Absolute Computrance Rootkit

I initially wanted to post it on Wednesday, but I figured I might as well push it ahead a day because the problem is interesting, and there is not much publicity about it out there.

Dan, a buddy of mine, emailed me yesterday about an interesting discovery he made while packet sniffing his own network. He found a Lenovo machine that was secretly calling home at regular time intervals, and the software responsible for this callback was not something the user had installed or was aware of. I know what you think – a machine got owned by some malware, not a big deal. Well, it turns out that was not the case. It was something far more sinister.

Here is the story in his own words:

I came across a major “conspiracy” of sorts when a friend had her Lenovo laptop on my network while I was wiresharking the line. Anyway, during my sniffing, I found some odd unsolicited traffic on port 80 coming from her machine to a company called Absolute Software. The name of this “product” is Computrace LoJack. You may know about this already but I have found that the majority of my techie friends did not understand the scope or seriousness of this technology.

Without writing you a novel let me summarize my findings: 80% of new laptops and many desktops from companies like HP, Dell, Lenovo, Toshiba, even Asus come with this software installed. It is a persistent BIOS level ROOTKIT which gives “Absolute” access to a machine if it is marked as stolen. This includes keylogging, webcam access with the indicator light off, GPS tracking (if the chip is there) and Skyhook wifi triangulation of the suspected “thief.” Of course, a POC exists whereby an attacker can exploit this “feature” and install a BIOS level rootkit which is impossible to remove without a BIOS edit, and a standard flash will not work. And this “feature” is hardly known by people who own the hardware.

In some systems, a second or third chip on the mobo and the NIC will even rewrite the BIOS if altered. Talk about persistent spyware!

Now, the information is all verifiable. You likely have this software running on some of your own Windows systems as rpcnet.exe or via svchost.exe -rpcss; there are many variants and this works on OSX too. So far none on Linux, but an attacker could easily add scripts to load in Linux.

Please spend a day or week looking at your own wire, the wire at your office, etc. This is a major thing and the YouTube videos from Absolute only have about 3000 hits so it seems as if nobody even knows. I am currently attempting to make a utility that can remove the software from many BIOS versions but as you know, messing with a BIOS the wrong way can brick a machine so it will not be easy. We need to get this into the COMMON KNOWLEDGE file and get this thing off of machines. It claims to be theft protection but it is so exploitable.

Now I have heard of these “Computer LowJack” things, seen them advertised in brochures but I never really paid attention. It was not something I would use, and I assumed that even if I bought a machine with such a feature, it would be strictly opt-in and a complete wipe and clean OS installation (more or less my standard practice) would be enough to exorcise it from the machine. I did not realize it hooked so deeply into the hardware. This is the kind of shit that RMS always rants about when we don’t listen.

Just to show that Dan has not made it up, here are some other corroborating sources out there. This technology has been around for years. The security community has known about it for a while. But there is little public outcry about it. Few people seem to care or even realize how many machines are affected. No one is really making any noise about it.

Why should we be making noise? Because it is exploitable. It’s not foolproof – there is no software that is immune to tampering. Ask DRM makers – they have been trying to develop tamper-free systems for decades now and made absolutely no headway. If you subvert the low level Absolute Software rootkit, you get full control over the machine for free. Even worse, in order to make this “LowJack” thing work, most major AV suites have learned to ignore all the processes involved in this shady business.

Do you remember the Sony Rootkit scandal from a few years ago? This is actually worse. It goes deeper, it is harder to remove, and if exploited it offers the attacker much more power. It’s essentially a ticking time bomb, and if someone produces malware that can successfully subvert it, it will have huge implications for global security. Just think about it – right now we have thousands if not millions of computers out there with remote access trojans baked right into their BIOS and ignored by most AV suites. Someone merely needs to figure out an easily repeatable way to point it at their own server, and then make it the payload of some potent viral delivery mechanism. And then boom – instant low level control of the affected machines. Who knows whether there are botnets of this type out there already. Think what you could do if you could build a large enough collection of infected machines that give you access to everything – including the webcam and GPS. Industrial espionage, identity theft, mega stalking – the possibilities are endless.

Sony fucked up by using a very underhanded stealth-install method which blew up in their face. That’s actually why there even was a scandal. Absolute Software is actually doing this the right way. Their software is a part of the OEM package. You get it with your computer, enabled by default, and probably agree to having it installed as part of the purchase process. It is not as scandalous, but still quite dangerous. It wouldn’t be the first time that a “software security feature” turns into a gaping security hole because of a small flaw in the design.

If you are wondering if your machine is infested with Absolute Software goodies, check the compatibility list on the vendor’s own website. It seems that they ship their software with a wide range of models including Dell, HP, Acer, Samsung, Toshiba, etc.

I don’t think I currently own or have access to any of the listed models so I can’t say much beyond this. If you do, maybe you can mess around, run some tests and share your results. How hard is it to exploit? How hard is it to remove?

I’ve been talking to Dan about setting up some sort of a Wiki where we could pool some knowledge about this issue, unless one exists already. If you know of one, let me know. If you have worked on this issue in the past, we would love to hear your findings. Useful things would be:

  1. Easy ways to identify whether the Absolute Software LowJack is installed and active on your system (other than packet sniffing – something end users could do)
  2. Patterns to look for in Wireshark logs so that admins can identify, flag and block this traffic on their networks. Are there different variants? Is it always calling home on port 80? Does it have a fall-back method of communicating with the base?
  3. Possible removal methods – is there an official opt-out setting? Can you manually prevent it from executing? Can you modify the BIOS to get rid of it?
  4. Etc.
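As an added example (not from the post, from Dan, or from Absolute), here is one way to turn point 2 into something an admin can run instead of eyeballing pcaps: a beaconing check over connection-log lines that flags any flow calling the same port-80 destination at near-constant intervals, which is exactly the pattern Dan spotted. The log lines, hosts and addresses are constructed; nothing here identifies Absolute’s real servers or the real callback period.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (NOT real Computrace traffic): one host
# calls the same port-80 destination every ~900 s; another host just browses.
# Columns: ISO timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2011-09-12T08:00:01 192.168.1.23 203.0.113.10 80
2011-09-12T08:03:17 192.168.1.40 198.51.100.7 80
2011-09-12T08:15:02 192.168.1.23 203.0.113.10 80
2011-09-12T08:21:44 192.168.1.40 198.51.100.9 443
2011-09-12T08:30:00 192.168.1.23 203.0.113.10 80
2011-09-12T08:31:05 192.168.1.40 198.51.100.7 80
2011-09-12T08:45:01 192.168.1.23 203.0.113.10 80
2011-09-12T09:00:02 192.168.1.23 203.0.113.10 80
2011-09-12T09:02:59 192.168.1.40 198.51.100.11 80
"""

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from one-connection-per-line text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_beacons(records, min_hits=4, max_jitter=0.1):
    """Return {(src, dst, dport): period_seconds} for flows whose inter-connection
    gaps are nearly constant: at least min_hits connections and stdev/mean of the
    gaps no larger than max_jitter. Human browsing has far higher jitter."""
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons

if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport} calls home about every {period} s")
```

Feed it a real export (e.g. Wireshark conversation statistics or firewall connection logs reduced to those four columns) and tune min_hits to cover at least a few expected callback periods.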

If this is old and stale news for you, then I apologize. I will have fresh content on Friday.

This entry was posted in sysadmin notes.



12 Responses to Absolute Computrance Rootkit

  1. Gothmog says:

    Holy fuck. We’ve just deployed 100+ of the HP Elitebook 8440p. And we’re a healthcare shop with HIPAA concerns. My IT director is going to FREAK.

  2. Luke Maciak says:

    @ Gothmog:

    Damn. Well, the good news is that there seems to be no published exploit code out there yet. The vulnerability has been known since 2009 but I was unable to find any legit proof-of-concept code showing it can be easily owned.

    How does HIPAA handle cases in which your machines have been pre-rooted by a manufacturer?

  3. Dan says:

    Looks like it is already exploitable.

    Please see my wiki; I added some of the many links that explain how the security group CORE exploited it already.

    http://computracerootkit.wikia.com

    Look under the “links” page for more info.

    It might be old news but many machines are still affected.

    Beyond this if you are using Intel® vPro™ Technology at all you have what is known as a hardware rootkit, which is impossible to uninstall without damaging the machine.

    Spread the word!

  4. Morghan says:

    I have an HP DV6 and was looking into a Panasonic CF31, both are on the list. I’m sure that killing it in the BIOS, which I did on day one with the HP, won’t keep it from being triggered. If that would work it wouldn’t do you much good for the official purpose.

  5. Mike says:

    Note that while certainly not a panacea, open rulesets (VRT, ET) for IDS like Snort and Suricata have had matchers to detect this (among a gazillion other) crapware since 2011, in exactly the same way Dan did, by looking at the traffic.
    Could be a better general suggestion than digging through pcap dumps with your own eyeballs.

  6. Alphast says:

    I am also interested in one issue here: Lenovo is a Chinese company and most PCs are made in China. Software companies are usually US based. Does that mean that this rootkit (which has been specifically designed to allow gov agencies to look into PCs, according to the patent) allows the US or the Chinese government to control our laptops? I know it sounds paranoid, but we are talking about cameras, keyboard recording and so on…

  7. Luke Maciak says:

    @ Dan:

    Thanks. I’ll see if I can contribute some stuff to it if I get a chance.

    @ Morghan:

    Well, yes and no. There should be a legit way to disable it so that the owners could prevent tracking/spying if they wanted to. A criminal could use that feature too, but the logic is that a dude who burglarizes your house or your car is probably not going to bother to do that. But yeah… It could be that they don’t provide an actual off switch for legit customers.

    @ Mike:

    Good point. Maybe we could link up actual products and/or rulesets that do this on the wiki.

    @ Alphast:

    Well, we’re getting into spy movie territory here but this is technically a possibility. I bet that’s not what they are doing though. It’s probably wiser to instead develop state sponsored malware that exploits the Computrace rootkit and uses it to mask its activity. The Stuxnet hoopla proved that this is perfectly doable, and deniable because it’s indirect.

  8. dan says:

    @ Alphast:

    You got that information from the patent? Please post that here?

  9. dan says:

    @ Morghan:

    It is really hard to believe. The vPro chip also has a hardware rootkit built into it. If you guys could look into the patents and such on that technology maybe we can shed light on exactly what all these new technologies are meant to do. Anti-theft tech should be a legitimate consumer option, not a baked in FORCED “feature.” This is a huge privacy issue. I found no response from the ACLU and EFF and I think there should have been. My two cents.

  10. Dan says:

    http://it.slashdot.org/story/09/07/31/1337202/bios-rootkit-preloaded-in-60-of-new-laptops

    Well this is old news but it is still happening now with many new variants and I am still stunned by the lack of people who know about this threat and some of the hardware rootkits.

    Hopefully this gets more attention. Maybe the nature of the threat makes people feel overwhelmed. I am not sure. I wish there was more discussion.

  11. Mike Welsh says:

    I don’t run a Windows system on my ASUS netbook. I run Linux/Ubuntu. Does that mean that my netbook will not be affected?

