The Energizer Duo USB battery charger has been hiding a backdoor Trojan in its software that affects computers using Windows. According to Symantec the Trojan has probably been there since 10th May 2007.

Energizer has now taken the software for the model CHUSB charger off the market and removed the site from which it could be downloaded, and the company is asking customers who downloaded the Windows version to uninstall it. There are easy steps to fight the Trojan in affected machines, and Macintosh users are not affected.

Symantec’s Director of Global Intelligence, Dean Turner, said it’s impossible to be certain the Trojan has always been in the software that monitors the Duo USB charger, but the Trojan’s binary header states it was created in May 2007. It is not known how the Trojan came to be in the software, but malware has previously been found to be hidden inside products. Energizer is working with the US Computer Emergency Readiness Team (US-CERT) and the US government to try to find out how the code found its way into the software.

The Trojan allows an attacker to operate with the same privileges as the user who is logged in, and to remotely control the system via connections on 7777/tcp to send and receive files, run programs, and list the contents of directories.

US-CERT advises that to fix the problem, users can delete the Arucer.dll file from the Windows system32 directory, and then restart the system. An alternative fix is to remove the USB charger software. The Trojan Arucer.dll file will still be present but the code cannot be executed in the absence of the charger software. It is also advisable to block access to port 7777 using a firewall or via network perimeter devices.

Energizer’s Duo USB battery chargers have been available in the US, Europe, Asia, and Latin America since 2007. They allow computer users to recharge the Nickel Metal Hydride (NiMH) batteries either from a wall outlet or a USB connection. It also enabled the user to monitor the status of charging on the PC.

Source

In the world of energy, the Holy Grail is a power source that’s inexpensive and clean, with no emissions. Well over 100 start-ups in Silicon Valley are working on it, and one of them, Bloom Energy, is about to make public its invention: a little power-plant-in-a-box they want to put literally in your backyard.

You’ll generate your own electricity with the box and it’ll be wireless. The idea is to one day replace the big power plants and transmission line grid, the way the laptop moved in on the desktop and cell phones supplanted landlines.

It has a lot of smart people believing and buzzing, even though the company has been unusually secretive–until now.

K.R. Sridhar invited “60 Minutes” correspondent Lesley Stahl for a first look at the innards of the Bloom box that he has been toiling on for nearly a decade.

Source

Though it is not yet in use, Apple has added a category for developers to label their applications as “explicit” software in the App Store for the iPhone and iPod touch.

A developer revealed to Cult of Mac that the new category is available for selection on the iTunesConnect Web site. However, applications with the “explicit” distinction have not yet appeared in the App Store.

The change could signal that Apple is preparing to launch an adults-only section of the App Store that would segregate potentially offensive content from the remainder of applications.

The move follows Apple’s removal of more than 5,000 applications the company said were “overtly sexual.” The change in policy came after the company received numerous complaints from users who were concerned children would be able to access inappropriate content from the App Store on their iPhone or iPod touch. Whether those applications removed in the last week would be allowed in to the App Store under the new “explicit” category is unknown.

Apple is also preparing to launch its iPad device, a new form factor the company will pitch as a multimedia accessory that can serve as an e-reader of novels and textbooks. The new hardware will also have access to the App Store and its library of more than 140,000 applications. Its potential adoption in the education market could have played a part in Apple’s decision to remove sexual content.

Though Apple purged a number of applications (including some mistakenly), other adult oriented content remained on the App Store, including applications from Playboy and Phil Schiller, head of worldwide product marketing for Apple, told The New York Times that his company had decided that well-known, established brands would be allowed to remain on the App Store.

Source

Angry customers blame MS10-015 for Blue Screen of Death and XP reboot hell Tuesday’s security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death (BSOD), users have reported on the company’s support forum.

Complaints began early yesterday, and gained momentum throughout the day.

“I updated 11 Windows XP updates today and restarted my PC like it asked me to,” said a user identified as “tansenroy” who kicked off a growing support thread . “From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: ‘A problem has been detected and Windows has been shutdown to prevent damage to your computer.’”

Others joined in with similar reports. “There is something seriously wrong with the update. I can’t even open in safe mode,” said “Ghellow,” referring to Windows diagnostic mode that’s often a last-chance way to boot a PC.

“I am not very happy with Microsoft as I got to work this morning to find my helpdesk flooded with messages that the PC has the famous Blue Screen,” said “brawfab.”

“I had to go to work and use my Mac to get online to find out what is going on with the XP updates last night,” complained “moosewalk” on the same thread. “I am this much closer to switching over to a Mac for good.”

The support thread, which was first noticed by security blogger Brian Krebs , contained more than 120 messages as of early Thursday, making it the third-longest on the Windows Update support forum. The thread had been viewed more than 2,800 times since its inception.

Several users posted solutions, but the one laid out by “maxyimus” was marked by a Microsoft support engineer as the way out of the perpetual blue screens. To regain control of their PCs, users were told to boot from their Windows XP installation disc, launch the Recovery Console and enter a series of commands.

Unfortunately, that left netbook users out of luck, since most of the lightweight, inexpensive laptops lack an optical drive, and so can’t boot from an XP installation disc. “Are there any fixes for netbooks, or am I essentially screwed for the time being?” asked “HimDen.”

Several users tentatively identified the MS10-015 update as the one which triggered the BSOD, and claimed that uninstalling that security fix — which was labeled as KB977165 — returned their PC to working condition.

MS10-015 , one of 13 security updates Microsoft issued Tuesday, patched a 17-year-old kernel bug in all 32-bit versions of Windows. The vulnerability went public three weeks ago when a Google engineer disclosed the bug and posted proof-of-concept attack code.

This was not the first time that a Microsoft update has incapacitated Windows PCs. Two years ago, a set of updates for Vista sent an unknown number of machines into an endless series of reboots . Similar problems stymied users who tried to upgrade to Windows XP Service Pack 3 (SP3) in May 2008, and others attempting to upgrade from Vista to Windows 7 last October.

Microsoft was not immediately available for comment early Thursday.

We thought Zillow’s 2011 IPO was a good sign for the tech and Internet market. Intel has not only just confirmed that notion, but blown everybody’s expectations right out of the water.

The world’s largest chipmaker just wowed Wall Street and the tech world with its latest earnings report. The publicly-traded company reported a net income of $2.3 billion in the fourth quarter of 2009, up an amazing 875% from its $234 million earnings in the fourth quarter of 2008. This more than beat Wall Street expectations.

While we won’t go into detail over the financial numbers (you can do that here PDF ), we do want to highlight some of the key stats:

- Revenues in Q4 2009 rose to $10.6 billion, a climb of 28% from $8.3 billion last year.

- However, if you look at the big picture, Intel had a better 2008 than 2009. 2009 revenues were $35.1 billion, while 2008 revenues reached $37.6 billion. That’s a 7% difference.

- Intel predicts revenues of approximately $9.7 billion in Q1 2010, above Wall Street estimates.

- Around a year ago, at the heart of the economic collapse, Intel decided to invest $7 billion into new chip plants. It looks to be paying off.

Intel’s Q4 report is one of the first to come out this year, but it won’t be the last. If Intel’s numbers are any indication though, we’re nearing the light at the end of the tunnel.

Source

Back at the dawn of the Web, the most popular account password was “12345.”

Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456″ as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123″ and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123″ and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites were security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

Source

Four antivirus makers have weighed in on the release of Microsoft Security Essentials, and their opinions are all over the place. We asked various security companies for their opinion on MSE, which launched yesterday, and Symantec, ESET, Avast, and AVG responded with their thoughts.

Microsoft claims it is targeting consumers who currently don’t have any protection on their Windows PC, but of course MSE will end up on many computers that already have third-party security software installed. Since MSE is free, the software security market is going to get a serious shake-up, and here’s what Microsoft’s new competitors think about what’s about to happen.

Symantec, maker of the Norton line of products, says MSE doesn’t stand a chance in today’s market: “While we applaud any vendor that heightens consumer awareness of the need for computer security, it’s clear that the threat landscape has moved on from the product Microsoft is launching,” a Symantec spokesperson told Ars. “Microsoft Security Essentials (MSE) is a stripped down version of their old OneCare product which was poorly rated by industry experts and users alike. From a security perspective, this Microsoft tool offers reduced defenses at a critical point in the battle against cybercrime. Unique malware and social engineering tricks fly under the radar of traditional signature-based technology alone—which is what is employed by free security tools such as Microsoft’s”

ESET, maker of the NOD32 line of products, is unfazed by the product’s launch: “Certainly basic, but free, protection is better than no protection,” Christopher Dale, Public Relations Manager of ESET, told Ars. “For those whose primary concern is price, we would imagine MSE will hold great appeal while making the freeware market more competitive. The product doesn’t directly impact ESET as we offer a full-featured security solution w/ more configuration choices and free phone support.”

Avast is perfectly fine with Microsoft entering the market: “We are glad to see Microsoft joining us in offering free anti-virus/security protection to users,” Vince Steckler, CEO of Avast, told Ars. “We have long believed that top notch security protection should be freely available—that is why nearly 100 million users around the world protect their computers and data with our free avast! antivirus. Around the world there are about 500 million home computer users that need [to be] protected while using the Internet. We believe only around 20 percent of these users are using a traditional paid security product while 250 million are using avast! or one of the other high-quality free products. Users have already decided that security should be free—there are more users of free avast! than users of all paid products combined. But, free users should not be subjected to inferior or ‘basic’ protection.”

AVG, on the other hand, thinks Microsoft will push its product via as many anticompetitive ways as possible: “Microsoft will likely push MSE out via every automated channel available to them—which in and of itself poses all sorts of interesting anti-trust questions,” Siobhan MacDermott, VP Head of Public Policy, Corporate Communications, and Investor Relations for AVG Technologies, told Ars. “They will focus on gaining consumers through the simplicity of installing the product via routine channels of connection. On paper it makes sense, but in reality, we believe this will force consumers to unwittingly enter into a situation that makes them more vulnerable. Experts agree that the biggest nemesis to Windows was not the vulnerability of its code but rather the popularity of the operating system. It is a law of numbers; large communities create large pools of opportunities for thieves. If Microsoft leverages the power of its OS market to rapidly create a large community of MSE users, we believe those customers will be doubly vulnerable.”

There you have it; two antivirus makers are fine with Microsoft Security Essentials and the other two aren’t. We’re more surprised with the ones that are fine with it, since MSE can potentially steal customers away from them (in fact, many of our readers and users on other forums have already declared they are switching). In our first look at MSE yesterday, we were impressed with what Microsoft was offering as a free download for Windows XP, Windows Vista, and Windows 7. For those who have had a chance to install it, how do your thoughts compare to the above statements?

Source

LAS VEGAS -

The company behind the magicJack, the cheap Internet phone gadget that’s been heavily promoted on TV, has made a new version of the device that allows free calls from cell phones in the home, in a fashion that’s sure to draw protest from cellular carriers.

The new magicJack uses, without permission, radio frequencies for which cellular carriers have paid billions of dollars for exclusive licenses.

YMax Corp., which is based in Palm Beach, Fla., said this week at the International Consumers Electronics Show that it plans to start selling the device in about four months for $40, the same price as the original magicJack. As before, it will provide free calls to the U.S. and Canada for one year.

The device is, in essence, a very small cellular tower for the home.

The size of a deck of cards, it plugs into a PC, which needs a broadband Internet connection. The device then detects when a compatible cell phone comes within 8 feet, and places a call to it. The user enters a short code on the phone. The phone is then linked to the magicJack, and as long as it’s within range (YMax said it will cover a 3,000-square-foot home) magicJack routes the call itself, over the Internet, rather than going through the carrier’s cellular tower. No minutes are subtracted from the user’s account with the carrier. Any extra fees for international calls are subtracted from the user’s account with magicJack, not the carrier.

According to YMax CEO Dan Borislow, the device will connect to any phone that uses the GSM standard, which in the U.S. includes phones from AT&T Inc. and T-Mobile USA. At a demonstration at CES, a visitor’s phone with a T-Mobile account successfully placed and received calls through the magicJack. Most phones from Verizon Wireless and Sprint Nextel Corp. won’t connect to the device.

Borislow said the device is legal because wireless spectrum licenses don’t extend into the home.

AT&T, T-Mobile and the Federal Communications Commission had no immediate comment on whether they believe the device is legal, but said they were looking into the issue. CTIA — The Wireless Association, a trade group, said it was declining comment for now. None of them had heard of YMax’s plans.

Borislow said YMax has sold 5 million magicJacks for landline phones in the last two years, and that roughly 3 million are in active use. That would give YMax a bigger customer base than Internet phone pioneer Vonage Holdings Corp., which has been selling service for $25 per month for the better part of a decade. Privately held YMax had revenue of $110 million last year, it says.

U.S. carriers have been selling and experimenting with devices that act similarly to the wireless magicJack. They’re called “femtocells.” Like the magicJack, they use the carrier’s licensed spectrum to connect to a phone, then route the calls over a home broadband connection. They improve coverage inside the home and offload capacity from the carrier’s towers.

But femtocells are complex products, because they’re designed to mesh with the carrier’s external network. They cost the carriers more than $200, though some sell them cheaper, recouping the cost through added service fees. YMax’s magicJack is a much smaller, simpler design.

Source

There are many ways to measure how Windows 7 is doing. There are reports on new PC sales, tallies of boxed copy sales, and surveys of planned enterprise adoption, to name a few.

But one of the most encouraging signs for Microsoft is the lack of phone calls it is getting from people with problems. Overall, Microsoft said the volume of calls to its support lines is half of what it expected.

“Overall we are finding our call center volume is down significantly more than we expected,” said Barbara Gordon, vice president of customer support for Microsoft.

The drop in calls isn’t just due to the fact that Windows 7 appears less problem-plagued than its predecessor, though. In the weeks leading up to and following the operating system’s release, Microsoft also added two new ways to get help–through an online forum called Microsoft Answers and via the Microsoft Helps feed on Twitter.

“What we have found is we are seeing far more take-up of self-service…forums and Twitter to get responses,” Gordon said in an interview this week.

With the Microsoft Answers forums, which launched late last year, users submit questions and experienced community members offer answers that Microsoft workers later validate to make sure they are correct.

So far, Microsoft has validated some 60,000 solutions. The company says that 83 percent of English-language queries are answered within seven days. Those in other languages have a slightly lower rate, but even of those 78 percent are taken care of within a week.

Meanwhile, Microsoft went live with its Twitter help site in October. Users can post a tweet with “@microsofthelps” in the message and Microsoft will respond. A team of seven employees dedicated full time to the project work with the broader support organization to respond to the many tweets. The goal is to either answer simple questions or to point people to a place where they can get a more detailed answer.

“It’s hard to answer (most questions) in 140 characters,” Gordon said.

But, she said, social networks like Twitter, Gordon said, allow the company to realize a problem that could be affecting thousands of people via a single short message.

“It’s really like a customer megaphone,” Gordon said.

Gordon hopes the new online options will not only cut down on call center expenses, but ultimately improve overall customer satisfaction with Windows. Customer satisfaction an area where the Mac has traditionally outpaced the various PC brands.

But Gordon says she hopes to see Windows gain ground. “We are really working on this,” she said.

Although Apple touts its personal touch with its stores, Gordon suggests Microsoft’s high-tech approach might ultimately win it more fans. “If I can help myself without having to go to the mall and sit at a geek bar I will be happier,” she said.

Nonetheless, one of the main features of Microsoft’s two retail stores is an answer desk very similar to the “Genius Bar” found in Apple stores.

As for the questions people ask on Twitter, they range from the expected range of bugs and problems to inquiries about future versions of products. This week, for example, one user asked when to expect Windows 8. Although vague, the answer was at least as direct as anything a reporter would get by asking Redmond.

“It will be a few years until the next official version comes out,” Microsoft replied on the Twitter feed. “Keep an eye out on microsoft.com for future updates.”

In addition to building goodwill and cutting costs, the online forums also allow Microsoft to quickly see when a problem is affecting a significant number of users. Such mechanisms helped Microsoft to recognize and then solve a video driver problem that was causing some users to have their systems hang when they reached 62 percent completion on an upgrade to Windows 7.

Within a week, Microsoft had a solution on its Website and shortly thereafter it posted an automated “Fix It,” essentially a script that a user can click on to have the proper steps done automatically. The Windows 7 upgrade fix has already been used more than 35,000 times, Microsoft said.

“We’re getting people able to meet their needs themselves,” Gordon said.

Source

For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients’ networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from de­­fense to offense. And Mega-D–a powerful, resilient botnet that had forced 250,000 PCs to do its bidding–went down.

Targeting Controllers

Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure. A botnet’s first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet’s Achilles’ heel: Isolate them, and the undirected bots will sit idle. Mega-D’s controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn’t reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.

Synchronized Assault

Mushtaq’s team first contacted Internet service providers that unwittingly hosted Mega-D control servers; his research showed that most of the servers were based in the United States, with one in Turkey and another in Israel.

The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.

Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to no­­where. By cutting off the botnet’s pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.

Finally, FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming. The controllers intended to register and use one or more of the spare do­­mains if the existing domains went down–so FireEye picked them up and pointed them to “sinkholes” (servers it had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
Down Goes Mega-D

MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year (find.pcworld.com/64165). The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw.
Three days later, FireEye’s action had reduced Mega-D’s market share of Internet spam to less than 0.1 percent, MessageLabs says.

FireEye plans to hand off the anti-Mega-D effort to ShadowServer.org, a volunteer group that will track the IP addresses of infected machines and contact affected ISPs and businesses. Business network or ISP administrators can register for the free notification service.
Continuing the Battle

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive.

“FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks. “The question is, will it have a long-term impact?”

Like FireEye, Stewart’s security company protects client networks from botnets and other threats; and like Mushtaq, Stewart has spent years combating criminal enterprises. In 2009, Stewart outlined a proposal to create volunteer groups dedicated to making botnets unprofitable to run. But few security professionals could commit to such a time-consuming volunteer activity.

“It takes time and resources and money to do this day after day,” Stewart says. Other, under-the-radar strikes at various botnets and criminal organizations have occurred, he says, but these laudable efforts are “not going to stop the business model of the spammer.”

Mushtaq, Stewart, and other security pros agree that federal law enforcement needs to step in with full-time coordination efforts. According to Stewart, regulators haven’t begun drawing up serious plans to make that happen, but Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful.

Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

Source