
Computrace BIOS Malicious Root Kit In Just About Every LapTop?

#1
Computrace

I was looking at buying some off-lease IBM/Lenovo ThinkPads. I noticed some were going for fairly cheap. Then I saw that they had "Computrace" enabled. So I started doing some research on Computrace. Seems pretty scary that almost all computers/devices have a function called from the BIOS to call home to the "Absolute Command & Control (C&C) server".

This reminded me of that other Lenovo scandal where all the devices were "phoning" home to China, plus who knows who else. It starts to make sense now when I think of the "wake on LAN" feature in the BIOS on most every computer now and the open Comcast network by my house that you can't do anything on but still send packets back and forth.

http://www.theepochtimes.com/n3/174...lled-on-lenovo-huawei-and-xiaomi-smartphones/

Also, just another point: most .gov agencies use those Lenovos for the fingerprint scanner. Doesn't seem very secure to me. They talk all about this high-bit encryption, but if you can get root access to the BIOS and install some trojan keylogger from a repository through a remote procedure call, what's the point?

Well, that interested me and I wondered how they could keep injecting code even after you flash the BIOS. So I found this site with a simplified explanation.
https://securelist.com/analysis/publications/58278/absolute-computrace-revisited/

In their whitepaper “Deactivate the Rootkit: Attacks on BIOS anti-theft technologies” they described the general mechanisms behind anti-theft products such as Absolute Computrace.
3. Computrace Agent Normal Operation

Computrace Agent is a Windows application that has two variants: a small agent and a full-size agent. The Small Agent is a piece of code that is of minimal possible size and maximum extensibility. This module is embedded into BIOS PCI Option ROM or UEFI firmware. According to the US patent 20060272020 by Absolute Software, where it is called a mini CDA (Communications Driver Agent), it was designed to check if the full-function agent is installed and functioning on the system, and if not, load the full function CDA across the Internet from the server.

According to the patent, the persistence module resides in BIOS Option ROM:



BIOS Option ROM

The Option ROM contents have a small section with Computrace modules that are added by the manufacturer of the BIOS and written to the flash memory by the hardware vendor.

The first stage (after main BIOS initialization) is to execute modules from Option ROM. At this point the Computrace code searches for available disk drives and analyzes the partition table. If FAT/FAT32/NTFS partitions are found, it locates the Windows installation path and the autochk.exe application. Next, it creates a backup of the system default autochk.exe code parts and overwrites them with its own code. These parts are saved as an autochk.exe.bak file on FAT or as an autochk.exe:BAK NTFS ADS. This can be used as an indicator of Computrace activity at stage one.

On some systems where the Computrace module is not part of the BIOS or it cannot be activated, a different approach is used. On such systems the Computrace activation code modifies the MBR of the hard drive and takes control of the PC at the earliest stage of the system boot. Apparently this approach is not as persistent as a BIOS-based dropper.

Stage 2: autochk.exe
At this stage a modified autochk.exe starts and has full access to the local file system as well as system registry via Windows NT Native API calls. Its main purpose is to drop the local file rpcnetp.exe and change the local system registry to create a new system service called rpcnetp. The original autochk.exe code is then restored.

Stage 3: rpcnetp.exe
This module is also known as the small Computrace Agent or mini CDA (Communication Driver Agent). It’s approximately 17 KB in size and is written in C language.

It is started as a Windows service; however, its operation is not limited to being a system service. This Windows PE executable copies itself to another file with a .DLL extension, modifies PE header flags accordingly to change the Windows PE EXE file to a Windows PE DLL and loads it in memory. After that, rpcnetp.exe creates a child process "svchost.exe" in a suspended state and injects a freshly created rpcnetp.dll into its memory. When the DLL injection is successful and the svchost.exe process is resumed, the latter creates its own child process "iexplore.exe" started with the environment and rights of the locally logged-in user. The new iexplore.exe is started in a suspended state as well, and it receives an injection of the same rpcnetp.dll.

When iexplore.exe is resumed, it may connect to the Absolute Command & Control (C&C) server to get commands and download additional modules to execute.

[Image: rpcnetp.exe started two extra processes to initiate a connection with the Absolute C&C server]

This technique is widely used in malicious software and was one of the reasons for a close interest in the modules. In fact, according to our experience, no other legitimate software uses techniques like this. Also, the software uses a time delay of about one minute. We assume that this delay is used to let the system find and connect to a Wi-Fi network after starting. But this is also used as a trick in many malicious applications to prevent malware detection which relies on emulators or sandboxes.




http://www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf

We studied many versions of the Computrace Agent, including V80.845 and V80.866. Once installed and with Windows fully booted, the agent runs as a Windows service and proceeds to contact a remote system and wait for orders. This process can consist of the downloading of additional software or reporting of various run-time parameters. The following hexadecimal dump details the Computrace PCI Option ROM header found inside the BIOS of an HP 9420 notebook computer. The Option ROM is deactivated because it corresponds to the PCI Device 1917:1234, nonexistent on the system:

00000000  55 aa 2a eb 15 43 6f 6d 70 75 54 72 61 63 65 20  |U.*..CompuTrace |
00000010  56 38 30 2e 38 36 36 78 1d 00 e9 5c 01 50 43 49  |V80.866x...\.PCI|
00000020  52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00  |R..4............|

Interestingly, Computrace uses the UPX packing software, version 1.00; you can see the UPX! signature near offset 0x200:

00000200  57 e9 45 e2 55 50 58 21 0b 01 04 09 45 78 74 75  |W.E.UPX!....Extu|
00000210  c2 ae 1a 79 58 e2 b9 4f 04 26 ed ff 8c 16 00 ff  |...yX..O.&......|

When installed, the deployed agent registers itself as a normal Windows service using the name "Remote Procedure Call (RPC) Net". This name, with slight variations, is also used by Windows to refer to other legitimate services such as "Remote Procedure Call (RPC)" (used to provide the endpoint mapper and other RPC services) and "Remote Procedure Call (RPC) Locator" (in charge of managing the RPC name service database). In this way, the registered service could be easily confused with these legitimate Windows services, except for its lack of a description. The service is implemented in the rpcnet.exe or rpcnetp.exe file.

We are presenting a method to search and modify this configuration block, pointing the IP and URL to a malicious site, where unauthenticated payloads can be directed to the involved notebook. Modification of the block in the inter-partition space allows for a format-resistant malicious agent. On unsigned BIOSes, direct Option ROM modification of the configuration block allows for a very persistent and dangerous form of rootkit.

After all, the main purpose of rpcnetp.exe is to download and start a fully functional remote access tool. It communicates with a C&C server, relying on the built-in capabilities of the Small Agent to obtain some extra executables. The first executable that is sent to the agent is the file wceprv.dll, which is used to provide data encryption. Soon after saving wceprv.dll in the System32 directory, the Small Agent loads it in memory and switches conversation with the C&C to a more secure encrypted form. After that the Small Agent downloads extra files such as identprv.dll, Upgrd.exe and NTAgent.exe (later renamed to rpcnet.exe). Then it starts Upgrd.exe which is a single-run tool that handles an upgrade procedure: stopping and removing the current rpcnetp service and registering and starting a new service for rpcnet.exe (“Remote Procedure Call (RPC) Net”).

3.1 Configuration block
Below is the configuration block used by the Computrace agent V80.866; it was extracted from the Option ROM with the UPX utility. The configuration block starts at offset 0x3c38:

http://www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf

With the port clearly visible at offset 0x32, the IP at offset 0x35 and the URL at 0x39. The communication is made via plain HTTP connections, using wininet.dll exported functions.
This is the hard-coded block located in the BIOS. When installed, the agent copies this block to the registry keys:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/rpcnet/Parameters
or
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/rpcnet/Parameters

subkey Security, depending on whether the Persistent (BIOS) agent is used or not.
Unpacked, the configuration block is easily modifiable. By simply changing the URL or IP, we can redirect the agent queries to our site. This is very easy to accomplish in the registry, but we don't have persistence for merely modifying the registry. To modify the configuration of the persistent agent we need to modify and reflash the BIOS. This is possible in many systems at the date of publication of this article, as unsigned BIOSes are common.

4 Computrace Agent stub: BIOS code execution
As we said in section 2, we found many incarnations of the persistent agent. One particular example, found on notebooks like the Dell Vostro 1510, is the Computrace V70.785 agent (this number may change with the BIOS version). This agent doesn't contain any code except for a small stub used to load additional code from a sector on the hard disk located outside normal partitions. This is also documented in the public patent application US 2006/027220 A1. The code on the hard disk contains a small header that indicates to the stub where to load the code in memory, and carries out a CRC-16 check.

We found that the lack of code authentication in this particular case provides an easy way to build a BIOS rootkit attack, as an unauthorized privileged user could put code on the hard disk that will be executed directly on the BIOS.
7 Conclusion

At this time, we found three major problems with common Absolute Computrace implementations:

1. Lack of authentication of configuration options, leading to report redirection.

2. Lack of authentication of code in the stub agent, leading to BIOS code execution.

3. On at least one specific setup, activation/deactivation of the Computrace Agent can be reverted to factory defaults.

For issues 1 and 2 a digital signature scheme would fix the issues. We don't have any recommendation for issue number 3 at this moment. Furthermore, there are a couple of issues that at the time of this report we can't confirm:

4. Unauthenticated code download from the Agent once activated.

5. Unauthenticated BIOS agent activation.

Issues 1, 4 and 5 combined would allow for an extremely dangerous BIOS-assisted rootkit software attack to be deployed on the majority of notebooks today.

Issue 2 is dangerous by itself, providing a simple and reliable method to execute any code in the context of the BIOS, once the Option ROM is activated.


Mind you that white paper was written in 2009.
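As an added example (not code from the post or from either paper it quotes), here is a small Python parser for the legacy PCI Option ROM header and its PCIR data structure, fed with the HP 9420 header and UPX fragments from the hex dumps above. It resolves the vendor:device the ROM claims (1917:1234), records the UPX! offset, and flags the ROM as orphaned when that device is not actually on the bus, which is the condition the paper gives for the ROM staying inactive. The bytes outside the two quoted fragments and the set of PCI devices "present on the host" are constructed here.

```python
import struct

# Bytes transcribed from the two hex-dump fragments quoted above (Option ROM
# header at 0x000 and the UPX-packed body at 0x200).  Everything else in the
# sample image is zero padding constructed here so the example runs offline.
ROM_HEADER = bytes.fromhex(
    "55aa2aeb15436f6d7075547261636520"
    "5638302e383636781d00e95c01504349"
    "521719341200001800000600002a0000"
)
UPX_FRAGMENT = bytes.fromhex(
    "57e945e2555058210b01040945787475"
    "c2ae1a7958e2b94f0426edff8c1600ff"
)


def build_sample_image() -> bytes:
    """Constructed 0x2a * 512 byte image carrying the quoted fragments."""
    img = bytearray(0x2A * 512)
    img[0x000:0x030] = ROM_HEADER
    img[0x200:0x220] = UPX_FRAGMENT
    return bytes(img)


def parse_option_rom(image: bytes) -> dict:
    """Decode the legacy PCI expansion ROM header and its PCIR data structure."""
    if image[:2] != b"\x55\xaa":
        raise ValueError("missing 55AA expansion ROM signature")
    size_units = image[2]                      # ROM length in 512-byte blocks
    if image[3] != 0xEB:                       # init entry is a short jmp here
        raise ValueError("unexpected init entry point encoding")
    init_entry = 5 + struct.unpack_from("<b", image, 4)[0]
    pcir_off = struct.unpack_from("<H", image, 0x18)[0]
    if image[pcir_off:pcir_off + 4] != b"PCIR":
        raise ValueError("PCIR pointer does not land on a PCI data structure")
    vendor, device, _vpd, pcir_len = struct.unpack_from("<HHHH", image, pcir_off + 4)
    image_len_units = struct.unpack_from("<H", image, pcir_off + 0x10)[0]
    # This ROM keeps a printable product string between the jmp and the PCIR pointer
    product = image[5:0x18].decode("ascii", errors="replace")
    return {
        "size_units": size_units, "init_entry": init_entry,
        "pcir_offset": pcir_off, "pcir_len": pcir_len,
        "vendor_id": vendor, "device_id": device,
        "image_len_units": image_len_units, "product": product,
    }


def assess_rom(image: bytes, present_devices: set) -> dict:
    """Add the checks a firmware reviewer would run on a parsed Option ROM."""
    info = parse_option_rom(image)
    info["size_consistent"] = info["size_units"] == info["image_len_units"]
    # The paper notes the ROM stays inactive because 1917:1234 is not a real device
    info["device_present"] = (info["vendor_id"], info["device_id"]) in present_devices
    info["upx_offset"] = image.find(b"UPX!")   # -1 if the body is not UPX-packed
    info["computrace_string"] = "CompuTrace" in info["product"]
    return info


if __name__ == "__main__":
    # Constructed stand-in for the PCI vendor:device pairs enumerated on the host.
    on_bus = {(0x8086, 0x2A40)}
    for key, value in assess_rom(build_sample_image(), on_bus).items():
        print(f"{key:>18}: {value}")
```

On a real system the same parser can be run over every 55AA image carved out of a BIOS dump, and any image whose PCIR device is absent from the bus deserves a second look.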
 


the_shootist

#2
Holy shit Batman, great post! Now I need to do some investigation on my own. Thanks for the heads up!
 
#3
Sucks you gotta hack your BIOS in the home automated microwave to keep the command and control server from overloading the magnetron.



 
#4
Or your fancy new car even.

Here's the patent.

http://www.google.co.in/patents/US20060272020
Abstract
A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.
 

mayhem

#5
Yes, the smart home for free!

Great article and I will read the attachments over the next few days even if some of it is over my head a little I still have some learning cells left.

Haven't used Windows on the net for over 13 years. I said it that way because I do have a copy of Win-7 on a desktop, but it is an old Dell, and would need a wireless card to connect to my router.

Some will say that Apple doesn't have this kind of spyware, but I'll bet it does. I bought 3 used Acer Chromebooks, two for me and one for the wife. Overwrote the BIOS with SeaBIOS and compiled a small neat Linux OS just for internet use, pdf reader, but no email. Beware though, when you overwrite the BIOS you stand the possibility of making a brick as I did with my first try. I just might put a bigger SSD in this one so I can install something like Tor. I currently use a VPN, and a stripped down version of Chrome with no add-ons. Every add-on you have calls home, so I have settled for sloooow loading on some sites like ZH with all the ads. There probably isn't any safe foolproof way to be online, just make them work real hard for their information, don't make it easy for them. Turn off your Windows net access and install a copy of Linux in dual boot. There's more, but hey, those who know already know.

Heck even my new CPAP and fridge are trying to access the net. And don't forget your "Smart TV" reporting everything you do.

This guy was correct all along. http://cyber.eserver.org/unabom.txt
 

dacrunch

#6
So complex that you'd have to dedicate half your life to being inscrutable...

So my "Peerblock" and "Ghostery" are useless, it appears?

... would be nice to have a "plug & play" file to make yourself "anonymous", haha!

But since that isn't the case... we're all in Orwell's "Big Brother Is Watching You"...
 

Usury

#7
#8
poor Ted...

Here's some BIOS modding tools for future reference though. Mainly for GFX cards.



http://forums.guru3d.com/showthread.php?t=406016
I will post here all known BIOS/modding-related tools:
Also some really great tools for the Fiji HBM architecture made by the Radeon community on overclock.net

# AtiWinFlash_2.2.0.0
# Fiji_BIOS_Editor_v1.2
# Atomtool_v11
# Cuinfo_ver16
# R9 Fury Unlocking with Simple How to ReadMe + Python_2.7.12_amd64

All files are here for fast download (for updates you need to go to the overclock.net forums)

My Fast Mega Downloads (All files Here)

I managed to add unlocked VBIOS, edit-ready (no UEFI):
Fury-X
NANO
Pro-Duo
NITRO OC+
TriX BIOS

=========================================================================
Here you can find guides for modding your Radeon GPU
R9 280, 290, 380, 390
Fiji Arch. Fury-X, Nano & Fury-Pro

overclock.net amd-ati
=========================================================================

I need a point to start.
I wanna edit mem timings; in short, I need to tighten them up.

RAS/CAS etc.

Give me some advice.
And I think a lot of people will be happy with our Guru3D thread for BIOS hex editing.

1. Save BIOS (GPU-Z, VBE7 0.7b etc.) VBE7 - vBIOS Editor for Radeon
2. Download Hex Workshop
3. Find strings then change.
4. Calculate BIOS checksum before change and after, then make it right.
or Easy way -> Open Edited BIOS with VBE7 and save it (checksum corrected ;-) )

=========================================================================

Some useful tools for AMD/ATI:

The Stilt's AMD "Extreme" Tools
- APU Fuse Interpreter ("AFI"), latest version: R1.02
- BullDozer Conditioner ("BDC), latest version: R1.0.3B
- Devastator PowerTune ("DPT"), latest version: R1.00 (unzip with 7-zip)
- Trinity Control Interface K2 ("TCI K2"), latest version: V1.1

The Stilt's AMD "Extreme" Tools Collection

Tahiti GDDR5 Identifier

http://www.techpowerup.com/downloads...oryinfo-1-005/

And here ->
My Space in MEGA - lot of stuff there
 

the_shootist

#9
Anyone know if there's a similar BIOS root kit out there for Apple products? (It wouldn't surprise me)
 

oldgaranddad

#10
Anyone know if there's a similar BIOS root kit out there for Apple products? (It wouldn't surprise me)
Knowing the governments of the world it is probably hard coded into every CPU chip out there.
 

mayhem

#11
Anyone know if there's a similar BIOS root kit out there for Apple products? (It wouldn't surprise me)
I really don't know. But with Cook selling out to the FBI with the password thing (no, it wasn't some Israeli hacker). I heard that there is an NSA call home in Apple stuff though, same as Winders. Don't own overpriced gay products, I like to be in control, yes I tend to be a control freak at times. This is different as it is calling an independent Co., but it could be a gov shell.
 

JayDubya

#12
WTF dude...why the hell would you post a link to that without some damn warning about what it is??? Good grief! I don't really want/need to see that and I CERTAINLY don't want to be in a list as having downloaded it!
Why don't you please tell the rest of us what it is so we don't do the same damn thing?
 

ErrosionOfAccord

#13
Why don't you please tell the rest of us what it is so we don't do the same damn thing?
I ain't skeered. Looks like some geeky guys manifesto. Hardly what I would call incriminating.
 
#14
Apple uses intel chipsets as far as I know.

Apple's Intel transition was the process of changing the central processing unit (CPU) of Macintosh computers from PowerPC processors to Intel x86 processors. The transition became public knowledge at the 2005 Worldwide Developers Conference (WWDC), when Apple's CEO Steve Jobs made the announcement that the company would make a transition from the use of PowerPC microprocessors supplied by Freescale (formerly Motorola) and IBM in its Macintosh computers, to processors designed and manufactured by Intel, a chief supplier for most of Apple's competitors.[1]

The transition marked the Macintosh platform's second migration to a new CPU architecture. The first was the switch from the Motorola 68000 ("68k") series architecture (used since the original Macintosh 128K) to the PowerPC architecture.
These things were the last of the real Macs; you could go up to 4 RISC processors.



 

mayhem

#15
I ain't skeered. Looks like some geeky guys manifesto. Hardly what I would call incriminating.
Indeed, ya get more exposure here than by clicking that link and reading what he had to say. I don't support how Ted decided to change things, but I have heard similar suggestions on how to change some of today's things here.

Funny thing is he might be proven correct in the long run, time will tell.