|
|
Absolute Computrace
Good day.
Anyone know if ASUS BIOS'es contain "Absolute Computrace" module? "Absolute Computrace allows organizations to persistently track and secure all of their endpoints within a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets, and smart phones can be remotely managed and secured to ensure—and most importantly prove—that endpoint IT compliance processes are properly implemented and enforced." http://www.absolute.com/en/products/absolute-computrace ========================== Computrace back door could make millions of PCs vulnerable Almost all recent PCs have Absolute Computrace embedded in their BIOS. It's a product designed to allow companies to track and secure all of their PCs from a single cloud-based console. But researchers at Kaspersky lab have revealed that it often runs without user-consent, persistently activates itself at system boot, and can be exploited to perform various attacks and to take complete control of an affected machine. Kaspersky Lab researchers Vitaly Kamluk and Sergey Belov along with Annibal Sacco of Core Security demonstrated the flaw in a presentation at the Black Hat 2014 conference. Kamluk first described Comutrace's vulnerability at a Kaspersky Security Analyst Summit in February, "The software is extremely flexible. It's a tiny piece of code which is a part of the BIOS. As far as it is a piece of the BIOS, it is not very easy to update the software as often. So they made it very extensible. It can do nearly anything. It can run every type of code. You can do to the system whatever you want. Considering that the software is running on these local system privileges, you have full access to the machine. You can wipe the machine, you can monitor it, you can look through the webcam, you can actually copy any files, you can start new processes. You can do absolutely anything". Six months on Computrace is still exploitable and once it has been activated it's very persistent and difficult to turn off. It also doesn’t enforce encryption when it communicates and doesn't verify the identity of servers from which it receives commands, so could expose users to attacks. The mystery is, who or what is activating Computrace? The researchers believe it may be down to manufacturers' testing of new machines to check for Computrace compatibility. Because it's a legitimate piece of code it's white listed by many antivirus programs. They conclude that whilst there's no reason to believe Absolute Software or PC manufacturers are deliberately activating Computrace in secret, they do need to notify users of its presence and issue instructions on how to turn it off if users don't want Absolute's services. http://betanews.com/2014/08/12/compu...pcs-vulnerable Thank you. Best Regards, -- ! _\|/_ Sylvain / ! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society- oO-( )-Oo I'm cleverly disguised as a responsible adult. |
Absolute Computrace
B00ze wrote:
Good day. Anyone know if ASUS BIOS'es contain "Absolute Computrace" module? I found an article here. "Absolute Computrace revisited" http://securelist.com/analysis/publi...ace-revisited/ That should give you some good starting materials. ******* And a site search, as in... site:asus.com computrace does find examples in their forums. It seems to show up in the laptop forum. vip.asus.com includes retail motherboards by model number, as well as some forums for laptops. The rog.asus.com is the Republic Of Gamers forum, which is for computing products designed for gaming. http://vip.asus.com/forum/view.aspx?...Language=en-us "This model comes with Computrace in Bios. Difficult to eradicate, but tries to access internet at least daily regardless of what you are doing to trace your location (Big brother is watching). Can not eliminate since BIOS rewrites to disk if delete files. Best trick I have seen is to READ protect computrace files against all users in Vista security. Therefore, present, but can not access to run." http://rog.asus.com/forum/archive/in...p/t-35469.html "So I just received back my g750jw after over a month of repeated RMA orders. They replaced the motherboard and as of now it is able to turn on and runs ok. But here's the weird part: the first thing that pops up is AVG telling me that rpcnet.exe in system32 and syswow64 if a trojan trying to **** with my system. This is bizarre ..." That last example is particularly interesting. It seems to suggest the mere replacement of the motherboard, likely running a different BIOS version, was enough to activate Computrace (Lojack). The above Securelist article shows it being in the PCI rom add-in space. But with UEFI, who knows where it is hiding, as UEFI is an order of magnitude more intrusive. Companies are just beginning to use/abuse UEFI, which means a steep learning curve for us out here. While I'd like to think Computrace is only on laptop motherboards, there really isn't any way to be sure. If we were still in legacy BIOS days, I'd recommend using mmtool or similar, and picking apart the BIOS modules and identifying what they do. I've never seen anything like that in the few motherboards I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't even know where to begin, what tool to use. I was always curious about LoJack as a product, as the notion of adding code to a BIOS (while LoJack is being installed) seemed dangerous. But if the bootstrap module is always there, that makes the whole thing seamless... and scary. Paul |
Absolute Computrace
Hi Paul.
Thanks for your research! On 2014-08-14 02:24, Paul wrote: I found an article here. "Absolute Computrace revisited" http://securelist.com/analysis/publi...ace-revisited/ Jesus, it's worst than the Sony rootkit... and of course it's (was) running on my laptop (Fujitsu)... This demanded immediate action, so here is what I came up with: @ECHO OFF REM $VER: Disable_AbsComputrace 1.0 B00ze/Empire REM Disable Absolute Computrace on Windows systems SETLOCAL ENABLEEXTENSIONS SC Stop "rpcnet" TIMEOUT /T 1 SC config "rpcnet" start= disabled SC Stop "rpcnetp" TIMEOUT /T 1 SC config "rpcnetp" start= disabled Call :DoFile "C:\windows\System32\Upgrd.exe" Call :DoFile "C:\windows\SysWOW64\Upgrd.exe" Call :DoFile "C:\windows\System32\rpcnetp.exe" Call :DoFile "C:\windows\SysWOW64\rpcnetp.exe" Call :DoFile "C:\windows\System32\rpcnetp.dll" Call :DoFile "C:\windows\SysWOW64\rpcnetp.dll" Call :DoFile "C:\windows\System32\rpcnet.dll" Call :DoFile "C:\windows\SysWOW64\rpcnet.dll" Call :DoFile "C:\windows\System32\rpcnet.exe" Call :DoFile "C:\windows\SysWOW64\rpcnet.exe" Call :DoFile "C:\windows\System32\wceprv.dll" Call :DoFile "C:\windows\SysWOW64\wceprv.dll" Call :DoFile "C:\windows\System32\identprv.dll" Call :DoFile "C:\windows\SysWOW64\identprv.dll" Goto :EOF :DoFile if /i "%~1"=="" Goto :EOF if NOT EXIST "%~1" Goto :EOF TakeOwn /f "%~1" /a icacls "%~1" /grant Administrators:(F) icacls "%~1" /deny Everyone:(RX) Goto :EOF I haven't touched AutoChk, but one could possibly prevent modifications to the file via a DENY ACL. I figured I'd better leave it alone, in case it gets updated legit by Microsoft. The above of course works only once you've been infected... ******* And a site search, as in... site:asus.com computrace Wow, it's everywhere in their advertising, its touted as a + does find examples in their forums. It seems to show up in the laptop forum. vip.asus.com includes retail motherboards by model number, as well as some forums for laptops. The rog.asus.com is the Republic Of Gamers forum, which is for computing products designed for gaming. http://vip.asus.com/forum/view.aspx?...Language=en-us http://rog.asus.com/forum/archive/in...p/t-35469.html As early as 2009 - Must be in every product by now. Disappointing that it would make its way into Asus boards, especially ROG boards! Here, someone apparently removed it from his BIOS: http://rog.asus.com/forum/showthread...utrace-Removed But here's the weird part: the first thing that pops up is AVG telling me that rpcnet.exe in system32 and syswow64 if a trojan trying to **** with my system. This is bizarre ..." That last example is particularly interesting. It seems to suggest the mere replacement of the motherboard, likely running a different BIOS version, was enough to activate Computrace (Lojack). The above Securelist article shows it being in the PCI rom add-in space. But with UEFI, who knows where it is hiding, as UEFI is an order of magnitude more intrusive. Companies are just beginning to use/abuse UEFI, which means a steep learning curve for us out here. Disassembling a BIOS image is beyond my current abilities I'm afraid... While I'd like to think Computrace is only on laptop motherboards, there really isn't any way to be sure. If we were still in legacy BIOS days, I'd recommend using mmtool or similar, and picking apart the BIOS modules and identifying what they do. I've never seen anything like that in the few motherboards I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't even know where to begin, what tool to use. The guy above claims he's done it and offers the rom image for download, must be do'able. But really what we should have is a menu choice in the BIOS UI to disable it... I was always curious about LoJack as a product, as the notion of adding code to a BIOS (while LoJack is being installed) seemed dangerous. But if the bootstrap module is always there, that makes the whole thing seamless... and scary. Paul Ya, it's pretty scary, never know what it can be used for... Best Regards, -- ! _\|/_ Sylvain / ! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society- oO-( )-Oo Oooh! Papa Smurf, nobody's ever touched me like THAT before! |
Absolute Computrace
B00ze/Empire wrote:
Ya, it's pretty scary, never know what it can be used for... Best Regards, Another example of someone blocking it in Windows, via permissions. They decided to stop WLAN service, to give time for their defenses to be ready. So networking must be activated manually in essence, so no monkey business at T=0. You could also unplug the Ethernet cable, but that would wear out the connector :-) http://www.tomshardware.com/forum/24...olute-software The references still seem to be to laptops. Paul |
Absolute Computrace
On 2014-08-15 22:25, Paul wrote:
Another example of someone blocking it in Windows, via permissions. They decided to stop WLAN service, to give time for their defenses to be ready. So networking must be activated manually in essence, so no monkey business at T=0. You could also unplug the Ethernet cable, but that would wear out the connector :-) http://www.tomshardware.com/forum/24...olute-software The references still seem to be to laptops. Paul http://www.absolute.com/en/partners/...atibility.aspx Arrg! It's in my phone too! At least if the list is accurate, it's not in ASUS motherboards (woohoo, I've been eyeing a ROG board), only notebooks... Regards, -- ! _\|/_ Sylvain / ! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society- oO-( )-Oo Ewoks make better burgers! |
| All times are GMT +1. The time now is 09:29 AM. |
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
HardwareBanter.com