What if your computer ran anti-theft software you never activated? Software that can make your PC remotely accessible. Software that you can’t delete, even by physically replacing the hard drive. It sounds like a modern urban legend; however, it turns out to be true.
This exact realization came to Sergey Belov, a Kaspersky Lab malware researcher, when he started to investigate a software-related problem on his wife’s personal laptop. A suspicious process caught his attention; at first, he thought he had found a previously unknown rootkit. However, the process turned out to be legitimate – it was part of the Absolute Computrace software agent, a popular anti-theft solution for laptops. What is unique about Computrace is the very exclusive position it holds on a user’s computer. The Computrace agent partially resides in the BIOS or UEFI firmware, stored on a motherboard chip whose code executes first when the computer boots, before the operating system even starts. This lets Computrace survive “hard resets” and even disk replacements. What is most disturbing about Computrace is that Belov’s wife never activated the software and was unaware of its existence. Further analysis uncovered the bad news: a malicious third party is able to hijack the Computrace agent and perform any kind of remote hack on a victim’s PC.
Anti-theft solutions are crucial for mobile devices, as thieves favor these small and expensive gadgets. Designing anti-theft software is not an easy task. It must be tiny and stealthy. It should keep a connection to some HQ server to report its location or call for action if stolen. Finally, it must resist a thief’s attempts to remove the software. All these requirements mean that anti-theft software operates at a low level and must have impressive privileges on the user’s machine. So what happens if such a powerful application is vulnerable? In the worst case, the hacker may do whatever he/she wants and basically own your computer.
Unfortunately, I am not theorizing. Last week, I was a witness to a real-life demonstration, conducted by Vitaly Kamluk and Sergey Belov of Kaspersky Lab during Security Analyst Summit 2014. The researcher duo unwrapped a newly bought Asus laptop, performed a typical set of first-run procedures and used another PC to remotely activate the laptop’s camera and eventually initiate a remote wipe procedure. The wipe was done by intercepting unencrypted network packets and sending some data back, mimicking communication with the original Computrace server.
By now you may feel an urge to immediately check your laptop for the presence of the Computrace agent. If you’re already planning its brutal deletion, don’t bother: it’s very challenging. The agent fights attempts to remove it, which is quite natural given its anti-theft purpose. To achieve this, the BIOS part of the Computrace agent checks on each boot whether the software is present. If no software is found, a tiny program is installed from the BIOS into the Windows OS. Upon Windows boot, this program downloads the full-scale Computrace agent from the Internet and activates it. This specific step is vulnerable to remote compromise, as was demonstrated at SAS 2014.
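To make the weak spot in that bootstrap step concrete, here is an added illustration written for this article; it is not Kaspersky’s, Absolute’s or Computrace’s code and the payloads, the in-memory “network” and the firmware-pinned digest are all constructed. It models the loop described above (firmware checks whether the agent is present and, if not, fetches it) twice: once as a loader that installs whatever bytes come back, and once as a loader that refuses anything whose digest does not match a value baked into the firmware. With an on-path party answering the request, only the first loader ends up running the substituted payload.

```python
"""Constructed model of a firmware-dropped bootstrap loader (added example).

The 'network' is an in-memory stand-in: fake_network_fetch() returns whatever
the party answering the request chooses, which is exactly the situation an
unencrypted, unauthenticated download is in.
"""
import hashlib
import hmac

# Constructed sample payloads standing in for the real agent binary.
GENUINE_AGENT = b"genuine-agent-v1: report location, honour wipe command"
TAMPERED_AGENT = b"substituted payload chosen by whoever answered the request"

# Hypothetical: SHA-256 of the genuine agent, pinned in firmware at build time.
PINNED_SHA256 = hashlib.sha256(GENUINE_AGENT).hexdigest()

# Hypothetical download location; never contacted, see fake_network_fetch().
AGENT_URL = "http://agent-download.example/agent.bin"


def fake_network_fetch(url: str, on_path_party: bool) -> bytes:
    """Stand-in for a plain HTTP GET of the agent.

    Over a plaintext channel the loader cannot tell the genuine server from
    anyone else who can answer first, so the reply is whatever that party
    chooses to send.
    """
    return TAMPERED_AGENT if on_path_party else GENUINE_AGENT


def vulnerable_bootstrap(url: str, on_path_party: bool = False) -> bytes:
    """Loader that trusts the bytes it receives and hands them over to run."""
    return fake_network_fetch(url, on_path_party)


def hardened_bootstrap(url: str, on_path_party: bool = False):
    """Loader that installs nothing whose digest differs from the pinned one.

    Returns the payload when it matches, None when it is rejected.
    compare_digest() avoids leaking the position of the first mismatch
    through timing.
    """
    payload = fake_network_fetch(url, on_path_party)
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, PINNED_SHA256):
        return None
    return payload


def firmware_boot(agent_present: bool, loader, on_path_party: bool = False):
    """Model of the per-boot check: if the full agent is already installed
    nothing is fetched; otherwise the given loader is used to obtain it.

    Returns the payload that would run after this boot, or None if the
    hardened loader rejected the download.
    """
    if agent_present:
        return GENUINE_AGENT
    return loader(AGENT_URL, on_path_party)


if __name__ == "__main__":
    for name, loader in (("vulnerable", vulnerable_bootstrap),
                         ("hardened", hardened_bootstrap)):
        result = firmware_boot(agent_present=False, loader=loader,
                               on_path_party=True)
        print(f"{name:10s} loader with on-path party -> {result!r}")
```

A pinned hash is the simplest possible check and is used here only to make the contrast visible; a real design would verify a signature over a versioned manifest so the agent can be updated without reflashing the firmware, and would fetch over an authenticated channel in the first place. The point the demonstration at SAS 2014 made is that without any such check, the bootstrap step hands control of the machine to whoever answers the download request.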
The full analysis is available on Securelist, as well as the list of indicators of Computrace Agent activity. Data from Kaspersky Security Network indicates that 150,000 of our customers have a Computrace agent active on their machines. Vitaly Kamluk estimates that Computrace is active on 2 million computers worldwide. We don’t know how many of them were activated by users themselves.
The BIOS part of Computrace is preinstalled in most popular BIOS/UEFI firmware, and you can encounter it on most laptops, including Acer, Asus, Sony, Toshiba, HP, Lenovo, Samsung and others. However, some laptops include a visible BIOS option to enable/disable Computrace while others don’t. Additionally, not every computer runs Computrace even if it has the BIOS component onboard; on many computers the software is inactive. But Kaspersky Lab researchers discovered and bought some fresh laptops that bear an active Computrace agent on the first run, right after unboxing. Why these agents are active, and who possesses control over them, remains a mystery.