Two very talented researchers from Core Security have recently presented at BlackHat on a new twist in the saga of security products whose very presence may be a security risk. Anibal Sacco and Alfredo Ortega have exposed the presence, and the potential security risk, of a post-theft recovery product that may already be installed on your laptop.
The two have exposed a vulnerability in the security model of Absolute Corp's Computrace Anti-Theft Agent, which comes included in the BIOS of most notebooks sold since 2005. Absolute's Computrace technology is designed to report the location of a laptop and, in the event of theft, allow the data on the laptop to be deleted.
When activated, the BIOS component of Computrace directly alters the Windows filesystem to install and activate its agent. Once Windows has started, this agent runs as a Windows service that connects out to a remote server and waits for instructions. At BlackHat 2009, Anibal and Alfredo demonstrated how an unauthorized privileged user could hijack the agent so that it contacts a server of their choice. Unfortunately for AV vendors, a hijacked agent is identical to a legitimate one: the only change on the system is to a region of memory that directs where the agent reports to, and the agent's executable remains unchanged.
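Because a hijacked agent's executable is byte-for-byte the legitimate one, a file hash or an AV signature cannot tell the two apart; the only observable difference is where the agent reports to. The script below is an added example (it is not from the original post, from Core Security, or from Absolute) of the kind of egress-log check a defender can run: it picks out connections made by the agent process to anything other than the vendor's expected reporting host, and it deliberately does not let a matching binary hash clear the finding. The agent process name, the vendor host, the log format and the sample log lines are all constructed placeholders, not real Computrace values.

```python
"""Flag beacons from an anti-theft agent that go somewhere other than the vendor.

Added example; not code from the original post, Core Security or Absolute.
Every name below is a hypothetical placeholder: the agent's process name,
the vendor's reporting host, the known-good binary hash and the log format.
"""
import re
from collections import namedtuple

# Hypothetical agent binary name(s) and the host the agent is expected to report to.
AGENT_PROCESSES = {"antitheft-agent.exe"}          # placeholder, not the real agent name
EXPECTED_HOSTS = {"reporting.vendor.example"}      # placeholder, not the real vendor host

# Constructed sample egress log: one connection per line, as a firewall/EDR export might give it.
# Line 2 is the interesting one: the unchanged agent binary beacons to an unexpected address.
SAMPLE_LOG = """\
2009-08-01T10:00:01Z proc=antitheft-agent.exe sha256=knowngood0001 dst=reporting.vendor.example:80 action=allow
2009-08-01T10:05:02Z proc=antitheft-agent.exe sha256=knowngood0001 dst=203.0.113.7:80 action=allow
2009-08-01T10:06:00Z proc=browser.exe sha256=other0002 dst=203.0.113.7:443 action=allow
2009-08-01T10:10:00Z proc=antitheft-agent.exe sha256=knowngood0001 dst=reporting.vendor.example:80 action=allow
"""

# Parser for the constructed format above (IPv4 literals or hostnames; IPv6 is out of scope here).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+sha256=(?P<hash>\S+)\s+"
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+)\s+action=(?P<action>\S+)$"
)

Beacon = namedtuple("Beacon", "timestamp process host port binary_unchanged")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_redirected_beacons(log_text, known_good_hash,
                            agent_processes=AGENT_PROCESSES,
                            expected_hosts=EXPECTED_HOSTS):
    """Return agent connections whose destination is not one of the expected vendor hosts.

    The binary hash is reported alongside each finding but never used to suppress it:
    in the hijack described above the executable stays identical, so a hash match
    is exactly what a redirected agent looks like.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                                   # skip lines in another format
        if rec["proc"].lower() not in {p.lower() for p in agent_processes}:
            continue                                   # only the agent process matters here
        if rec["host"].lower() in {h.lower() for h in expected_hosts}:
            continue                                   # normal beacon to the vendor
        findings.append(Beacon(
            timestamp=rec["ts"],
            process=rec["proc"],
            host=rec["host"],
            port=int(rec["port"]),
            binary_unchanged=(rec["hash"] == known_good_hash),
        ))
    return findings


if __name__ == "__main__":
    for b in flag_redirected_beacons(SAMPLE_LOG, "knowngood0001"):
        note = "binary unchanged, hash will not help" if b.binary_unchanged else "binary differs"
        print(f"{b.timestamp} {b.process} -> {b.host}:{b.port} ({note})")
```

The allowlist of expected hosts is the part that has to be right for this to be useful: it should come from the vendor's documentation for your deployment, not from whatever the agent on a given machine happens to be configured with, since that configuration is precisely what the hijack changes.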
Many security professionals (including the authors) are referring to this as a rootkit. I personally think this is more of an extremely persistent backdoor, but those who call it a rootkit have a decent reason for doing so. Unlike most rootkits, this doesn't actually hide anything; the purpose of a rootkit is typically to avoid detection so that a hacker's control of a system can persist for as long as possible. The parallel between this insecurity and most rootkits is the persistence aspect. If abused, this could potentially provide an indirect backdoor into your system that survives reformats, and even the complete replacement of your hard drive.
So… Do you think Sophos should detect the Computrace Agent? Let us know what you think!