back to article Devs angrily dismiss Absolute Computrace rootkit accusation

Developers have denied accusations that their Computrace anti-theft software poses a remote wipe risk for the computers the program is designed to protect. However security researchers at Kaspersky Lab are standing by their warning that Absolute Software's Computrace anti-theft technology poses a hidden threat that might be …

COMMENTS

This topic is closed for new posts.

Do you ever really know what you are buying?

I found out about the embedded Computrace application late last year. I checked up on one vendor and found that they didn't hide the fact that this was part of their package, they just didn't broadcast it.

Haven't read the small print, but this should be in the large print on any product that you are purchasing. It falls right into the sort of embedded capability that the Snowden leaks revealed and really begs the question as to who is funding this.

Would be really interesting to see an analysis of what it can potentially do.

12
0

Insidious menace

Damned thing is a pain in the ass.

My Dell came with it, just the BIOS part, and even though I've disabled it in the BIOS, it still keeps installing its evil sneaky service and drivers.

I say evil and sneaky because it tries to disguise itself as part of Windows, using a service name similar to the RPC service.

9
0
Bronze badge

Re: Insidious menace

Ugh... Tell me about it. We repurposed an old Toshiba laptop recently at work. Not even a business model - just a mid-range home model. Damn thing keeps popping up virus warnings because Absolute keep sneaking their malware back in.

I sent an email to Toshiba and Absolute. Standard waste of time replies - Toshiba would love to help me put the factory image back on, and Absolute more or less told me it was there for my own good, so shut up and go away.

0
0
Silver badge

I've googled this, and may have a neat fix: While there may be some alternate roms out there that have this disabled (or at least non-functional), you can do the following that'll work on any windows box.

Create a batch file with these contents:

TASKKILL /F /IM "rpcnetp.exe"

TASKKILL /F /IM "rpcnet.exe"

TASKKILL /F /IM "upgrd.exe"

del "C:\Windows\System32\UPGRD.exe"

del "C:\Windows\System32\rpcnet.exe"

del "C:\Windows\System32\rpcnetp.exe"

del "C:\Windows\System32\rpcnetp.dll"

del "C:\Windows\System32\rpcnet.dll"

md "C:\Windows\System32\UPGRD.exe"

md "C:\Windows\System32\rpcnet.exe"

md "C:\Windows\System32\rpcnetp.exe"

md "C:\Windows\System32\rpcnetp.dll"

md "C:\Windows\System32\rpcnet.dll"

Run the batch file once. It stops the processes, it deletes the files (which normally come back at reboot), it creates folders named the same as the files.

The files can't come back, because you can't create a file if there is a folder of the same name. And it stays like that, because the offending code that creates the files is usually not smart enough to realise it's a rougue folder that's preventing the file creation.

Let me know if it works.

0
0
Anonymous Coward

Possible but be prepared for bricking

For most bios' it is possible to unpack the bios remove the computrace option rom and repack it, as an example in the Dell precision 490 its module 00-15-34.bin which looks like:

00000000 55 AA 2A EB 15 43 6F 6D 70 75 54 72 61 63 65 20 Uª*ë.CompuTrace

00000010 56 38 30 2E 38 34 35 A1 1D 00 E9 5C 01 50 43 49 V80.845¡..é\.PCI

Its probably a bit OTT for your average user and its not without risk of bricking, but it can be gotten rid of.

2
0
Silver badge

This is something I've not seen before.

Although there is an obvious security issue here (i.e. if someone can pretend to be that C&C IP address / domain then they can easily take out PC's with CompuTrace enabled with a remote-root exploit as simple as replacing the .exe they try to download), the biggest problem to me?

The BIOS tries to insert an executable into Windows internals, in place of an existing executable. This just SCREAMS potential problem with Windows updates that affect that file, Windows integrity checks, 32/64-bit (and newer similar technology) issues, forensics issues, and just the potential to blue-screen thousands of machines with NO HOPE of adequately repairing them without upgrading the firmware if they make a simple mistake or assumption.

I mean, just imagine if Windows 8.2 / 9 has a different file in the place of the one they replace, that does slightly more/less than the one they hijack? That could spell disaster. And do you have a way to turn off that BIOS function that is MODIFYING YOUR FILESYSTEM (probably without due regard for non-standard configurations? In work, I once had an AMI BIOS for two models of laptop that refused to boot if the byte at a certain offset on the first partition wasn't zero - makes your computer useless if you want to boot Linux, not use NTFS with that particular assumption intact (so good luck for the next NTFS version) and/or encrypt the filesystem. Had to fight to get an updated BIOS, which had "Alpha" and "DO NOT USE" written all over it)? No, you can't turn it off because it's a "security feature".

Sorry, they can play it down as much as they like but a BIOS should NOT be modifying the filesystem. Ever. At all. Certainly not to interfere with a particular Windows executable, insert itself at startup and/or provide SYSTEM access to a download that it grabs off the Internet or out of a BIOS that doesn't get updated for years at a time.

Reason enough that I'm glad that I've NEVER activated such security functions.

5
0
Bronze badge
Devil

"we were able to make a live demo of Computrace hijacking"

If that is the case then it appears to be "case closed" and it doesn't matter how benign or safe they say their product is. Kaspersky aren't falsely crying wolf if they can actually show the wolf.

https://www.securelist.com/en/analysis/204792325/Absolute_Computrace_Revisited

10
0
Bronze badge

Re: "we were able to make a live demo of Computrace hijacking"

+1 for that link, it's a good read and hard not to find for Kaspersky. It's clearly vulnerable to an arp or DNS poisoning attack. And WTF is up with the obfuscation, given it's apparently installed willingly by its users?

0
0
Anonymous Coward

Is anything we buy these days truly ours? You buy a game or movie on disc, you're simply paying for the physical item the data on it is just rented. You buy a phone, a tablet, a laptop or a PC and it's technically owned by someone else and by the looks of it possible to have it shut down on a whim. As more tech gets into our fridges, TVs and other household appliances it looks like the days of ownership are fast disappearing. Then again "good book" bleats on about "ashes to ashes, dust to dust and funk to funky" so I suppose nothing you say, touch, think, eat, breathe or crap was never really yours.

3
0
Silver badge

Only if we let it.

Surely, that's the whole point of the open software / hardware movement? It's hardly a new thing.

Gimme a PC whose BIOS is open and Linux installed any day. It's just that we're not really there yet and people are prepared to sell out a percentage of their property to someone else. One large incident and it could easily turn around the other way and we'll need something to replace all this stuff with.

1
0

Firewall

Don't use internet without it. And I don't mean software/firmware firewall, I mean a standalone box. Good luck sending those packets to bios.

0
0
Silver badge

Don't Want

This is something quite new to me, and highly disturbing. How on earth do we find out if our machines have this 'feature' and if some nasty cretin has activated it?

1
0
Silver badge

Re: Don't Want

Read the link posted by Jason Bloomberg further up, it's not just interesting and scary, it also names the files installed by computrace.

0
0
Silver badge

And I thought UEFI bios was scummy.

hahaha I googled computrace, turns out this filth is both installed in Uncle Sams laptops AND licensed for use in China. I wonder who is using it to spy on whom?

2
0

Where does Computrace agent reside?

Assuming you totally wipe the harddrive and BIOS, where does Computrace agent reside?

0
0
Silver badge

Re: Where does Computrace agent reside?

If you actually wipe disk + bios it's gone, but then your computer is dead too. What you'd need is to flash the computer with a new or modified bios where Computrace is disabled. This is difficult and possibly illegal (if you modify the bios yourself) and risky (if you download the bios from some random site on the internet). Possibly your best bet is to nag your computer vendor for a BIOS with computrace turned off. That is what I'm going to do for my Lenovo laptop, which I've now determined is infected.

1
0
Anonymous Coward

Computrace uses malware tricks ..

"When we first found and analyzed Computrace we mistakenly thought it was malicious software, because it used so many of the tricks that are popular in current malware. It has specific anti-debugging and anti-reverse engineering techniques, injects into the memory of other processes, establishes secret communication, patches system files on disk (autochk.exe), keeps configuration files encrypted, and finally drops a Windows executable directly from BIOS/firmware"

That means that Computrace will only work on computers that are wide open to a range of malware injection tricks, eg. the average Windows desktop installation ..

1
0
Nym

Which is why...

A couple of programs of mine keep quietly wiping so much crap off the hard drive. I was pretty sure this Alienware had something and ran several scans--mind you, this is premium gaming equipment, bought last year. However, Alienware is...Dell. 'Nuff said.

1
0
Pirate

duckware

If it looks like a duck, swims like a duck, and quacks like a duck...

1
0
Anonymous Coward

Oh, so I'm not the only one concerned.

I discovered what appeared to be a rootkit on a customer's ex-laptop (they left it for us to do what we want) recently after we'd done a fresh install on a new HDD. Further investigation told me it was supposedly legit, but as I read more about what it does (from their own bragging, mind you), I was quite disturbed by it.

I've asked Toshiba to help me remove it, and asked Absolute to direct me to their documentation on security updates and patches... I expect neither will be terribly helpful.

It worries me even more now that I know it doesn't make any attempt to confirm the legitimacy of the servers and downloads! Fake "Free WiFi" access point + public place and you could install anything you want onto random targets.

3
0

This post has been deleted by its author

This topic is closed for new posts.

Forums