[February 12, 2014]
Kaspersky Lab Confirms Hidden Threat in BIOSes of Popular Laptops and Warns That Absolute Computrace Anti-Theft Software Can Be Remotely Hijacked
PUNTA CANA, Dominican Republic --(Business Wire)-- Kaspersky Lab's security research team published today a report confirming and demonstrating that the weak implementation of anti-theft software marketed by Absolute Software can turn a useful defensive utility into a powerful tool for cyberattackers.
In a stealthy way, this poor implementation gives attackers full access to millions of users' computers. The focus of the research was the agent that resides in the firmware, or PC ROM BIOS, of modern laptops.
The major reason for this research project was the discovery of the
Computrace agent running on several private computers of Kaspersky Lab's
researchers and corporate computers without prior authorization. While
Computrace is a legitimate product developed by Absolute Software, some
owners of the systems claimed that they had never installed, activated
or had ever known about this software on their machines. Most
traditional pre-installed software packages can be permanently removed
or disabled by the user; however Computrace is designed to survive
professional system cleanup and even hard disk replacement.
A user can mistakenly recognize Computrace as malicious software because
it uses so many tricks popular in modern malware: anti-debugging and
anti-reverse engineering techniques, injection into memory of other
processes, establishment of secret communications, patching system files
on disk, keeping configuration files encrypted, and dropping a Windows
executable right from the BIOS/firmware.
According to Kaspersky Security Network data, approximately 150,000 users have the Computrace agent running on their machines. The estimated total number of users with an activated Computrace agent may exceed 2 million. It's unclear how many of those users know about Computrace running on their systems.
The majority of such computers are located in the United States and
The network protocol used by the Computrace Small Agent provides basic features for remote code execution. The protocol does not require encryption or authentication of the remote server, which creates many opportunities for remote attacks in a hostile network environment.
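The paragraph above describes the core weakness: an agent with remote-code-execution features that does not authenticate the server it talks to. The following added example, which is not code from the report or from Absolute Software, contrasts a toy agent that executes any well-formed command with one that only executes commands carrying a valid message authentication code and a fresh sequence number. The message format, the key and the command names are all constructed for the demonstration; a shared HMAC key is used here only to keep the example dependency-free, and a real deployment would authenticate the server with an asymmetric signature so that the agent never holds a secret that could be extracted and reused.

```python
import hashlib
import hmac
import json

# Constructed demo key; in a real system the agent would hold only a
# public key and verify a signature, not share a secret with the server.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(cmd: str, seq: int) -> bytes:
    """Canonical byte encoding of the fields the MAC covers."""
    return json.dumps({"cmd": cmd, "seq": seq}, sort_keys=True).encode()


def build_message(cmd: str, seq: int, key: bytes) -> bytes:
    """What a legitimate server sends: command, sequence number, and MAC."""
    tag = hmac.new(key, canonical(cmd, seq), hashlib.sha256).hexdigest()
    return json.dumps({"cmd": cmd, "seq": seq, "mac": tag}).encode()


class WeakAgent:
    """Executes any syntactically valid command: whoever can inject traffic
    on the path (or spoof the server) can drive the agent."""

    def __init__(self):
        self.executed = []

    def handle(self, raw: bytes) -> str:
        msg = json.loads(raw)
        self.executed.append(msg["cmd"])  # simulated execution: just record it
        return "executed"


class AuthenticatedAgent:
    """Executes a command only if its MAC verifies under the server key and
    its sequence number is strictly greater than the last accepted one."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.executed = []

    def handle(self, raw: bytes) -> str:
        try:
            msg = json.loads(raw)
            cmd, seq, tag = str(msg["cmd"]), int(msg["seq"]), str(msg["mac"])
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        expected = hmac.new(self.key, canonical(cmd, seq), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak tag bytes.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad mac"
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        self.executed.append(cmd)
        return "executed"


def demo() -> dict:
    """Run both agents against a genuine message and a forged one."""
    genuine = build_message("report-location", 1, SERVER_KEY)
    # A forged message from a party that does not hold the key: well-formed
    # JSON, but the MAC is garbage.
    forged = json.dumps({"cmd": "run-update", "seq": 2, "mac": "00" * 32}).encode()
    # Same message as genuine but signed under a different (attacker) key.
    wrong_key = build_message("run-update", 3, b"some-other-key")

    weak = WeakAgent()
    auth = AuthenticatedAgent(SERVER_KEY)
    return {
        "weak_forged": weak.handle(forged),
        "auth_genuine": auth.handle(genuine),
        "auth_forged": auth.handle(forged),
        "auth_wrong_key": auth.handle(wrong_key),
        "auth_replay": auth.handle(genuine),
        "auth_malformed": auth.handle(b"{\"cmd\": \"x\"}"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The weak agent accepts the forged command outright, which is the situation the paragraph describes; the authenticated agent rejects it, rejects a message signed under a different key, and rejects a replay of a genuine message. Encrypting the channel (for example with TLS and certificate pinning) would additionally keep command contents private, but authentication of the server is the property that stops a network-position attacker from issuing commands at all.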
An attack platform
There is no proof that Absolute Computrace is being used as a platform
for attacks. However, experts from several companies see the possibility
for attacks; some alarming and unexplained facts of unauthorized
Computrace activations make this more and more realistic.
Back in 2009, researchers from Core Security Technologies presented research on Absolute Computrace. The researchers warned about the dangers of this technology and how an attacker could modify the system registry to hijack the callbacks from Computrace. The aggressive behavior of the Computrace Agent was the reason it was detected as malware in the past. According to some reports, Computrace was detected by Microsoft as VirTool:Win32/BeeInject. Nevertheless, the detection was later removed by Microsoft and some anti-malware vendors. Computrace executables are currently whitelisted by most anti-malware companies.
Vitaly Kamluk, Principal Security Researcher,
Global Research and Analysis Team
actors with the ability to tap fiber optics can potentially hijack
computers running Absolute Computrace. This software can be used to
deploy spyware implants. Our estimate is that millions of computers are
running Absolute Computrace software and a large number of the users
might be unaware that this software is activated and running. Who had a
reason to activate Computrace on all those computers? Are they being
monitored by an unknown actor? That is a mystery which needs to be
"Such a powerful tool as Absolute Computrace software must use
authentication and encryption mechanisms to continue serving the greater
good. It's clear that if there are a lot of computers with Computrace
agents running, it is the responsibility of the manufacturer (in this
case Absolute Software) to notify users and explain how the software can
be deactivated and disabled. Otherwise, these orphaned agents will keep
on running unnoticed and provide a possibility for remote exploitation."
To read the full report with a detailed description of the Absolute
Computrace Agent's operation, see Securelist.
About Kaspersky Lab
Kaspersky Lab is the world's largest privately held vendor of endpoint
protection solutions. The company is ranked among the world's top four
vendors of security solutions for endpoint users*. Throughout its more
than 16-year history Kaspersky Lab has remained an innovator in IT
security and provides effective digital security solutions for large
enterprises, SMBs and consumers. Kaspersky Lab, with its holding company
registered in the United Kingdom, currently operates in almost 200
countries and territories across the globe, providing protection for
over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.