BIOS Rootkit talks.....

Filed Under: Malware, SophosLabs, Vulnerability

Two very talented researchers from CoreSecurity have recently presented at BlackHat about a new twist in the saga of security products whose presence may actually be a security risk. Anibal Sacco and Alfredo Ortega have exposed the presence, and potential security risk, of a post-theft-recovery product that may already be installed on your laptop.

These two have exposed a vulnerability in the security model of Absolute Corp's Computrace Anti-Theft Agent, which comes included in the BIOS of most notebooks sold since 2005. Absolute's Computrace technology is designed to report the location of a laptop and, in the event of theft, to allow the data on the laptop to be deleted.

When activated, the BIOS component of Computrace directly alters the Windows filesystem to install and activate its agent. Once Windows has started up, this agent runs as a Windows service which connects out to a remote server and waits for instructions. At BlackHat 2009, Anibal and Alfredo demonstrated how an unauthorized privileged user could hijack the agent so that it contacts a server of their choice. Unfortunately for AV vendors, a hijacked agent is identical to a legitimate one. The only change on the system is to a region of memory that directs where the agent reports to. The agent's executable remains unchanged.
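Because a hijacked agent's executable is byte-for-byte the same as a legitimate one, a file-hash or signature check cannot tell them apart; what does differ is where the agent reports. The following is an added example (not code from the original post, and not from Absolute or Computrace) showing the defender's angle: judge the agent by its outbound destination rather than by its binary. The process name, the expected reporting hostname, the hash values and the log format are all constructed placeholders.

```python
"""
Added example: flag a persistent agent whose binary hash is unchanged but
whose reporting destination is not one of the expected hosts.

All names below are constructed placeholders, not real Computrace
identifiers: the process name, the vendor hostname, the hash values and
the log line format are assumptions for this example only.
"""
import re
from dataclasses import dataclass

# Assumed: where the agent is expected to report (constructed placeholder).
EXPECTED_REPORT_HOSTS = {"agent-report.example-vendor.test"}

# Assumed: the process name the agent's Windows service runs under (placeholder).
AGENT_PROCESS = "antitheft-agent.exe"

# Constructed log format:
#   "<timestamp> proc=<image name> dst=<host>:<port> hash=<sha256 prefix>"
LOG_RE = re.compile(
    r"proc=(?P<proc>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)\s+hash=(?P<hash>\w+)"
)


@dataclass(frozen=True)
class Finding:
    proc: str
    host: str
    port: int
    reason: str


def parse_line(line):
    """Return (proc, host, port, hash) for a well-formed line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("proc"), m.group("host"), int(m.group("port")), m.group("hash")


def check_agent_destinations(lines, known_good_hash):
    """
    Walk outbound-connection log lines and report two kinds of anomaly for
    the agent process: a binary hash that differs from the known-good one,
    and a reporting destination outside the expected set. The second check
    is the one that catches the hijack described in the post, where the
    hash still matches.
    """
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole scan
        proc, host, port, digest = parsed
        if proc.lower() != AGENT_PROCESS:
            continue  # only the agent process is in scope for this check
        if digest != known_good_hash:
            findings.append(Finding(proc, host, port, "binary hash mismatch"))
        if host not in EXPECTED_REPORT_HOSTS:
            findings.append(Finding(proc, host, port, "unexpected reporting destination"))
    return findings


# Constructed sample log: one legitimate report, one report by the same
# unchanged binary to an unexpected host, and one unrelated process.
KNOWN_GOOD_HASH = "deadbeef0001"
SAMPLE_LOG = [
    "2009-07-30T10:00:01Z proc=antitheft-agent.exe dst=agent-report.example-vendor.test:443 hash=deadbeef0001",
    "2009-07-30T10:05:12Z proc=antitheft-agent.exe dst=unknown-host.example.test:443 hash=deadbeef0001",
    "2009-07-30T10:06:00Z proc=browser.exe dst=unknown-host.example.test:443 hash=cafef00d0002",
]

if __name__ == "__main__":
    for f in check_agent_destinations(SAMPLE_LOG, KNOWN_GOOD_HASH):
        print(f"{f.proc} -> {f.host}:{f.port}: {f.reason}")
```

Run against the constructed sample, the scan yields a single finding: the second line, where the hash matches the known-good value but the destination is not an expected reporting host. That is exactly the case an executable-based AV check would miss.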

Many security professionals (including the authors) are referring to this as a rootkit. I personally think this is more of an extremely persistent backdoor. But those who call it a rootkit have a decent reason for doing so. Unlike most rootkits, this doesn't actually hide anything. The purpose of rootkits is typically to avoid detection so that a hacker's control of a system can persist as long as possible. The parallel between this insecurity and most rootkits is the persistence aspect. If abused, this could potentially be used to provide an indirect backdoor into your system that could survive reformats, and even the complete replacement of your hard drive.

So... Do you think Sophos should detect the Computrace Agent? Let us know what you think!
