Deactivate the rootkit – Black Hat Vegas 2009

BlackHat 2009 - Vegas

It has been a long time since my last post here… Alfred and I were working very hard on our latest research/talk (the continuation of ‘Persistent BIOS Infection’), “Deactivate the rootkit”, where we found that Computrace (an anti-theft technology) comes by default in most laptop BIOSes and can be controlled by an attacker, compromising the whole system’s security mechanisms.

I’m not going to explain all the research here… a lot has been said about it. We only did a turbo-talk at Black Hat (a very long one, I’m really happy about that) and we didn’t have the time to show all the proofs we gathered, but we did it through Core. Here is all the stuff. Draw your own conclusions.

Slides: Black Hat – Las Vegas 2009

White Paper : Black Hat – Las Vegas 2009

Then, after the Computrace guys denied almost all our findings (here), we made public this page with all the proof, meaning: a tool to detect if your laptop has Computrace in it, a network dump showing the first stage of the communication in plain text :S, several videos demonstrating what we said, and a tool to control and redirect Computrace.

You can find the Core Security response here, and Core’s project page here.

A few pages that covered the talk:

Slashdot

ZDNet

SecurityFocus

Reddit


~ by aLS -- on September 11, 2009.

32 Responses to “Deactivate the rootkit – Black Hat Vegas 2009”

  1. I am wondering why the general press does not seem to care much about the vulnerability. Is it that there is really a low risk that this could compromise systems en masse? I also wonder, if the claims are false as Absolute Software says, then why didn’t they file a lawsuit? They seem to be quite a litigious company; one would think that if you guys were making outrageous and unfounded claims they would come after you legally.

  2. Oh, I missed your post, sorry.
    I wonder the same. Well, not… In fact, I think the answer is pretty obvious. I know that what we said is true. The proof is out there. So, if you have doubts and want to be sure, please check the tools and papers at the Core Security web page.

  3. Great read, will come back for more soon, thanks

  4. I bought a Dell notebook 5 days ago with Computrace LoJack installed. What can I do to remove this software? Is there any tool to do it? The Computrace guys told me they can remove the software with remote access. Is it really true? Do they completely remove the software at the BIOS level?

  5. Well, I recommend you read all the links in this post to fully understand the implications of having Computrace installed in your BIOS.

    It’s almost impossible to remove the on-BIOS Computrace stub in a safe way. I’m sure what the Computrace guys told you was that they can remove the *software installed on the hard drive* and not the BIOS stub.

    I think your best option will be to periodically check whether the Computrace agent is installed and running on your system. It’s fully explained in the white paper.

  6. From Spain:
    I read the white paper, the slides and some forums about this software. I understand the danger of this BIOS software. I think Big Brother is looking inside our laptops and netbooks, and I don’t like this at all. I know it is difficult to erase the software, and the Computrace research team will only remove the software at the OS level but not at the BIOS. So the danger is here. I read about the Dell Inspiron series BIOS in your papers, but I don’t know if it will work on a DELL STUDIO SERIES. I also read about DCCU (from Dell) and how to reset the NVRAM. Will it work on a Dell Studio series model? I think a lot of responsible people don’t want to have a danger like that inside their laptop. Most of them are not programming experts. We need somebody to protect us (a thief is not a big problem, compared to somebody looking inside your life). Could you give us any way to protect ourselves? We don’t need big corps controlling us. We need to be free users.

  7. You’re right, my friend. It’s not nice to realize that you have a monitoring piece of software deep inside your laptop’s hardware. Especially when it’s such insecure, badly coded software.

    The NVRAM just holds the flag which indicates whether the agent is enabled or not in the OS. But a first-stage rootkit can modify it in the same way as you can. So, there isn’t much you can do about it.

    Just be careful and take a look at the processes you have running. Be aware of those rpcnet* processes and services around there.

    I think it would be possible to develop a customized signature for the AV of your choice. I’m gonna think a bit more about it…

  8. Thanks a lot for your words. Can I buy a new motherboard with a clean BIOS or so? I don’t want this software at all. Is there any possible way to have a secure laptop?
    Excuse my questions, but I’m really angry at having this software installed: vulnerable, spying, and impossible to erase, even after talking with Dell consumer service and Computrace LoJack support.

  9. Mr. Sacco, I have 3 options in my BIOS about Computrace LoJack. One says enable, another says disable, and another deactivate. Which one must I select to stop this service at the BIOS? Deactivate?
    I also set a password for the BIOS, for the HDD and for administrative rights. Is that enough to be safe from Computrace security problems?

  10. Well… almost. As we showed in our presentation and in the released videos (http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Deactivate_the_Rootkit), the option in the BIOS setup can be modified by a user with admin privileges.

    But, as a first step, it’s OK. Do what I told you before: be careful and periodically take a look at the processes you have running. Be aware of those rpcnet* processes and services around there.

    Hope to see you here again.

  11. Is it true that if you do not run a Windows operating system on your PC and instead run a Linux distro operating system you will not be affected by the rootkit?

  12. Exactly. The agent deployed by the Computrace stub is a Windows binary. It tries to find the Windows registry and some specific Windows files. Therefore, it’s not gonna work when another OS is installed.

    But keep in mind that the BIOS stub gets executed every time, on every boot, and that part is completely OS-independent, so you will never know if a further ‘update’ adds support for a different OS. :S

    Anyway, at the time we did the research, Linux users were safe.

    Thank you for visiting my blog. Hope to see you soon.

  13. Thanks aLS,

    I mostly use Linux Ubuntu on my Toshiba laptop vintage May 2005. The laptop is dual boot and I checked my Windows XP for the Remote Procedure Call (RPC) Net. It is not in the Services list. I guess that Toshiba did not build in the Computrace BIOS stub for this particular model. Maybe the Computrace BIOS stub is more common in laptops issued by large organisations to their employees. There have been some scandalous losses of laptops by large organisations here in the UK containing sensitive information including such for many thousands of people. Government bodies were some of the laptop owners. It has been a disgrace and I wonder if the organisations even bothered to make sure their laptops had the Computrace BIOS stub.

  14. Oh no no, as far as I know the buyer can’t ask for laptops with an infected BIOS. We found Computrace in every kind of laptop (supermarkets, common computer stores, etc). It’s true that not every vendor is putting Computrace in its laptops, but it doesn’t look like a targeted attack.

    I’m glad to hear you’re using Linux. We’ve made public a little tool to look for Computrace in your BIOS. It’s entirely coded in Python, so you can check it first if you want. It only depends on ‘flashrom’ and ‘upx’, which are available in the Ubuntu repositories.

    You can find it here: http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=researcher&page=Anibal_Sacco&file=publication%2FDeactivate_the_Rootkit%2FdumpComputrace.py

    I suggest you test it and, if possible, let us know if that specific model is clean or not.

    Cheers.

  15. Ubuntu’s Synaptic package manager shows lots of BIOS tools. What’s the name of the tool you have made public please?

  16. The link in my previous comment. That is the tool.
    You have to install flashrom and upx before running it.

  17. Here is another command you can use in linux to detect Computrace:

    $ sudo dmidecode | grep ABSOLUTE

    And here is a funny Google query revealing many “Computraced” BIOS information entries:
    http://www.google.com/search?q=BIOS+Information+%22ABSOLUTE(PHOENIX)%22

  18. What must one look for, please? I get no visible output from sudo dmidecode | grep ABSOLUTE, but for sudo dmidecode I get lots of output at the terminal.
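As an added example (not the post’s dumpComputrace.py tool nor any Core Security or Absolute code), here are the two checks the comments above describe, the ABSOLUTE string in the dmidecode output (comment 17) and an rpcnet* process (comment 7), run offline over a constructed dmidecode dump and process list; which SMBIOS field carries the marker on a real machine is an assumption, so every field of every record is searched.

```python
import re

# Constructed sample dmidecode output (not captured from a real machine); which
# field carries the ABSOLUTE(PHOENIX) marker is an assumption, so all are scanned.
SAMPLE_DMIDECODE = """\
# dmidecode 2.9
SMBIOS 2.4 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: Phoenix Technologies LTD
\tVersion: 1.0.3 ABSOLUTE(PHOENIX)
\tRelease Date: 02/15/2008

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: ExampleVendor
\tProduct Name: Laptop-1234
"""
# Constructed Windows process list; rpcnet* is the agent name the comments give.
SAMPLE_PROCESSES = ["explorer.exe", "rpcnet.exe", "svchost.exe"]
MARKERS = ("ABSOLUTE", "COMPUTRACE")

def parse_dmidecode(text):
    """Split a dmidecode dump into records of {handle, type, title, fields}."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = re.match(r"Handle (0x[0-9A-Fa-f]+), DMI type (\d+)", lines[0])
        if not m or len(lines) < 2:
            continue  # banner lines such as "# dmidecode 2.9" are not records
        fields = {}
        for line in lines[2:]:
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        records.append({"handle": m.group(1), "type": int(m.group(2)),
                        "title": lines[1].strip(), "fields": fields})
    return records

def find_computrace_indicators(dmidecode_text, processes):
    """Return human-readable findings; an empty list means nothing was seen."""
    findings = []
    for rec in parse_dmidecode(dmidecode_text):
        for key, value in rec["fields"].items():
            if any(mk in value.upper() for mk in MARKERS):
                findings.append(f"SMBIOS {rec['title']} ({rec['handle']}) {key}: {value}")
    findings += [f"process matching rpcnet*: {p}" for p in processes
                 if p.lower().startswith("rpcnet")]
    return findings
```

On a real Linux box you would feed it the text of `sudo dmidecode` instead of the sample; an empty result, as in comment 18, means neither marker was seen, not that the BIOS stub is absent.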

  19. Ubuntu, you have nothing that the governments want. You have absolutely nothing to fear.

  20. Not quite true, Alfred. They want me to pay more taxes, and some, to reduce the Labour party’s legacy of a £700 billion plus national/public debt.
    OTOH there is a recent scare here in the UK.
    “Zeus V3 trojan. £675,000 stolen. 3,000 customer bank accounts compromised”.
    http://www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf
    Clearly the cyber-criminals are raiding bank accounts.
    I wonder what Black Hat network security’s reaction is to ZEUS V3?

  21. That’s very little money. A Nigerian fisherman probably compromises that number of bank accounts per week. Nono, wait! This is crazy!

  22. [...] showed that we were not alone in this. In 2009 Anibal Sacco and Alfredo Ortega presented their research on this product at Black Hat Vegas (which I attended, but missed this interesting talk) and [...]

  23. Just wondering – what might be the steps to use the detector on the BIOS if one doesn’t already have a Linux distro like Ubuntu installed? Is there a good way to do it with a LiveCD or live USB boot or similar?

    Can’t believe so many people are complacent about a rootkit installed with manufacturer collusion. Thanks for some great research!

  24. I bought a bulky laptop from a school, they were getting rid of old laptops. I paid 175; i3, 250 GB, 2 GB RAM. It’s more than enough for me, but I just went into the BIOS and found Computrace.
    I have 3 options:
    deactivate
    disable
    activate

    To my understanding, if I’m able to see these 3 options it means that nobody registered the laptop with the LoJack company, but I still want to get rid of this thing. If I click disable the following window pops up:

    “you will not be able to change the setting once the feature is activated of disabled ” are you sure you want to save the setting” ?

    Before I click Yes, will I get rid of Computrace?? I want to have Linux anyway but I also want Windows 7, and I would hate to have spyware on my system.

    I know the IT guys in this school; I’m going to ask them if they activated Computrace, probably they have no clue lol.

    Thank you Als and everybody who posted / commented here.

    In my opinion, some good samaritan programmer needs to come up with an idea for some type of Windows application to shut down or hold Computrace from working while Windows is running.

    COMPUTRACE IS CREEPY YO!!!1

    (btw I believe in Lojacking shit up , ex. cars, expensive electronics.. but this is BS).

    Thanks again Als! hope you read my msg.

    • Hi Martino.
      You are right. Theoretically, you can disable Computrace by choosing the “Disable” option in the BIOS.
      Of course, as it is just a flag in CMOS and the Computrace BIOS stub will still be in the BIOS, there is no guarantee that it’s not gonna be activated through other ways.
      The only method to effectively remove the Computrace BIOS stub is via a BIOS modification. Although, I think it’s almost impossible to develop a generic technique to do it. Leaving aside the fact that if your computer has a signed BIOS it can’t be modified :(

      On the other hand, the Computrace BIOS stub usually spawns a process named rpcnet.exe. Until they change this, you can use it to know if Computrace is activated on your machine.
      Glad to see your interest in this topic. See you!

  25. Hello aLS, well I “disabled” it on my laptop.

    I will assume (correct me if I’m right or wrong) that it cannot be activated or enabled through the internet, and that whoever wants to enable it again will have to have physical access and mess with it like this guy:
    http://www.youtube.com/watch?v=CZHl-yxGHUc
    (Activating Computrace Rootkit, CoreSecurityTech)

    btw is this you (video)?

    This should be on TV!! Here is the list from Absolute Software http://www.absolute.com/partners/bios-compatibility

    If more people know about this maybe they can sue, forcing companies like HP, Acer, Sony to release BIOS updates to remove it.

    • Hey Martino, you’re almost right. It can be activated if somebody gains access to your machine with admin privileges. He doesn’t need to have physical access.

      And yes, that’s our video. Both Alfredo and I made that video some time ago for a presentation. We did everything we could to spread our concerns. Actually, we presented this research at two of the biggest security conferences around there, BlackHat USA and Ekoparty, but yes, much more can be done.

  26. 8-) Interesting … and if you search for Computrace on YouTube only a dozen videos come up.

    Sorry to bother ya, but what did you mean by “gaining access to your machine with admin privileges”? You mean hacking into my laptop/Windows and running the Python program?

    If it’s now “disabled”, is it possible for Absolute to re-enable it without me knowing?

    I’m sure more peeps are reading this and have the same question.

    fuck computrace, and i thought I was in America.

  27. [...] lies in the fact that in 2009, at the Black Hat Briefings conference, it turned out that this monitoring technology contains a serious flaw, because of which it is possible to turn this technology around [...]

  28. What you published made a bunch of sense. However, think on this: what if you added a little information? I ain’t suggesting your information is not solid, but what if you added a title that grabbed a person’s attention? I mean “Deactivate the rootkit – Black Hat Vegas 2009 | Exploiting Stuff” is kinda vanilla.
    You should glance at Yahoo’s front page and watch how they create post headlines to get viewers interested.
    You might add a video or a related pic or two to get readers interested about everything you’ve got to say. In my opinion, it would make your posts a little bit more interesting.
