Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Absolute Computrace
247 views
Skip to first unread message
B00ze
Aug 13, 2014, 6:56:49 PM8/13/14
to
Good day.
Anyone know if ASUS BIOS'es contain "Absolute Computrace" module?
RE:
"Absolute Computrace allows organizations to persistently track
and secure all of their endpoints within a single cloud-based
console. Computers and ultra-portable devices such as netbooks,
tablets, and smart phones can be remotely managed and secured
to ensure�and most importantly prove�that endpoint IT compliance
processes are properly implemented and enforced."
http://www.absolute.com/en/products/absolute-computrace
==========================
Computrace back door could make millions of PCs vulnerable
Almost all recent PCs have Absolute Computrace embedded in their BIOS.
It's a product designed to allow companies to track and secure all of
their PCs from a single cloud-based console.
But researchers at Kaspersky lab have revealed that it often runs
without user-consent, persistently activates itself at system boot, and
can be exploited to perform various attacks and to take complete control
of an affected machine.
Kaspersky Lab researchers Vitaly Kamluk and Sergey Belov along with
Annibal Sacco of Core Security demonstrated the flaw in a presentation
at the Black Hat 2014 conference.
Kamluk first described Comutrace's vulnerability at a Kaspersky Security
Analyst Summit in February, "The software is extremely flexible. It's a
tiny piece of code which is a part of the BIOS. As far as it is a piece
of the BIOS, it is not very easy to update the software as often. So
they made it very extensible. It can do nearly anything. It can run
every type of code. You can do to the system whatever you want.
Considering that the software is running on these local system
privileges, you have full access to the machine. You can wipe the
machine, you can monitor it, you can look through the webcam, you can
actually copy any files, you can start new processes. You can do
absolutely anything".
Six months on Computrace is still exploitable and once it has been
activated it's very persistent and difficult to turn off. It also
doesn�t enforce encryption when it communicates and doesn't verify the
identity of servers from which it receives commands, so could expose
users to attacks.
The mystery is, who or what is activating Computrace? The researchers
believe it may be down to manufacturers' testing of new machines to
check for Computrace compatibility. Because it's a legitimate piece of
code it's white listed by many antivirus programs.
They conclude that whilst there's no reason to believe Absolute Software
or PC manufacturers are deliberately activating Computrace in secret,
they do need to notify users of its presence and issue instructions on
how to turn it off if users don't want Absolute's services.
http://betanews.com/2014/08/12/computrace-back-door-could-make-millions-of-pcs-vulnerable
Thank you.
Best Regards,
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
oO-( )-Oo I'm cleverly disguised as a responsible adult.
Anyone know if ASUS BIOS'es contain "Absolute Computrace" module?
RE:
"Absolute Computrace allows organizations to persistently track
and secure all of their endpoints within a single cloud-based
console. Computers and ultra-portable devices such as netbooks,
tablets, and smart phones can be remotely managed and secured
to ensure�and most importantly prove�that endpoint IT compliance
processes are properly implemented and enforced."
http://www.absolute.com/en/products/absolute-computrace
==========================
Computrace back door could make millions of PCs vulnerable
Almost all recent PCs have Absolute Computrace embedded in their BIOS.
It's a product designed to allow companies to track and secure all of
their PCs from a single cloud-based console.
But researchers at Kaspersky lab have revealed that it often runs
without user-consent, persistently activates itself at system boot, and
can be exploited to perform various attacks and to take complete control
of an affected machine.
Kaspersky Lab researchers Vitaly Kamluk and Sergey Belov along with
Annibal Sacco of Core Security demonstrated the flaw in a presentation
at the Black Hat 2014 conference.
Kamluk first described Comutrace's vulnerability at a Kaspersky Security
Analyst Summit in February, "The software is extremely flexible. It's a
tiny piece of code which is a part of the BIOS. As far as it is a piece
of the BIOS, it is not very easy to update the software as often. So
they made it very extensible. It can do nearly anything. It can run
every type of code. You can do to the system whatever you want.
Considering that the software is running on these local system
privileges, you have full access to the machine. You can wipe the
machine, you can monitor it, you can look through the webcam, you can
actually copy any files, you can start new processes. You can do
absolutely anything".
Six months on Computrace is still exploitable and once it has been
activated it's very persistent and difficult to turn off. It also
doesn�t enforce encryption when it communicates and doesn't verify the
identity of servers from which it receives commands, so could expose
users to attacks.
The mystery is, who or what is activating Computrace? The researchers
believe it may be down to manufacturers' testing of new machines to
check for Computrace compatibility. Because it's a legitimate piece of
code it's white listed by many antivirus programs.
They conclude that whilst there's no reason to believe Absolute Software
or PC manufacturers are deliberately activating Computrace in secret,
they do need to notify users of its presence and issue instructions on
how to turn it off if users don't want Absolute's services.
http://betanews.com/2014/08/12/computrace-back-door-could-make-millions-of-pcs-vulnerable
Thank you.
Best Regards,
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
oO-( )-Oo I'm cleverly disguised as a responsible adult.
Paul
Aug 14, 2014, 2:24:08 AM8/14/14
to
B00ze wrote:
> Good day.
>
> Anyone know if ASUS BIOS'es contain "Absolute Computrace" module?
>
I found an article here.
> Good day.
>
> Anyone know if ASUS BIOS'es contain "Absolute Computrace" module?
>
"Absolute Computrace revisited"
http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/
That should give you some good starting materials.
*******
And a site search, as in...
site:asus.com computrace
does find examples in their forums. It seems to show up
in the laptop forum. vip.asus.com includes retail motherboards by
model number, as well as some forums for laptops. The rog.asus.com
is the Republic Of Gamers forum, which is for computing products
designed for gaming.
http://vip.asus.com/forum/view.aspx?id=20081227015043831&board_id=3&model=G50Vt&page=1&SLanguage=en-us
"This model comes with Computrace in Bios. Difficult to
eradicate, but tries to access internet at least daily
regardless of what you are doing to trace your location
(Big brother is watching). Can not eliminate since BIOS
rewrites to disk if delete files. Best trick I have seen
is to READ protect computrace files against all users in
Vista security. Therefore, present, but can not access to run."
http://rog.asus.com/forum/archive/index.php/t-35469.html
"So I just received back my g750jw after over a month of repeated RMA orders.
They replaced the motherboard and as of now it is able to turn on and runs ok.
But here's the weird part: the first thing that pops up is
AVG telling me that rpcnet.exe in system32 and syswow64 if a
trojan trying to **** with my system. This is bizarre ..."
That last example is particularly interesting. It seems to suggest
the mere replacement of the motherboard, likely running a different
BIOS version, was enough to activate Computrace (Lojack).
The above Securelist article shows it being in the PCI rom add-in space.
But with UEFI, who knows where it is hiding, as UEFI is
an order of magnitude more intrusive. Companies are just
beginning to use/abuse UEFI, which means a steep
learning curve for us out here.
While I'd like to think Computrace is only on laptop motherboards,
there really isn't any way to be sure. If we were still in
legacy BIOS days, I'd recommend using mmtool or similar, and
picking apart the BIOS modules and identifying what they do.
I've never seen anything like that in the few motherboards
I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't
even know where to begin, what tool to use.
I was always curious about LoJack as a product, as the
notion of adding code to a BIOS (while LoJack is being
installed) seemed dangerous. But if the bootstrap module
is always there, that makes the whole thing
seamless... and scary.
Paul
B00ze/Empire
Aug 15, 2014, 9:22:15 PM8/15/14
to
Hi Paul.
Thanks for your research!
On 2014-08-14 02:24, Paul <nos...@needed.com> wrote:
> I found an article here.
> "Absolute Computrace revisited"
> http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/
Jesus, it's worst than the Sony rootkit...
and of course it's (was) running on my laptop (Fujitsu)...
This demanded immediate action, so here is what I came up with:
@ECHO OFF
REM $VER: Disable_AbsComputrace 1.0 B00ze/Empire
REM Disable Absolute Computrace on Windows systems
SETLOCAL ENABLEEXTENSIONS
SC Stop "rpcnet"
TIMEOUT /T 1
SC config "rpcnet" start= disabled
SC Stop "rpcnetp"
TIMEOUT /T 1
SC config "rpcnetp" start= disabled
Call :DoFile "C:\windows\System32\Upgrd.exe"
Call :DoFile "C:\windows\SysWOW64\Upgrd.exe"
Call :DoFile "C:\windows\System32\rpcnetp.exe"
Call :DoFile "C:\windows\SysWOW64\rpcnetp.exe"
Call :DoFile "C:\windows\System32\rpcnetp.dll"
Call :DoFile "C:\windows\SysWOW64\rpcnetp.dll"
Call :DoFile "C:\windows\System32\rpcnet.dll"
Call :DoFile "C:\windows\SysWOW64\rpcnet.dll"
Call :DoFile "C:\windows\System32\rpcnet.exe"
Call :DoFile "C:\windows\SysWOW64\rpcnet.exe"
Call :DoFile "C:\windows\System32\wceprv.dll"
Call :DoFile "C:\windows\SysWOW64\wceprv.dll"
Call :DoFile "C:\windows\System32\identprv.dll"
Call :DoFile "C:\windows\SysWOW64\identprv.dll"
Goto :EOF
:DoFile
if /i "%~1"=="" Goto :EOF
if NOT EXIST "%~1" Goto :EOF
TakeOwn /f "%~1" /a
icacls "%~1" /grant Administrators:(F)
icacls "%~1" /deny Everyone:(RX)
Goto :EOF
I haven't touched AutoChk, but one could possibly prevent
modifications to the file via a DENY ACL. I figured I'd better
leave it alone, in case it gets updated legit by Microsoft.
The above of course works only once you've been infected...
Wow, it's everywhere in their advertising, its touted as a +
> does find examples in their forums. It seems to show up
> in the laptop forum. vip.asus.com includes retail motherboards by
> model number, as well as some forums for laptops. The rog.asus.com
> is the Republic Of Gamers forum, which is for computing products
> designed for gaming.
> http://vip.asus.com/forum/view.aspx?id=20081227015043831&board_id=3&model=G50Vt&page=1&SLanguage=en-us
> http://rog.asus.com/forum/archive/index.php/t-35469.html
As early as 2009 - Must be in every product by now.
Disappointing that it would make its way into Asus boards,
especially ROG boards! Here, someone apparently removed it
from his BIOS:
http://rog.asus.com/forum/showthread.php?49130-Request-Bios-with-Computrace-Removed
> But here's the weird part: the first thing that pops up is
> AVG telling me that rpcnet.exe in system32 and syswow64 if a
> trojan trying to **** with my system. This is bizarre ..."
>
> That last example is particularly interesting. It seems to suggest
> the mere replacement of the motherboard, likely running a different
> BIOS version, was enough to activate Computrace (Lojack).
>
> The above Securelist article shows it being in the PCI rom add-in
> space. But with UEFI, who knows where it is hiding, as UEFI is
> an order of magnitude more intrusive. Companies are just
> beginning to use/abuse UEFI, which means a steep
> learning curve for us out here.
Disassembling a BIOS image is beyond my current abilities
I'm afraid...
> While I'd like to think Computrace is only on laptop motherboards,
> there really isn't any way to be sure. If we were still in
> legacy BIOS days, I'd recommend using mmtool or similar, and
> picking apart the BIOS modules and identifying what they do.
> I've never seen anything like that in the few motherboards
> I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't
> even know where to begin, what tool to use.
The guy above claims he's done it and offers the rom image
for download, must be do'able. But really what we should
have is a menu choice in the BIOS UI to disable it...
> I was always curious about LoJack as a product, as the
> notion of adding code to a BIOS (while LoJack is being
> installed) seemed dangerous. But if the bootstrap module
> is always there, that makes the whole thing
> seamless... and scary.
>
> Paul
Ya, it's pretty scary, never know what it can be used for...
Best Regards,
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
oO-( )-Oo Oooh! Papa Smurf, nobody's ever touched me like THAT before!
Thanks for your research!
On 2014-08-14 02:24, Paul <nos...@needed.com> wrote:
> I found an article here.
> "Absolute Computrace revisited"
> http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/
and of course it's (was) running on my laptop (Fujitsu)...
This demanded immediate action, so here is what I came up with:
@ECHO OFF
REM $VER: Disable_AbsComputrace 1.0 B00ze/Empire
REM Disable Absolute Computrace on Windows systems
SETLOCAL ENABLEEXTENSIONS
SC Stop "rpcnet"
TIMEOUT /T 1
SC config "rpcnet" start= disabled
SC Stop "rpcnetp"
TIMEOUT /T 1
SC config "rpcnetp" start= disabled
Call :DoFile "C:\windows\System32\Upgrd.exe"
Call :DoFile "C:\windows\SysWOW64\Upgrd.exe"
Call :DoFile "C:\windows\System32\rpcnetp.exe"
Call :DoFile "C:\windows\SysWOW64\rpcnetp.exe"
Call :DoFile "C:\windows\System32\rpcnetp.dll"
Call :DoFile "C:\windows\SysWOW64\rpcnetp.dll"
Call :DoFile "C:\windows\System32\rpcnet.dll"
Call :DoFile "C:\windows\SysWOW64\rpcnet.dll"
Call :DoFile "C:\windows\System32\rpcnet.exe"
Call :DoFile "C:\windows\SysWOW64\rpcnet.exe"
Call :DoFile "C:\windows\System32\wceprv.dll"
Call :DoFile "C:\windows\SysWOW64\wceprv.dll"
Call :DoFile "C:\windows\System32\identprv.dll"
Call :DoFile "C:\windows\SysWOW64\identprv.dll"
Goto :EOF
:DoFile
if /i "%~1"=="" Goto :EOF
if NOT EXIST "%~1" Goto :EOF
TakeOwn /f "%~1" /a
icacls "%~1" /grant Administrators:(F)
icacls "%~1" /deny Everyone:(RX)
Goto :EOF
I haven't touched AutoChk, but one could possibly prevent
modifications to the file via a DENY ACL. I figured I'd better
leave it alone, in case it gets updated legit by Microsoft.
The above of course works only once you've been infected...
Wow, it's everywhere in their advertising, its touted as a +
> does find examples in their forums. It seems to show up
> in the laptop forum. vip.asus.com includes retail motherboards by
> model number, as well as some forums for laptops. The rog.asus.com
> is the Republic Of Gamers forum, which is for computing products
> designed for gaming.
> http://vip.asus.com/forum/view.aspx?id=20081227015043831&board_id=3&model=G50Vt&page=1&SLanguage=en-us
As early as 2009 - Must be in every product by now.
Disappointing that it would make its way into Asus boards,
especially ROG boards! Here, someone apparently removed it
from his BIOS:
http://rog.asus.com/forum/showthread.php?49130-Request-Bios-with-Computrace-Removed
> But here's the weird part: the first thing that pops up is
> AVG telling me that rpcnet.exe in system32 and syswow64 if a
> trojan trying to **** with my system. This is bizarre ..."
>
> That last example is particularly interesting. It seems to suggest
> the mere replacement of the motherboard, likely running a different
> BIOS version, was enough to activate Computrace (Lojack).
>
> The above Securelist article shows it being in the PCI rom add-in
> space. But with UEFI, who knows where it is hiding, as UEFI is
> an order of magnitude more intrusive. Companies are just
> beginning to use/abuse UEFI, which means a steep
> learning curve for us out here.
I'm afraid...
> While I'd like to think Computrace is only on laptop motherboards,
> there really isn't any way to be sure. If we were still in
> legacy BIOS days, I'd recommend using mmtool or similar, and
> picking apart the BIOS modules and identifying what they do.
> I've never seen anything like that in the few motherboards
> I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't
> even know where to begin, what tool to use.
for download, must be do'able. But really what we should
have is a menu choice in the BIOS UI to disable it...
> I was always curious about LoJack as a product, as the
> notion of adding code to a BIOS (while LoJack is being
> installed) seemed dangerous. But if the bootstrap module
> is always there, that makes the whole thing
> seamless... and scary.
>
> Paul
Best Regards,
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
Paul
Aug 15, 2014, 10:25:21 PM8/15/14
to
B00ze/Empire wrote:
>
> Ya, it's pretty scary, never know what it can be used for...
>
> Best Regards,
>
Another example of someone blocking it in Windows, via permissions.
>
> Ya, it's pretty scary, never know what it can be used for...
>
> Best Regards,
>
They decided to stop WLAN service, to give time for their
defenses to be ready. So networking must be activated manually
in essence, so no monkey business at T=0. You could also
unplug the Ethernet cable, but that would wear out the
connector :-)
http://www.tomshardware.com/forum/241587-49-computrace-absolute-software
The references still seem to be to laptops.
Paul
B00ze/Empire
Aug 15, 2014, 11:00:33 PM8/15/14
to
On 2014-08-15 22:25, Paul <nos...@needed.com> wrote:
> Another example of someone blocking it in Windows, via permissions.
> They decided to stop WLAN service, to give time for their
> defenses to be ready. So networking must be activated manually
> in essence, so no monkey business at T=0. You could also
> unplug the Ethernet cable, but that would wear out the
> connector :-)
>
> http://www.tomshardware.com/forum/241587-49-computrace-absolute-software
>
> The references still seem to be to laptops.
>
> Paul
http://www.absolute.com/en/partners/bios-compatibility.aspx
> Another example of someone blocking it in Windows, via permissions.
> They decided to stop WLAN service, to give time for their
> defenses to be ready. So networking must be activated manually
> in essence, so no monkey business at T=0. You could also
> unplug the Ethernet cable, but that would wear out the
> connector :-)
>
> http://www.tomshardware.com/forum/241587-49-computrace-absolute-software
>
> The references still seem to be to laptops.
>
> Paul
Arrg! It's in my phone too! At least if the list is accurate, it's not
in ASUS motherboards (woohoo, I've been eyeing a ROG board), only
notebooks...
Regards,
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
0 new messages