#3  August 16th 14, 02:22 AM, posted to alt.comp.periphs.mainboard.asus
B00ze/Empire
Absolute Computrace

Hi Paul.

Thanks for your research!

On 2014-08-14 02:24, Paul wrote:

> I found an article here.
> "Absolute Computrace revisited"
> http://securelist.com/analysis/publi...ace-revisited/


Jesus, it's worse than the Sony rootkit...
and of course it's (was) running on my laptop (Fujitsu)...
This demanded immediate action, so here is what I came up with:

@ECHO OFF
REM $VER: Disable_AbsComputrace 1.0 B00ze/Empire
REM Disable Absolute Computrace on Windows systems
REM Run from an elevated (Administrator) command prompt.
SETLOCAL ENABLEEXTENSIONS
REM Stop the two agent services and keep them from starting again
SC Stop "rpcnet"
TIMEOUT /T 1
SC config "rpcnet" start= disabled
SC Stop "rpcnetp"
TIMEOUT /T 1
SC config "rpcnetp" start= disabled
REM Take ownership of the agent binaries and lock them down
Call :oFile "C:\windows\System32\Upgrd.exe"
Call :oFile "C:\windows\SysWOW64\Upgrd.exe"
Call :oFile "C:\windows\System32\rpcnetp.exe"
Call :oFile "C:\windows\SysWOW64\rpcnetp.exe"
Call :oFile "C:\windows\System32\rpcnetp.dll"
Call :oFile "C:\windows\SysWOW64\rpcnetp.dll"
Call :oFile "C:\windows\System32\rpcnet.dll"
Call :oFile "C:\windows\SysWOW64\rpcnet.dll"
Call :oFile "C:\windows\System32\rpcnet.exe"
Call :oFile "C:\windows\SysWOW64\rpcnet.exe"
Call :oFile "C:\windows\System32\wceprv.dll"
Call :oFile "C:\windows\SysWOW64\wceprv.dll"
Call :oFile "C:\windows\System32\identprv.dll"
Call :oFile "C:\windows\SysWOW64\identprv.dll"
Goto :EOF

REM Subroutine: take ownership of the file in %1, give Administrators
REM full control, then deny Everyone read/execute so it can no longer run.
:oFile
if /i "%~1"=="" Goto :EOF
if NOT EXIST "%~1" Goto :EOF
TakeOwn /f "%~1" /a
icacls "%~1" /grant Administrators:(F)
icacls "%~1" /deny Everyone:(RX)
Goto :EOF

I haven't touched AutoChk, but one could possibly prevent
modifications to the file via a DENY ACL. I figured I'd better
leave it alone, in case it gets updated legit by Microsoft.
The above of course works only once you've been infected...

*******

> And a site search, as in...
>
> site:asus.com computrace


Wow, it's everywhere in their advertising, it's touted as a +

> does find examples in their forums. It seems to show up
> in the laptop forum. vip.asus.com includes retail motherboards by
> model number, as well as some forums for laptops. The rog.asus.com
> is the Republic Of Gamers forum, which is for computing products
> designed for gaming.
>
> http://vip.asus.com/forum/view.aspx?...Language=en-us
> http://rog.asus.com/forum/archive/in...p/t-35469.html


As early as 2009 - Must be in every product by now.
Disappointing that it would make its way into Asus boards,
especially ROG boards! Here, someone apparently removed it
from his BIOS:

http://rog.asus.com/forum/showthread...utrace-Removed

But here's the weird part: the first thing that pops up is
AVG telling me that rpcnet.exe in system32 and syswow64 is a
trojan trying to **** with my system. This is bizarre ..."

> That last example is particularly interesting. It seems to suggest
> the mere replacement of the motherboard, likely running a different
> BIOS version, was enough to activate Computrace (Lojack).
>
> The above Securelist article shows it being in the PCI rom add-in
> space. But with UEFI, who knows where it is hiding, as UEFI is
> an order of magnitude more intrusive. Companies are just
> beginning to use/abuse UEFI, which means a steep
> learning curve for us out here.


Disassembling a BIOS image is beyond my current abilities
I'm afraid...

> While I'd like to think Computrace is only on laptop motherboards,
> there really isn't any way to be sure. If we were still in
> legacy BIOS days, I'd recommend using mmtool or similar, and
> picking apart the BIOS modules and identifying what they do.
> I've never seen anything like that in the few motherboards
> I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't
> even know where to begin, what tool to use.


The guy above claims he's done it and offers the rom image
for download, must be doable. But really what we should
have is a menu choice in the BIOS UI to disable it...

> I was always curious about LoJack as a product, as the
> notion of adding code to a BIOS (while LoJack is being
> installed) seemed dangerous. But if the bootstrap module
> is always there, that makes the whole thing
> seamless... and scary.
>
> Paul


Ya, it's pretty scary, never know what it can be used for...

Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
oO-( )-Oo Oooh! Papa Smurf, nobody's ever touched me like THAT before!
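The batch script above changes the system; before (or after) running it, an administrator usually wants a read-only check that reports whether the rpcnet/rpcnetp services and the listed agent files are actually present, and whether autochk.exe (the file the post leaves alone because Computrace is known to modify it) still carries a valid Microsoft signature. The following PowerShell audit is an added example, not part of the original post or of any Absolute Software tool; it assumes an elevated PowerShell 3.0 or later session, uses only the service and file names already given in the post, and modifies nothing.

```powershell
# Added example (not from the original post): read-only audit for the
# Computrace artifacts named in the batch script above, plus an Authenticode
# check on autochk.exe. Assumes an elevated PowerShell 3.0+ session.

$services = @('rpcnet', 'rpcnetp')
$files    = @('Upgrd.exe', 'rpcnetp.exe', 'rpcnetp.dll', 'rpcnet.dll',
              'rpcnet.exe', 'wceprv.dll', 'identprv.dll')
$dirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$findings = @()

# Services: report state and start mode (StartMode shows whether the
# "SC config ... start= disabled" step has already been applied).
foreach ($name in $services) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $findings += [pscustomobject]@{
            Kind   = 'Service'
            Item   = $name
            Detail = "State=$($svc.State); StartMode=$($svc.StartMode); Path=$($svc.PathName)"
        }
    }
}

# Agent files: report presence and who signed them. Absolute's own binaries
# are normally signed; an unsigned copy under these names is worth a look.
foreach ($dir in $dirs) {
    foreach ($f in $files) {
        $path = Join-Path $dir $f
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $findings += [pscustomobject]@{
                Kind   = 'File'
                Item   = $path
                Detail = "Signature=$($sig.Status); Signer=$($sig.SignerCertificate.Subject)"
            }
        }
    }
}

# autochk.exe: an unmodified Microsoft binary should verify as Valid.
# Caveat: on older Windows releases the file is signed only through a
# catalog, and Get-AuthenticodeSignature may then report NotSigned even
# for a pristine copy, so treat HashMismatch as the strong signal.
foreach ($dir in $dirs) {
    $autochk = Join-Path $dir 'autochk.exe'
    if (Test-Path -LiteralPath $autochk) {
        $sig = Get-AuthenticodeSignature -FilePath $autochk
        $findings += [pscustomobject]@{
            Kind   = 'AutoChk'
            Item   = $autochk
            Detail = "Signature=$($sig.Status); Signer=$($sig.SignerCertificate.Subject)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Computrace service or file artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Because the BIOS module re-drops the agent after the OS-level cleanup (the post's "works only once you've been infected" point), this audit is worth re-running after every reboot and after any BIOS update or motherboard swap; a service that reappears with StartMode=Auto, or a file that is present again after the ACLs were applied, is the sign that the firmware component is still active.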