I initially wanted to post it on Wednesday, but I figured I might as well push it ahead a day because the problem is interesting, and there is not much publicity about it out there.
Dan, a buddy of mine, emailed me yesterday about an interesting discovery he made while packet sniffing his own network. He found a Lenovo machine that was secretly calling home at regular time intervals, and the software responsible for this callback was not something the user installed or was aware of. I know what you think – a machine got owned by some malware, not a big deal. Well, it turns out that was not the case. It was something far more sinister.
Here is the story in his own words:
I came across a major “conspiracy” of sorts when a friend had her Lenovo laptop on my network while I was wiresharking the line. Anyway, during my sniffing, I found some odd unsolicited traffic on port 80 coming from her machine to a company called Absolute Software. The name of this “product” is computrace lojack. You may know about this already but I have found that the majority of my techie friends did not understand the scope or seriousness of this technology.
Without writing you a novel let me summarize my findings: 80% of new laptops and many desktops from companies like HP, Dell, Lenovo, Toshiba, even Asus come with this software installed. It is a persistent BIOS level ROOTKIT which gives “Absolute” access to a machine if it is marked as stolen. This includes keylogging, webcam access with the indicator light off, GPS tracking ( if the chip is there ) and skyhook wifi triangulation of the suspected “thief.” Of course, a POC exists whereby an attacker can exploit this “feature” and install a BIOS level rootkit which is impossible to remove without a BIOS edit and a standard flash will not work. And this “feature” is hardly known by people who own the hardware.
In some systems, a second or third chip on the mobo and the NIC will even rewrite the BIOS if altered. Talk about persistent spyware!
Now, the information is all verifiable. You likely have this software running on some of your own Windows systems as rpcnet.exe or via svchost.exe -rpcss, there are many variants and this works on OSX too. So far none on Linux, but an attacker could easily add scripts to load in Linux.
Please spend a day or week looking at your own wire, the wire at your office, etc. This is a major thing and the youtube videos from Absolute only have about 3000 hits so it seems as if nobody even knows. I am currently attempting to make a utility that can remove the software from many BIOS versions but as you know, messing with a BIOS the wrong way can brick a machine so it will not be easy. We need to get this into the COMMON KNOWLEDGE file and get this thing off of machines. It claims to be theft protection but it is so exploitable.
Now I have heard of these “Computer LowJack” things, seen them advertised in brochures but I never really paid attention. It was not something I would use, and I assumed that even if I bought a machine with such a feature, it would be strictly opt-in and a complete wipe and clean OS installation (more or less my standard practice) would be enough to exorcise it from the machine. I did not realize it hooked so deeply into the hardware. This is the kind of shit that RMS always rants about when we don’t listen.
Just to show that Dan has not made it up, here are some other corroborating sources out there. This technology has been around for years. The security community has known about it for a while. But there is little public outcry about it. Few people seem to care or even realize how many machines are affected. No one is really making any noise about it.
Why should we be making noise? Because it is exploitable. It’s not foolproof – there is no software that is immune to tampering. Ask DRM makers – they have been trying to develop tamper-free systems for decades now and made absolutely no headway. If you subvert the low level Absolute Software rootkit, you get full control over the machine for free. Even worse, in order to make this “LowJack” thing work, most major AV suites have learned to ignore all the processes involved in this shady business.
Do you remember the Sony Rootkit scandal from a few years ago? This is actually worse. It goes deeper, it is harder to remove, and if exploited it offers an attacker much more power. It’s essentially a ticking time bomb, and if someone produces malware that can successfully subvert it, it will have huge implications for global security. Just think about it – right now we have thousands if not millions of computers out there with remote access trojans baked right into their BIOS and ignored by most AV suites. Someone merely needs to figure out an easily repeatable way to point it at their own server, and then make it a payload of some potent viral delivery mechanism. And then boom – instant low level control of the affected machines. Who knows whether there are botnets of this type out there already. Think what you could do if you could build a large enough collection of infected machines that give you access to everything – including the webcam and GPS. Industrial espionage, identity theft, mega stalking – the possibilities are endless.
Sony fucked up by using a very underhanded stealth-install method which blew up in their face. That’s actually why there even was a scandal. Absolute Software is actually doing this the right way. Their software is a part of the OEM package. You get it with your computer, enabled by default, and probably agree to having it installed as part of the purchase process. It is not as scandalous, but still quite dangerous. It wouldn’t be the first time that a “software security feature” turns into a gaping security hole because of a small flaw in the design.
If you are wondering whether your machine is infested with Absolute Software goodies, check the compatibility list on the vendor’s own website. It seems that they ship their software with a wide range of models including Dell, HP, Acer, Samsung, Toshiba, etc.
I don’t think I currently own or have access to any of the listed models so I can’t say much beyond this. If you do, maybe you can mess around, run some tests and share your results. How hard is it to exploit? How hard is it to remove?
I’ve been talking to Dan about setting up some sort of a Wiki where we could pool some knowledge about this issue, unless one exists already. If you know of one, let me know. If you have worked on this issue in the past, we would love to hear your findings. Useful things would be:
- Easy ways to identify that the Absolute Software LowJack is installed and active on your system (other than packet sniffing – something end users could do)
- Patterns to look for in wireshark logs so that admins can identify, flag and block this traffic on their networks. Are there different variants? Is it always calling home on port 80? Does it have a fall-back method of communicating with the base?
- Possible removal methods – is there an official opt-out setting? Can you manually prevent it from executing? Can you modify the BIOS to get rid of it?
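As a starting point for the second item on that list (patterns an admin could flag on the wire), here is an added example of the kind of triage script I would run over exported connection records. It is not code from the original post, from Dan, or from Absolute Software. It does two things the post describes: it flags hosts where a process named rpcnet.exe opened outbound connections, and it flags (source, destination) pairs on port 80 whose connection timestamps are spaced at a suspiciously regular interval, which is what a scheduled call-home looks like in a capture. All hostnames, addresses (203.0.113.10, 198.51.100.7) and timestamps are constructed sample data, and the 10% jitter threshold and minimum of four hits are my own assumptions.

```python
"""Triage outbound connection records for regular-interval port-80 call-homes.

Added example, not part of the original post. The sample data below is
constructed; the destination addresses are documentation-range placeholders,
not Absolute Software's real endpoints.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one tuple per outbound connection:
# (epoch seconds, source host, destination ip, destination port, process name).
# laptop-a: five connections exactly 900 s apart from rpcnet.exe (beacon-like).
# laptop-b: ordinary browsing at irregular intervals from firefox.exe.
# laptop-c: only two hits to the same address, too few to judge.
SAMPLE_CONNECTIONS = [
    (1000, "laptop-a", "203.0.113.10", 80, "rpcnet.exe"),
    (1900, "laptop-a", "203.0.113.10", 80, "rpcnet.exe"),
    (2800, "laptop-a", "203.0.113.10", 80, "rpcnet.exe"),
    (3700, "laptop-a", "203.0.113.10", 80, "rpcnet.exe"),
    (4600, "laptop-a", "203.0.113.10", 80, "rpcnet.exe"),
    (1010, "laptop-b", "198.51.100.7", 80, "firefox.exe"),
    (1075, "laptop-b", "198.51.100.7", 80, "firefox.exe"),
    (2300, "laptop-b", "198.51.100.7", 80, "firefox.exe"),
    (2340, "laptop-b", "198.51.100.7", 80, "firefox.exe"),
    (1500, "laptop-b", "198.51.100.7", 443, "svchost.exe"),
    (1200, "laptop-c", "203.0.113.10", 80, "svchost.exe"),
    (2100, "laptop-c", "203.0.113.10", 80, "svchost.exe"),
]

# Process name the post names as a known variant; assumption: exact-name match is enough here.
SUSPECT_PROCESSES = {"rpcnet.exe"}


def periodic_destinations(records, port=80, min_hits=4, max_jitter=0.10):
    """Return [(src, dst, mean_gap_seconds)] for (src, dst) pairs on `port`
    with at least `min_hits` connections whose gaps are regular, i.e. the
    coefficient of variation (stddev / mean) is at most `max_jitter`."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _proc in records:
        if dport == port:
            by_pair[(src, dst)].append(ts)

    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # not enough samples to call it periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((src, dst, avg))
    return flagged


def suspicious_process_hosts(records):
    """Return sorted (src, process) pairs where a suspect process made outbound connections."""
    hits = {(src, proc) for _ts, src, _dst, _dport, proc in records
            if proc.lower() in SUSPECT_PROCESSES}
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, gap in periodic_destinations(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}:80 every ~{gap:.0f}s (regular beacon)")
    for src, proc in suspicious_process_hosts(SAMPLE_CONNECTIONS):
        print(f"{src}: outbound connections from {proc}")
```

The output is a triage list, not a verdict: software updaters and monitoring agents also beacon at fixed intervals, so a flagged pair still needs the destination and the originating process looked at together, which is why the script reports both. Tightening `max_jitter` reduces false positives from bursty browsing; raising `min_hits` is the knob for how long a capture you need before trusting the result.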
If this is old and stale news for you, then I apologize. I will have fresh content on Friday.