Deactivate the rootkit – Black Hat Vegas 2009

BlackHat 2009 - Vegas

It has been a long time since my last post here… Alfred and I were working very hard on our latest research/talk (the continuation of ‘Persistent BIOS Infection’), “Deactivate the rootkit”, where we found that Computrace (an anti-theft technology system) ships by default in the BIOS of most laptops and can be controlled by an attacker, compromising the whole system’s security mechanisms.

I’m not going to explain all the research here… a lot has been said about it already. We only did a turbo-talk at Black Hat (a very long one, I’m really happy about that) and didn’t have the time to show all the proofs we gathered, but we did publish them through Core. Here is all the stuff. Draw your own conclusions.

Slides: Black Hat – Las Vegas 2009

White Paper : Black Hat – Las Vegas 2009

Then, after some words from the Computrace guys denying almost all our findings (here), we made this page public with all the proof, meaning: a tool to detect whether your laptop has Computrace in it, a network dump showing the first stage of the communication in plain text :S, several videos demonstrating what we said, and a tool to control and redirect Computrace.

You can find the Core Security response here, and Core’s project page here.

A few pages that covered the talk:

Slashdot

ZDNet

SecurityFocus

Reddit

~ by aLS -- on September 11, 2009.

3 Responses to “Deactivate the rootkit – Black Hat Vegas 2009”

  1. I am wondering why the general press does not seem to care much about the vulnerability. Is it that there is really a low risk that this could compromise systems en masse? I also wonder: if the claims are false, as Absolute Software says, then why didn’t they file a lawsuit? They seem to be quite a litigious company; one would think that if you guys were making outrageous and unfounded claims they would come after you legally.

  2. Oh, I missed your post. Sorry.
    I wonder the same. Well, not… In fact, I think the answer is pretty obvious. I know that what we said is true. The proof is out there. So, if you have doubts and want to be sure, please check the tools and papers at the Core Security web page.

  3. Great read, will come back for more soon, thanks
