by now i'm sure most security folks have heard about this but if you haven't yet, here's the US-CERT advisory, symantec's blog entry by liam murchu, a sophos blog post by graham cluley, a blog post at cybercrime & doing time by gary warner, a sunbelt blog post by tom kelchner, a zero day security blog post by ryan naraine, and that's just the tip of the iceberg.
now the reason i'm writing about this story that so many other people have written about when i normally eschew over-reported news events is because i have a personal stake in this - i actually have the offending device. worse still, i had the software in question installed on one of my computers since late march of last year. ouch! thanks to a tweet by mikko hypponen i found out about this early saturday morning (thanks mikko, that's just the way i wanted to start off my weekend) and proceeded to cuss up a storm because this is the first time in my 20+ years of computing that i have legitimately been been hit with malware - my perfect record is over.
oh well, enough of that. there are 2 things about this that i think deserve closer scrutiny. the first is that question of whether the malware shipped with the hardware device itself as many have stated, or whether the symantec blog is right and the software was only available as a download from the energizer website. i can't say conclusively one way or the other but i can offer some evidence that the software was only ever available from the energizer website.
- the device has no memory capacity. no drive appears in windows explorer when you plug the device in.
- when you plug it into a computer it asks to install drivers but can find no drivers to install.
- the package i got did not contain any separate media, and when i searched for the device on ebay, none of the packages there seemed to either.
- the instruction sheet (yes, i still have that too) informs you that you can see the charging status on your computer with free software from the energizer website
- the software is entirely optional. the device works without it (though the software does offer improved usability over the indicator LED). the device even ships with an AC->USB converter (which is what actually drew my attention in the first place) so that you can plug the device into the wall and bypass the computer (and thus any monitoring software) entirely.
- not only does the instruction sheet instruct you to get the software from the energizer website, but when you plug the device in, the device identifier displayed in both the new hardware notification bubble and driver installation wizard includes not just the product name but also the URL for downloading the software from energizer.
the second thing i think deserves examining is the question of what went wrong. as i said, i got hit with this, but could it reasonably have been avoided? that's a question i've been mulling over since saturday. let's go through the various failures and see if i acted unreasonably wrecklessly:
- anti-virus products didn't detect it back then. i scan everything and the software came up 'clean'. av failed to save me here.
- application whitelisting also failed me. it asked if i wanted to allow the software to run but this is software i intentionally installed - why wouldn't i allow it to run?
- of course there are reasons to disallow software you just installed - i did my due diligence and googled the file and everything told me that it was associated with the charger and nothing said there was anything untoward about it. as such the community intelligence, the nascent reputation system of the internet let me down also.
- the software firewall is an interesting case - in theory i could have made the connection and asked why battery charger software needs to open a port and listen for connections. on the other hand, i did research the file and found nothing to indicate it wasn't legitimately part of the software and therefore no reason not to trust that whatever it was trying to do was something it was supposed to do. maybe i could have been more suspicious, maybe i even was - the compromised system was a 10 year old clunker that isn't particular responsive to input at the best of times which, when combined with the occasional popup overload from the firewall/whitelist combo, has resulted in at least one instance of my clicking the accept button without seeing what i was accepting.
- could i have saved myself some headache (and saved a bit of face) by using sandboxing? given the particulars of the system there's no way i would use a full virtual machine on it, and besides that would have been overkill for this application. it also would have interfered with the rather desirable behaviour of automatically launching the monitor UI (application virtualization wouldn't have been much better in that regard). that sounds like a strange thing for me to say, but the PC is so old that launching anything on it is painfully slow so the automated behaviour was welcome at the time. i suppose the fact that i never had any intention of hooking it up to my main PC (which actually has power running through it far more often) means that at some level i actually was using a sandbox of sorts - a physical sandbox machine if you will - but really, i trusted the software and had no reason to think i needed to run it in a sandbox.
one thing to take away from this (or at least something that i'm taking away from it) is that a number of my security behaviours only help to protect me against the unknown. if i trust something, even though i'm wrong, there isn't much my defenses can do to help me. i will certainly be thinking about ways to overcome that weakness in the future.
of course, since i was behind a NAT-enabled router and wasn't forwarding port 7777 to the compromised machine, some of my defenses did work - but i was lucky. if it had been some other, more aggressive type of malware things might not have turned out so well for me. or, on the other hand, anything more than the passive listening for commands might have actually tipped me off to the presence of something malicious.
we can play "what if" until we're blue in the face - i've identified both the fact that my defenses have room for improvement and the nature that improvement must take. i've also been reminded that what they say really is true - it happens to everyone eventually. it took more than 20 years for me which is longer than most and i've been a little cocky about that, but in the end there's always some weakness, some way in, and if it hadn't been for my monitoring of security-related events i'd probably still be compromised right now. in the end the thing that helped me the most was my interest in security itself.