligence. Surely you can see the distinction there?

     

    reply to this | link to this | view in thread ]

  28.  
    icon
    Brooks (profile), Mar 12th, 2010 @ 8:58am

    Re: Re: Re: Re: Ugh. The Techdirt decline continues.

    Nobody but you is talking about FAULT. This entire post (read it again) is about intent, and Mike ascribes intentionality ("you would think legit companies would have learned") where there is only negligence and clumsiness. It's sloppy thinking at best, and more than a little dishonest.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 9:05am

    Re: Re: Ugh. The Techdirt decline continues.

    Finding malicious code isn't as easy as many people would like to believe. If you're building it yourself there are steps you can take (peer review, version control, etc) to minimize the chances of something slipping in, but this DLL was bought from someone else, which isn't surprising considering that Energizer isn't in the software business. And finding it afterwards is really hard -- there's a whole Industry built around doing just that. Energizer is responsible for alerting customers and removing the offending code (which they've done), but it's hard to even fault them with negligence here.

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    cwbutler, Mar 12th, 2010 @ 9:10am

    Re:

    @senhikaze - why yes, yes they are.

     

    reply to this | link to this | view in thread ]

  31.  
    icon
    SomeGuy (profile), Mar 12th, 2010 @ 9:17am

    Disappointed

    I have to say I'm really disappointed in this post, Mike, mostly because of the reference to the Sony Rootkit. With Sony, they intentionally placed software on their CDs to enforce DRM, and then hid it with a rootkit. Sony was fully aware of what they did and fully intended the software to function as it did. In Energizer's case, they've been the victim of a disgruntled or rogue employee (or a shady company, I'm not clear on that detail) and were unknowingly saddled with malicious code. Whether that code was "necessary" to run the device or not (it wasn't) is a moot point, Energizer is essentially innocent here, and is responsible only for alerting their customers and removing the offending code, which they've done.

    There was no malicious intention with Energizer, and missing that point (and in fact strongly implying otherwise) hurts your credibility.

     

    reply to this | link to this | view in thread ]

  32.  
    icon
    Mike Masnick (profile), Mar 12th, 2010 @ 9:58am

    Updated

    Hey guys, added an update explaining that it was not Energizer's official doing. Apologies for implying otherwise.

     

    reply to this | link to this | view in thread ]

  33.  
    icon
    ECA (profile), Mar 12th, 2010 @ 10:18am

    I looked at this device.

    1. the program is supposed to tell you when the Batteries are charged.
    2. Thats nothing, as its TIMED, not really a charge CONTROL program as you cant Vary the voltage or check tha battery.
    3. GET A REAL SMART CHARGER, they are $30 at amazon from La Crosse Tech..
    4. ANY of the chargers at the store are CRAP. They work on a timer for the charge. They cant even tell you if the battery is ALREADY charged.

     

    reply to this | link to this | view in thread ]

  34.  
    icon
    Pontifex (profile), Mar 12th, 2010 @ 10:41am

    The Symantec page mentioned that the name "Liu Hong" appeared several times in relation to the DLL; it's possible that this is the name of the person who wrote it. Or the name of someone they don't like.

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Mr. Ambiguous, Mar 12th, 2010 @ 10:52am

    Re: I looked at this device.

    5. Don't buy rechargeable batteries from Energizer. I have quite a few that won't take a charge anymore. All my Eneloops still work perfectly.

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    ChimpBush McHitlerBurton, Mar 12th, 2010 @ 11:07am

    Re: The fun part

    PEOPLE:

    SANDBOXIE.COM

    CHECK IT BEFORE YOU WRECK IT.

    ROOTKIT SHMOOTKIT.

    CBMHB

     

    reply to this | link to this | view in thread ]

  37.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 11:28am

    Re: Updated

    ...Now if we could get you to stop calling it a Rootkit just to create a catchy title and make the association with Sony.

    It's not a rootkit. Hell, the word "rootkit" doesn't even appear on the page you linked to. It's simply a Trojan.

    Yes, there is a difference and it does matter. I guess it's just not as easy to link Energizer with the Sony rootkit with an accurate title like "Energizer lets malware slip into its software".

     

    reply to this | link to this | view in thread ]

  38.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 11:32am

    Re: Updated

    Your article also implies that the USB device itself launches malware, which is incorrect. The software was not contained on the USB device, and is not necessary to use the product.

    Also very misleading.

     

    reply to this | link to this | view in thread ]

  39.  
    icon
    Spaceman Spiff (profile), Mar 12th, 2010 @ 11:40am

    Ultimate responsibility

    Whether or not this was done purposely by Energizer, they are ultimately responsible for this fiasco, and should pay the price in cleanup of users' computers that got infected with this kit, and provide some tangible benefit (free batteries) for causing their customers to become at risk of serious security breaches.

     

    reply to this | link to this | view in thread ]

  40.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 1:49pm

    Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.

    The problem is that then any action done by any corporation can be deemed "sloppy behavior" by employees and not the corporation itself. How do we determine the difference?

     

    reply to this | link to this | view in thread ]

  41.  
    identicon
    Anonymous Coward, Mar 12th, 2010 @ 1:54pm

    Re: Re: Re: Re: Re: Re: Ugh. The Techdirt decline continues.

    Where do we draw the line between, "it's the employees" vs "it's the corporation itself." Isn't the corporation composed of employees? I understand that sometimes employees do wrong things and that one shouldn't always directly criminalize top management for the actions of employees (and it's even worse to criminalize Google executives for the actions of their users), provided that management took reasonable steps to ensure malicious behavior isn't a problem and didn't contribute or encourage such behavior, but where do we draw the line between the corporation and its members? When the stock holders do something wrong? When the CEO? The CFO? When 5 percent of the corporation makes act maliciously towards their customers? 10 percent? Where exactly?

     

    reply to this | link to this | view in thread ]

  42.  
    identicon
    7ru7h, Mar 13th, 2010 @ 5:05pm

    Re: Re: The fun part

    That's all well and good if you have a 32bit system, but those of us with 64bit systems are SOL in that regard...

     

    reply to this | link to this | view in thread ]

  43.  
    identicon
    enrolled agent, Mar 13th, 2010 @ 5:42pm

    Re: Who Owns Your Computer?

    Is this true? I've used the Kodak EasyShare software myself in the past. I haven't noticed this though.

     

    reply to this | link to this | view in thread ]

  44.  
    identicon
    Anonymous Coward, Apr 2nd, 2010 @ 9:21am

    It's them damn chinese, they have been hacking-cloning-and stealing technology since way back!!

     

    reply to this | link to this | view in thread ]

  45.  
    identicon
    Anonymous Coward, Apr 2nd, 2010 @ 9:23am

    Hi Mom (grins real big)

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This