Did you grant permission for LoJack-like software to establish secret communications and connect to a server each time you boot up your laptop or PC? The answer is probably no, yet most PCs have the anti-theft software Absolute Computrace embedded in their BIOS/UEFI. Although it is legitimate software, it behaves a lot like malware, leaving a "backdoor" that could allow attackers to execute code remotely. In fact, at Black Hat USA, researchers used Computrace vulnerabilities to remotely wipe a brand new out-of-the-box Windows 8 x64 laptop.
"Absolute Backdoor Revisited" was presented by Kaspersky Lab's Vitaly Kamluk and Sergey Belov, along with Anibal Sacco from Cubica Labs. During their presentation (pdf), they abused Computrace in multiple live demos to show how an attacker could take complete control of a PC. They are not certain whether Computrace came to be enabled by default on so many PCs through human error or was switched on unintentionally by manufacturers, but they don't believe it was introduced with malicious intent. “Computrace was designed with good intentions, but our research shows that vulnerabilities in this software can turn a useful tool into a powerful weapon for cybercriminals.”
The behaviors of the software include “many tricks that are popular in actual malware” such as:
It has specific anti-debugging and anti-reverse engineering techniques, injects into the memory of other processes, establishes secret communication, patches system files on disk (autochk.exe), keeps configuration files encrypted, and finally drops a Windows executable directly from BIOS/UEFI. Such aggressive behavior by Computrace Agent was the reason it was detected as malware in the past.
Yet the flagging of Computrace as malware didn’t last long, as detection was “later removed by Microsoft and some AV vendors. Computrace executables are currently whitelisted by most AV companies.”
The researchers added (pdf):
We believe that such a powerful tool needs to have powerful authentication and encryption mechanisms to continue fighting the good fight. We have no reasons to think that Absolute Software or any PC manufacturers secretly activate persistence, but it's clear that if there are a lot of computers with activated Computrace agents, it is the responsibility of the manufacturers and Absolute Software to notify those users and explain how they can deactivate it if they don't want to use Absolute Software services. Otherwise, these orphaned agents will keep on running unnoticed and provide opportunities for remote exploitation.
Earlier this year, Kaspersky's Kamluk said of Computrace:
The software is extremely flexible. It’s a tiny piece of code which is a part of the BIOS. As far as it is a piece of the BIOS, it is not very easy to update the software as often. So they made it very extensible. It can do nearly anything. It can run every type of code. You can do to the system whatever you want. Considering that the software is running on these local system privileges, you have full access to the machine. You can wipe the machine, you can monitor it, you can look through the webcam, you can actually copy any files, you can start new processes. You can do absolutely anything.
You can see if you have Computrace on your machine by checking the process list for “rpcnetp.exe” or “rpcnet.exe.” A name check will miss the agent if an attacker has renamed it and is using it as a backdoor, so for that case the researchers suggested scanning the hard drive with a specific YARA rule. Their presentation also listed ways that Computrace can be detected on the network.
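The two host-side checks just described, as an added example in Python; this is not code from the article, from Kaspersky Lab or from Absolute Software. It parses the CSV output of the Windows `tasklist` command for the two process names the article gives, and it walks a directory tree looking for the agent binary. Because the researchers' YARA rule is not reproduced on this page, the on-disk check instead catches renamed copies by content hash: any file whose SHA-256 equals that of a file carrying a known agent name is reported. The `tasklist` sample and the `SAMPLE_TREE` file contents are constructed stand-ins so the script runs offline on any OS.

```python
"""Check a Windows host for the Absolute Computrace user-mode agent.

Added example; not code from the original article, Kaspersky Lab or Absolute.
It performs the two checks the article describes: looking for the agent's
process names (rpcnetp.exe / rpcnet.exe) and looking for copies of the agent
binary on disk. The disk check matches by content hash rather than by name,
so a copy an attacker renamed to hide it as a backdoor is still reported.
This stands in for the researchers' YARA rule, which is not reproduced here.
Standard library only; sample inputs below are constructed for offline runs.
"""
import csv
import hashlib
import io
import os
import platform
import subprocess
import tempfile

# Process/file names the article says the agent runs under.
AGENT_NAMES = {"rpcnetp.exe", "rpcnet.exe"}

# Constructed sample of `tasklist /fo csv` output (column layout is Windows').
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"explorer.exe","1488","Console","1","61,212 K"
"rpcnetp.exe","2764","Services","0","1,180 K"
"svchost.exe","900","Services","0","12,908 K"
"""

# Constructed sample file tree: the agent under its own name, a byte-identical
# copy under an innocuous name, and an unrelated binary. Contents are stand-ins.
SAMPLE_TREE = {
    "Windows/System32/rpcnetp.exe": b"MZ\x90\x00 constructed agent stand-in",
    "Users/Public/updater.bin": b"MZ\x90\x00 constructed agent stand-in",
    "Windows/System32/svchost.exe": b"MZ\x90\x00 constructed unrelated binary",
}


def parse_tasklist_csv(text):
    """Return (image_name, pid) pairs from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["Image Name"], int(r["PID"])) for r in rows]


def flag_agent_processes(rows):
    """Return the rows whose image name is a known Computrace agent name."""
    return [(n, pid) for n, pid in rows if n.lower() in AGENT_NAMES]


def running_processes():
    """Live process list on Windows; the constructed sample anywhere else."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/fo", "csv"], capture_output=True,
                             text=True, check=True).stdout
        return parse_tasklist_csv(out)
    return parse_tasklist_csv(SAMPLE_TASKLIST)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree_for_agent(root):
    """Find agent binaries under `root` by name, then by content hash.

    Pass 1 hashes every file carrying a known agent name. Pass 2 reports any
    other non-empty file with one of those hashes: a renamed copy.
    """
    by_name, known_hashes, candidates = [], set(), []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if not os.path.isfile(p) or os.path.getsize(p) == 0:
                continue
            if n.lower() in AGENT_NAMES:
                by_name.append(p)
                known_hashes.add(sha256_file(p))
            else:
                candidates.append(p)
    renamed = [p for p in candidates
               if known_hashes and sha256_file(p) in known_hashes]
    return {"by_name": sorted(by_name), "renamed_copies": sorted(renamed)}


def demo_scan():
    """Write SAMPLE_TREE to a temp dir, scan it, return root-relative paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_TREE.items():
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        found = scan_tree_for_agent(root)
        return {k: [os.path.relpath(p, root).replace(os.sep, "/") for p in v]
                for k, v in found.items()}


if __name__ == "__main__":
    for name, pid in flag_agent_processes(running_processes()):
        print(f"agent process running: {name} (pid {pid})")
    print("sample tree scan:", demo_scan())
```

On a real host you would point `scan_tree_for_agent` at the system drive rather than the sample tree; hashing every file is slow, but it needs no signature knowledge, whereas a YARA rule such as the researchers' can find the agent even when no copy under the original name remains on disk.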
Unlike a lot of bloatware that comes preinstalled on new PCs but can be uninstalled, there isn’t a one-size-fits-all way to get rid of Computrace. The suggested mitigation is to attempt to deactivate it, but even that sometimes isn’t possible. The researchers said this is how the story began: they tried to deactivate Computrace on a laptop and failed, and then wanted to know “who or what activated the BIOS dropper” in their systems.
More threat mitigation details are listed in the accompanying research paper (pdf).
The researchers contacted the vendor Absolute Software about the vulnerabilities. Although the “vendor has denied existence of vulnerabilities in its products,” the company “promised that these ‘security issues’ will be addressed.”