Monday, March 08, 2010

the energizer bunny looks more like a RAT

that's RAT as in remote access trojan, for the uninitiated.

by now i'm sure most security folks have heard about this but if you haven't yet, here's the US-CERT advisory, symantec's blog entry by liam murchu, a sophos blog post by graham cluley, a blog post at cybercrime & doing time by gary warner, a sunbelt blog post by tom kelchner, a zero day security blog post by ryan naraine, and that's just the tip of the iceberg.

now the reason i'm writing about this story that so many other people have written about when i normally eschew over-reported news events is because i have a personal stake in this - i actually have the offending device. worse still, i had the software in question installed on one of my computers since late march of last year. ouch! thanks to a tweet by mikko hypponen i found out about this early saturday morning (thanks mikko, that's just the way i wanted to start off my weekend) and proceeded to cuss up a storm because this is the first time in my 20+ years of computing that i have legitimately been been hit with malware - my perfect record is over.

oh well, enough of that. there are 2 things about this that i think deserve closer scrutiny. the first is that question of whether the malware shipped with the hardware device itself as many have stated, or whether the symantec blog is right and the software was only available as a download from the energizer website. i can't say conclusively one way or the other but i can offer some evidence that the software was only ever available from the energizer website.
  1. the device has no memory capacity. no drive appears in windows explorer when you plug the device in.
  2. when you plug it into a computer it asks to install drivers but can find no drivers to install.
  3. the package i got did not contain any separate media, and when i searched for the device on ebay, none of the packages there seemed to either.
  4. the instruction sheet (yes, i still have that too) informs you that you can see the charging status on your computer with free software from the energizer website
  5. the software is entirely optional. the device works without it (though the software does offer improved usability over the indicator LED). the device even ships with an AC->USB converter (which is what actually drew my attention in the first place) so that you can plug the device into the wall and bypass the computer (and thus any monitoring software) entirely.
  6. not only does the instruction sheet instruct you to get the software from the energizer website, but when you plug the device in, the device identifier displayed in both the new hardware notification bubble and driver installation wizard includes not just the product name but also the URL for downloading the software from energizer.
perhaps there was alternate packaging that included the compromised software, but when even the hardware tells you to download the software from the web then it hardly seems necessary for there to ever have been software packaged with it.

the second thing i think deserves examining is the question of what went wrong. as i said, i got hit with this, but could it reasonably have been avoided? that's a question i've been mulling over since saturday. let's go through the various failures and see if i acted unreasonably wrecklessly:
  • anti-virus products didn't detect it back then. i scan everything and the software came up 'clean'. av failed to save me here.
  • application whitelisting also failed me. it asked if i wanted to allow the software to run but this is software i intentionally installed - why wouldn't i allow it to run?
  • of course there are reasons to disallow software you just installed - i did my due diligence and googled the file and everything told me that it was associated with the charger and nothing said there was anything untoward about it. as such the community intelligence, the nascent reputation system of the internet let me down also.
  • the software firewall is an interesting case - in theory i could have made the connection and asked why battery charger software needs to open a port and listen for connections. on the other hand, i did research the file and found nothing to indicate it wasn't legitimately part of the software and therefore no reason not to trust that whatever it was trying to do was something it was supposed to do. maybe i could have been more suspicious, maybe i even was - the compromised system was a 10 year old clunker that isn't particular responsive to input at the best of times which, when combined with the occasional popup overload from the firewall/whitelist combo, has resulted in at least one instance of my clicking the accept button without seeing what i was accepting.
  • could i have saved myself some headache (and saved a bit of face) by using sandboxing? given the particulars of the system there's no way i would use a full virtual machine on it, and besides that would have been overkill for this application. it also would have interfered with the rather desirable behaviour of automatically launching the monitor UI (application virtualization wouldn't have been much better in that regard). that sounds like a strange thing for me to say, but the PC is so old that launching anything on it is painfully slow so the automated behaviour was welcome at the time. i suppose the fact that i never had any intention of hooking it up to my main PC (which actually has power running through it far more often) means that at some level i actually was using a sandbox of sorts - a physical sandbox machine if you will - but really, i trusted the software and had no reason to think i needed to run it in a sandbox.
trust seems to be the recurring theme here. i trusted the software. maybe i shouldn't have trusted it, but you can't get very far in computing without trusting at least some software, and there wasn't a compelling reason not to trust this software.

one thing to take away from this (or at least something that i'm taking away from it) is that a number of my security behaviours only help to protect me against the unknown. if i trust something, even though i'm wrong, there isn't much my defenses can do to help me. i will certainly be thinking about ways to overcome that weakness in the future.

of course, since i was behind a NAT-enabled router and wasn't forwarding port 7777 to the compromised machine, some of my defenses did work - but i was lucky. if it had been some other, more aggressive type of malware things might not have turned out so well for me. or, on the other hand, anything more than the passive listening for commands might have actually tipped me off to the presence of something malicious.

we can play "what if" until we're blue in the face - i've identified both the fact that my defenses have room for improvement and the nature that improvement must take. i've also been reminded that what they say really is true - it happens to everyone eventually. it took more than 20 years for me which is longer than most and i've been a little cocky about that, but in the end there's always some weakness, some way in, and if it hadn't been for my monitoring of security-related events i'd probably still be compromised right now. in the end the thing that helped me the most was my interest in security itself.


Rob said...

Of course, even the router safety net (my last line of defence too) is helpless against outgoing botnet type connections to irc. The firewall prompt might be a little more obvious there though.

Anonymous said...

You do know that RAT stands for Remote Administration Tool and not Remote Access Trojan. Right?

kurt wismer said...

agreed - there's really only so much any particular layer can do on it's own. my router's logs would probably have shown the outgoing connection activity, however, and i do inspect those from time to time.

it actually stands for both things. you should have followed my first link and read my definition.

Anonymous said...

I say "trust, but verify." If I had installed this Energizer software, I would have wondered why it adds a Run key to load a dll that then proceeds to open a port to listen for traffic. That is very, very suspicious action. Then, I would have examined the arucer.dll file more closely. Discovering simple malware like this is easy. :) If it had been a sophisticated rootkit, it might have been more difficult...

kurt wismer said...

the Run key is not that unusual given the proper behaviour of the software (it auto-detects when the device is plugged in and brings up the monitor UI) but the port listening is something that should have clued me in (assuming i actually saw that warning from my firewall - as mentioned, there is at least one instance i can recall where i missed the message due to UI latency).

as for examining the dll more closely - that's something the average person simply cannot do. could i pull apart programs before allowing them to run on my systems? perhaps, but then i would be taking steps that ordinary people simply can't and i wouldn't have been able to use myself as an example of how safe people can keep themselves. also, that's more work than i care to do. i already avoid new software most of the time in order to minimize risks - if i had to pick apart programs too then i'd never install anything at all.

i suppose that highlights another failure though - i could have simply avoided the software. i didn't need it, the charger works perfectly fine without it. the monitor software does give a time-until-fully-charged estimate that the single LED on the device cannot convey, but in practice the estimate wasn't particularly accurate (though i wouldn't have known that without using it).

i just keep going back and forth on this. not getting suspicious over the open port seems the most likely place where i failed, though.

oh, and by the way - if discovering this had actually been easy it wouldn't have taken us collectively 3 years to discover something was wrong.