A computer components & hardware forum. HardwareBanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » HardwareBanter forum » Motherboards » Asus Motherboards
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Absolute Computrace



 
 
Thread Tools Display Modes
  #1  
Old August 13th 14, 11:56 PM posted to alt.comp.periphs.mainboard.asus
B00ze
external usenet poster
 
Posts: 67
Default Absolute Computrace

Good day.

Anyone know if ASUS BIOS'es contain "Absolute Computrace" module?



"Absolute Computrace allows organizations to persistently track
and secure all of their endpoints within a single cloud-based
console. Computers and ultra-portable devices such as netbooks,
tablets, and smart phones can be remotely managed and secured
to ensure—and most importantly prove—that endpoint IT compliance
processes are properly implemented and enforced."

http://www.absolute.com/en/products/absolute-computrace

==========================

Computrace back door could make millions of PCs vulnerable

Almost all recent PCs have Absolute Computrace embedded in their BIOS.
It's a product designed to allow companies to track and secure all of
their PCs from a single cloud-based console.

But researchers at Kaspersky lab have revealed that it often runs
without user-consent, persistently activates itself at system boot, and
can be exploited to perform various attacks and to take complete control
of an affected machine.

Kaspersky Lab researchers Vitaly Kamluk and Sergey Belov along with
Annibal Sacco of Core Security demonstrated the flaw in a presentation
at the Black Hat 2014 conference.

Kamluk first described Comutrace's vulnerability at a Kaspersky Security
Analyst Summit in February, "The software is extremely flexible. It's a
tiny piece of code which is a part of the BIOS. As far as it is a piece
of the BIOS, it is not very easy to update the software as often. So
they made it very extensible. It can do nearly anything. It can run
every type of code. You can do to the system whatever you want.
Considering that the software is running on these local system
privileges, you have full access to the machine. You can wipe the
machine, you can monitor it, you can look through the webcam, you can
actually copy any files, you can start new processes. You can do
absolutely anything".

Six months on Computrace is still exploitable and once it has been
activated it's very persistent and difficult to turn off. It also
doesn’t enforce encryption when it communicates and doesn't verify the
identity of servers from which it receives commands, so could expose
users to attacks.

The mystery is, who or what is activating Computrace? The researchers
believe it may be down to manufacturers' testing of new machines to
check for Computrace compatibility. Because it's a legitimate piece of
code it's white listed by many antivirus programs.

They conclude that whilst there's no reason to believe Absolute Software
or PC manufacturers are deliberately activating Computrace in secret,
they do need to notify users of its presence and issue instructions on
how to turn it off if users don't want Absolute's services.

http://betanews.com/2014/08/12/compu...pcs-vulnerable

Thank you.
Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
oO-( )-Oo I'm cleverly disguised as a responsible adult.

  #2  
Old August 14th 14, 07:24 AM posted to alt.comp.periphs.mainboard.asus
Paul
external usenet poster
 
Posts: 13,364
Default Absolute Computrace

B00ze wrote:
Good day.

Anyone know if ASUS BIOS'es contain "Absolute Computrace" module?


I found an article here.

"Absolute Computrace revisited"

http://securelist.com/analysis/publi...ace-revisited/

That should give you some good starting materials.

*******

And a site search, as in...

site:asus.com computrace

does find examples in their forums. It seems to show up
in the laptop forum. vip.asus.com includes retail motherboards by
model number, as well as some forums for laptops. The rog.asus.com
is the Republic Of Gamers forum, which is for computing products
designed for gaming.

http://vip.asus.com/forum/view.aspx?...Language=en-us

"This model comes with Computrace in Bios. Difficult to
eradicate, but tries to access internet at least daily
regardless of what you are doing to trace your location
(Big brother is watching). Can not eliminate since BIOS
rewrites to disk if delete files. Best trick I have seen
is to READ protect computrace files against all users in
Vista security. Therefore, present, but can not access to run."

http://rog.asus.com/forum/archive/in...p/t-35469.html

"So I just received back my g750jw after over a month of repeated RMA orders.

They replaced the motherboard and as of now it is able to turn on and runs ok.

But here's the weird part: the first thing that pops up is
AVG telling me that rpcnet.exe in system32 and syswow64 if a
trojan trying to **** with my system. This is bizarre ..."

That last example is particularly interesting. It seems to suggest
the mere replacement of the motherboard, likely running a different
BIOS version, was enough to activate Computrace (Lojack).

The above Securelist article shows it being in the PCI rom add-in space.
But with UEFI, who knows where it is hiding, as UEFI is
an order of magnitude more intrusive. Companies are just
beginning to use/abuse UEFI, which means a steep
learning curve for us out here.

While I'd like to think Computrace is only on laptop motherboards,
there really isn't any way to be sure. If we were still in
legacy BIOS days, I'd recommend using mmtool or similar, and
picking apart the BIOS modules and identifying what they do.
I've never seen anything like that in the few motherboards
I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't
even know where to begin, what tool to use.

I was always curious about LoJack as a product, as the
notion of adding code to a BIOS (while LoJack is being
installed) seemed dangerous. But if the bootstrap module
is always there, that makes the whole thing
seamless... and scary.

Paul
  #3  
Old August 16th 14, 02:22 AM posted to alt.comp.periphs.mainboard.asus
B00ze/Empire
external usenet poster
 
Posts: 11
Default Absolute Computrace

Hi Paul.

Thanks for your research!

On 2014-08-14 02:24, Paul wrote:

I found an article here.
"Absolute Computrace revisited"
http://securelist.com/analysis/publi...ace-revisited/


Jesus, it's worst than the Sony rootkit...
and of course it's (was) running on my laptop (Fujitsu)...
This demanded immediate action, so here is what I came up with:

@ECHO OFF
REM $VER: Disable_AbsComputrace 1.0 B00ze/Empire
REM Disable Absolute Computrace on Windows systems
SETLOCAL ENABLEEXTENSIONS
SC Stop "rpcnet"
TIMEOUT /T 1
SC config "rpcnet" start= disabled
SC Stop "rpcnetp"
TIMEOUT /T 1
SC config "rpcnetp" start= disabled
Call oFile "C:\windows\System32\Upgrd.exe"
Call oFile "C:\windows\SysWOW64\Upgrd.exe"
Call oFile "C:\windows\System32\rpcnetp.exe"
Call oFile "C:\windows\SysWOW64\rpcnetp.exe"
Call oFile "C:\windows\System32\rpcnetp.dll"
Call oFile "C:\windows\SysWOW64\rpcnetp.dll"
Call oFile "C:\windows\System32\rpcnet.dll"
Call oFile "C:\windows\SysWOW64\rpcnet.dll"
Call oFile "C:\windows\System32\rpcnet.exe"
Call oFile "C:\windows\SysWOW64\rpcnet.exe"
Call oFile "C:\windows\System32\wceprv.dll"
Call oFile "C:\windows\SysWOW64\wceprv.dll"
Call oFile "C:\windows\System32\identprv.dll"
Call oFile "C:\windows\SysWOW64\identprv.dll"
Goto :EOF
oFile
if /i "%~1"=="" Goto :EOF
if NOT EXIST "%~1" Goto :EOF
TakeOwn /f "%~1" /a
icacls "%~1" /grant AdministratorsF)
icacls "%~1" /deny EveryoneRX)
Goto :EOF

I haven't touched AutoChk, but one could possibly prevent
modifications to the file via a DENY ACL. I figured I'd better
leave it alone, in case it gets updated legit by Microsoft.
The above of course works only once you've been infected...

*******

And a site search, as in...

site:asus.com computrace


Wow, it's everywhere in their advertising, its touted as a +

does find examples in their forums. It seems to show up
in the laptop forum. vip.asus.com includes retail motherboards by
model number, as well as some forums for laptops. The rog.asus.com
is the Republic Of Gamers forum, which is for computing products
designed for gaming.


http://vip.asus.com/forum/view.aspx?...Language=en-us
http://rog.asus.com/forum/archive/in...p/t-35469.html


As early as 2009 - Must be in every product by now.
Disappointing that it would make its way into Asus boards,
especially ROG boards! Here, someone apparently removed it
from his BIOS:

http://rog.asus.com/forum/showthread...utrace-Removed

But here's the weird part: the first thing that pops up is
AVG telling me that rpcnet.exe in system32 and syswow64 if a
trojan trying to **** with my system. This is bizarre ..."

That last example is particularly interesting. It seems to suggest
the mere replacement of the motherboard, likely running a different
BIOS version, was enough to activate Computrace (Lojack).

The above Securelist article shows it being in the PCI rom add-in
space. But with UEFI, who knows where it is hiding, as UEFI is
an order of magnitude more intrusive. Companies are just
beginning to use/abuse UEFI, which means a steep
learning curve for us out here.


Disassembling a BIOS image is beyond my current abilities
I'm afraid...

While I'd like to think Computrace is only on laptop motherboards,
there really isn't any way to be sure. If we were still in
legacy BIOS days, I'd recommend using mmtool or similar, and
picking apart the BIOS modules and identifying what they do.
I've never seen anything like that in the few motherboards
I've dissected the BIOS on. But with a UEFI BIOS, I wouldn't
even know where to begin, what tool to use.


The guy above claims he's done it and offers the rom image
for download, must be do'able. But really what we should
have is a menu choice in the BIOS UI to disable it...

I was always curious about LoJack as a product, as the
notion of adding code to a BIOS (while LoJack is being
installed) seemed dangerous. But if the bootstrap module
is always there, that makes the whole thing
seamless... and scary.

Paul


Ya, it's pretty scary, never know what it can be used for...

Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
oO-( )-Oo Oooh! Papa Smurf, nobody's ever touched me like THAT before!

  #4  
Old August 16th 14, 03:25 AM posted to alt.comp.periphs.mainboard.asus
Paul
external usenet poster
 
Posts: 13,364
Default Absolute Computrace

B00ze/Empire wrote:


Ya, it's pretty scary, never know what it can be used for...

Best Regards,


Another example of someone blocking it in Windows, via permissions.
They decided to stop WLAN service, to give time for their
defenses to be ready. So networking must be activated manually
in essence, so no monkey business at T=0. You could also
unplug the Ethernet cable, but that would wear out the
connector :-)

http://www.tomshardware.com/forum/24...olute-software

The references still seem to be to laptops.

Paul
  #5  
Old August 16th 14, 04:00 AM posted to alt.comp.periphs.mainboard.asus
B00ze/Empire
external usenet poster
 
Posts: 11
Default Absolute Computrace

On 2014-08-15 22:25, Paul wrote:

Another example of someone blocking it in Windows, via permissions.
They decided to stop WLAN service, to give time for their
defenses to be ready. So networking must be activated manually
in essence, so no monkey business at T=0. You could also
unplug the Ethernet cable, but that would wear out the
connector :-)

http://www.tomshardware.com/forum/24...olute-software

The references still seem to be to laptops.

Paul


http://www.absolute.com/en/partners/...atibility.aspx

Arrg! It's in my phone too! At least if the list is accurate, it's not
in ASUS motherboards (woohoo, I've been eyeing a ROG board), only
notebooks...

Regards,

--
! _\|/_ Sylvain /
! (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society-
oO-( )-Oo Ewoks make better burgers!

 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Exceeding maximum absolute voltage larry moe 'n curly Homebuilt PC's 15 September 22nd 10 06:50 PM
Factor 5's "Lair" on PS3 has an absolute DOG SHIT framerate thanks to the lowend Nvidia GPU AirRaid[_3_] Nvidia Videocards 6 August 3rd 07 05:52 PM
Absolute Horrible Day Today for my PC. Need desperate help. Shinnokxz Homebuilt PC's 2 August 26th 05 08:44 AM


All times are GMT +1. The time now is 01:26 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 HardwareBanter.
The comments are property of their posters.