Default Backdoor on Computers

Friday, August 15, 2014 @ 04:08 PM gHale


Devices that come with an anti-theft solution called Computrace have a built in back door by default.

Computrace is a legitimate software and is part of the BIOS firmware that can end up used as “an advanced removal-resistant BIOS-based backdoor.”

RELATED STORIES
Details Emerge on Espionage Campaign
Bad Guys Use Govt. Quality Malware
After Takedown, Botnet Returns
Global Malware Infrastructure Seized

The software, developed by Absolute Software and embedded in BIOS PCI Options ROM and UEFI firmware, has remote code execution capabilities by design and its purpose is to offer computer owners the possibility of remote management of the devices.

However, because it does not encrypt communication with the server, it can end up hijacked, if an attacker gains control over the network traffic (man-in-the-middle attack) of the affected computer, said researchers Vitaly Kamluk and Sergey Belov from KasperskyLab and Anibal Sacco from Cubica Labs during a presentation at Black Hat USA 2014 in Las Vegas last week.

Computrace runs through two agents identified as “rpcnetp.exe” (Small Agent) and “rpcnet.exe” (Main Agent), and the researchers found on some systems it ends up enabled by default, making the machine susceptible to compromise.

Kamluk said they do not believe there is a malicious reason behind the component being active without user consent. Instead, they think manufacturers turned it on unintentionally.

Regardless, the component presents a risk to users on who are running it on their machines.

The researchers found two types of remote attacks can occur against Absolute Computrace, one directed at the Small Agent module and the other at the Main Agent.

“It’s important to note that Small Agent runs for a limited time starting from initial installation of the module and ending when the system is connected to the Internet and module is successfully updated,” said the researches in a whitepaper discussing the issue.

In the second type of attack, the Main Agent ends up pushed to replace the Small Agent.

At the beginning of the communication, no encryption is available for the protocol, but it seems this comes at a later stage.

Another side benefit for the bad guys is because the software is not malicious and a trusted entity developed it, most antivirus products have it whitelisted.

Researchers found the glitch at the beginning of the year and reported it t Absolute Software, but according to the Black Hat presentation slides, there was no real reaction.

The second remote code execution vulnerability, reported June 25, generated a response from the company, who denied its existence.

If you look at the executables, Computrace is there if you look at the two agents in the list of processes as well as by connection to certain hosts. Disabling it, however, is more difficult because it is a vendor specific process, and the developer of the BIOS setup utility decides whether to include the possibility to turn on or off the Computrace module.



Leave a Reply

You must be logged in to post a comment.