Deactivate the rootkit – Black Hat Vegas 2009
Has been a long time since my last post here… Alfred and I were working very hard for our last research/talk (the continuation of ‘Persistant BIOS Infection’) “Deactivate the rootkit” where we found that Computrace (an Anti-Theft Technology system) comes by default on most of the laptops BIOSes and it can be controlled by an attacker compromising the whole system’s security mechanisms.
Im not going to explain all the research here… a lot has been said about this. We just did a turbo-talk at black hat ( a very long one, im really happy about that) and we didnt have the time to show all the proofs we gathered but we did it through Core. Here is all the stuff. Draw Your Own Conclusions
Then, after some words of the computrace guys denying almost all our findings (here), we made public this page with all the proof, meaning: a tool to detect if your laptop has computrace in it, a network dump showing the first stage of the communication in plain text :S, several videos demonstrating what we said, and a tool to control and redirect computrace.
You can find the Core Security response here:
and the Core’s project page here.
A few pages who covered the talk: