UPDATE: A previous version of this story incorrectly stated that Anibal Sacco works for Core Security. Sacco left Core Security last year to start Cubica Labs.
LAS VEGAS – Nearly every PC has an anti-theft product called Computrace embedded in its BIOS PCI Optional ROM or its unified extensible firmware interface (UEFI). Computrace is a legitimate, trusted application developed by Absolute Software. However, it often runs without user-consent, persistently activates itself at system boot, and can be exploited to perform various attacks and to take complete control of an affected machine.
Kaspersky Lab researchers Vitaly Kamluk and Sergey Belov along with Anibal Sacco of Cubica Labs earlier presented their research in a briefing titled “Absolute Computrace Revisited” six months ago at the Kaspersky Security Analyst Summit (SAS) in the Dominican Republic. They presented an updated version of that talk at Black Hat last week.
Computrace should not be enabled by default. Absolute Software’s technical documentation says that Computrace should be enabled either by the user or by IT departments with admin control of work machines. In fact, to this point, Kamluk, Sacco and Belov can only guess at how Computrace is enabled by default on many out-of-the-box PCs. At present they believe the software is being unintentionally initiated by manufacturers.
Furthermore, once Computrace is enabled, it is incredibly persistent and very difficult to remove or even turn off.
“We believe that persistence was erroneously activated,” Kamluk and Saccco said. “It could be a bug in this tool or a human error. We don’t think this bug was introduced on purpose.”
One of the problems – as was highlighted at SAS – is that Computrace does not enforce encryption when it communicates and it does not verify the identity of the remote server from which it receives commands. This is particularly irksome given how Computrace works: first the persistence modules in BIOS/UEFI update a system’s default autochk.exe. Then the new autochk.exe drops and registers a new system service called rpcnetp. Rpcnetp, in turn, talks to the Absolute server and is replaced by rcpnet, which is a core remote administration module that is restored if the user deletes it.
In other words, the way Computrace interacts with Absolute could expose users to man-in-the-middle attacks. Back in February, Kamluk described Computrace’s exploitability as follows:
“The software is extremely flexible. It’s a tiny piece of code which is a part of the BIOS. As far as it is a piece of the BIOS, it is not very easy to update the software as often. So they made it very extensible. It can do nearly anything. It can run every type of code. You can do to the system whatever you want. Considering that the software is running on these local system privileges, you have full access to the machine. You can wipe the machine, you can monitor it, you can look through the webcam, you can actually copy any files, you can start new processes. You can do absolutely anything.”
[youtube https://www.youtube.com/watch?v=Gq8-7EErqpM&w=640&h=360]
A half year later, Computrace remains exploitable. In addition to that, Kamluk’s presentation at Black Hat last week included the disclosure of a new remote code execution vulnerability, a demonstration of how Computrace can be used as a removal-resistant backdoor capable of bypassing security software, and an examination of how Computrace is running on so many machines.
The mystery regarding who or what is activating Computrace remains unsolved. However, forensic analyses of affected computers show what Computrace dates back to the first system boot. Deeper analysis of a brand new machine on which Computrace was not enabled may hint at how the anti-theft product is ending up on machines automatically.
Kamluk and Sacco believe that manufacturers may run tests on newly made machines checking for compatibility with Computrace. They managed to extract the test and run it themselves:
First the test would activate BIOS/UEFI dropper, which launches the application. Next the test reboots the system and checks that rpcnetp.exe is running, which is integral to Comptrace’s persistence. The third and operative step is to deactivate BIOS/UEFI dropper. Finally, the test reboots and checks that rpcnetp.exe is not running. When Sacco and Kamluk simulated the test, it crashed out during the third step, meaning it failed to remove the mechanism that initiates Computrace.
Absolute Software, according to the researchers, has promised to address these “security issues,” though the company “denied the existence of vulnerabilities in its products.”
Kamluk and Sacco noted in their Black Hat talk that Computrace, though it acts like malware in a number of ways, is not detected by antivirus engines. And there are a number of good reasons for that, not the least of which is that Computrace is a well-known piece of software that is whitelisted by most antivirus companies, trusted by large numbers of hardware companies and developed by a legitimate business.
The problem with Computrace isn’t that it’s outright malicious, but rather that vulnerabilities in it can turn the useful tool into a powerful weapon for cybercriminals.
Rpcnetp.exe can be easily patched to provide an under-the-radar connect back method in a system without Computrace. In a system with Computrace, they say the situation is even worse, because rpcnet.exe is signed but depends on the registry configuration block, so it can be redirected with no binary modification.
“At 2009 [Black Hat] talk we released a tool to demonstrate redirection of (signed) rpcnet.exe through registry modification,” the researchers explained in a slide deck. “With a small modification, it still works. With this attack, all the Computrace persistency features will be turned against the user, by giving control to the attacker. This provides an attacker with a disguised connect back method in a Computrace deployed system.”
The modified rpcnet executables can be detected by antivirus engines, but because of white-listing, the executables are not blocked.
“We have no reasons to think that Absolute Software or any PC manufacturers secretly activate persistence, but it’s clear that if there are a lot of computers with activated Computrace agents, it is the responsibility of the manufacturers and Absolute Software to notify those users and explain how they can deactivate it if they don’t want to use Absolute Software services. Otherwise, these orphaned agents will keep on running unnoticed and provide opportunities for remote exploitation.”
Image via Black Hat USA 2014