We recently received a file (from CERT) for analysis. We found that the file was a Trojan that opens a back door on a compromised computer and listens for commands on port 7777. This by itself is not very unusual, but what surprised us was that this file was being distributed by Energizer Inc as part of a USB charger-monitoring software package. When we checked the manufacturer’s website, the file was still available as part of the USB charger software package. As part of the installation process for the USB charger software, the file “Arucer.dll” is created and added to the registry run key. We discovered that this file is the Trojan and added detection for it as Trojan.Arugizer. Since the file is added to the run key, the Trojan starts every time the computer starts. The Trojan listens for commands from anyone who connects and can perform various actions, such as the following: • Download a file • Execute a file • Send a directory listing to the remote attacker • Send files to the remote attacker • Modify the following registry entry: - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\”svchost” Any data that Trojan.Arugizer receives on this port is XOR’d with the value 0xE5 before it is processed further. The threat continuously listens for commands. Commands are sent to the threat in the form of CLSIDs. The threat waits for any of the following CLSIDs to be sent: • {E2AC5089-3820-43fe-8A4D-A7028FAD8C28} • {F6C43E1A-1551-4000-A483-C361969AEC41} • {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3} • {783EACBF-EF8B-498e-A059-F0B5BD12641E} • {0174D2FC-7CB6-4a22-87C7-7BB72A32F19F} • {98D958FC-D0A2-4f1c-B841-232AB357E7C8} • {4F4F0D88-E715-4b1f-B311-61E530C2C8FC} • {384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13} • {8AF1C164-EBD6-4b2b-BC1F-64674E98A710} Some of these CLSIDs/commands take further parameters that must be sent after the CLSID. Each communication sequence consists of a 4 bytes size value, then the command, then (optionally) the size of the parameters and the actual parameters. The first command checked for is {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}. This command checks that everything is OK with the Trojan. If the command is received and executed correctly by the Trojan, the text “Yes” is sent back to the attacker. The responses sent by the Trojan are also XOR’d with 0xE5. Next, the Trojan checks for {783EACBF-EF8B-498e-A059-F0B5BD12641E}. This is a ‘do nothing’ command and is skipped. The command {0174D2FC-7CB6-4a22-87C7-7BB72A32F19F} sends the remote attacker information about the drives on the computer. The Trojan creates a file in the %Temp% folder with the prefix “liu” and uses that to store information about the drives and then it sends that file to the attacker. The command {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3} can take in, as a parameter, a folder name and will recursively follow the subfolders and send the name and contents of each file it finds back to the attacker. (This is a very large response if no folder name is given and the command runs from the root of the C: drive!) As an example of a command that can take a parameter, the command {F6C43E1A-1551-4000-A483-C361969AEC41} is used to send a file from the Trojan to the remote attacker. The command takes in one parameter: the name of the file to be sent. The format of the data to be sent is: “command length”,“command”,“file name length”,“file name” In the example below, the Trojan is running on the localhost and it is listening on port 7777. In the file CLSID_2_SendFile.bin, I have the sequence of bytes needed to successfully retrieve a file called c:\test.txt from the Trojan. Using netcat, the control bytes are sent to the Trojan. In the first case shown, the test .txt file contained the text “this is a test!!!!!!!!!” The Trojan responded with the text of the file encoded with 0xE5. In the second instance, I XOR’d the text in test.txt with 0xE5. As you can see, the Trojan reads the content of the test.txt file and XORs it with 0xE5 before sending it back; therefore, in the second response we can see the plain text of the file returned: The command {98D958FC-D0A2-4f1c-B841-232AB357E7C8} allows the remote user to create a file on the compromised computer. It takes in two additional parameters: the file name and the file contents. So, the command sequence would be: “Command Length”,”Command”,”File name length”,”File name”,”FileSize”,”FileContents” The command {4F4F0D88-E715-4b1f-B311-61E530C2C8FC} allows the remote user to delete a specified file from the compromised computer. The command {384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13} allows the remote user to set the following registry entry to a file of their choosing: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost =”file name” Finally, the last command {8AF1C164-EBD6-4b2b-BC1F-64674E98A710} allows the remote user to download a file onto the compromised computer and execute it. The fact that the temp file created by one of the commands has the prefix “liu” is interesting, since the name “Liu hong” appears elsewhere in the code. Not only that, but other programs that are part of the installation package for the USB Charger software also take in the parameter “-liuhong”. Could it be that he was the creator of the installation package? We were interested in finding out how long this file had been available to the public. The compile time for the file is May 10, 2007. It is impossible to say for sure that this Trojan has always been in this software, but from our initial inspection it appears so. We also suspected that the entire file may have been inserted into the package without the creator’s knowledge, but upon closer inspection we discovered the DLL checks for the following USB device: \\\\?\\USB#Vid_1B47&Pid_0001#\ {a5dcbf10-6530-11d2-901f-00c04fb951ed} This is specific to the charger itself. Although the DLL checks for this device, the Trojan still operates whether this device is found or not, so a USB charger doesn’t need to be plugged in for the Trojan to be functioning. The other purpose of the .dll is to listen for new devices that are connected and if the device matches the device name shown above, it will execute a program that displays a graphical representation of how much charge is left in the batteries contained in the USB charger: However, as well as starting this graphic program it also starts the Trojan. We also saw from the manufacturer’s website that the software is not distributed with the physical USB charger itself and instead it must be downloaded separately from the site. This may mean that fewer people installed it than bought the charger. Whether this Trojan functionality was intended or not is unclear, but if it is intended behavior it would be very suspicious; I certainly wouldn’t want my USB charger to download and execute files without my knowledge, or indeed send my files to a remote location.