Sorry for the off-topic post: this has nothing to do with startups, web development or entrepreneurship, but I felt I should still write it.

I've just discovered a built-in rootkit in my wife's brand-new Toshiba laptop: a non-removable malicious software application straight from the manufacturer, one that even captured and sent out screenshots of my wife's work... But first things first.

First, let me apologize for the tone of this post and the somewhat incoherent writing. Please try to imagine where I am right now and accept my apologies: I finished dealing with this issue, like, 10 minutes ago, and, to be honest, I'm as angry as a bear.

It all started with some corrupted files and folders on my wife's laptop. No problem: I launched the CHKDSK utility and scheduled a disk scan on restart. No big deal, right?

Except there was no disk scan when I rebooted. I tried again: no scan. I tried everything: rebooting into safe mode, marking the disk as "dirty" with the CHKNTFS tool, booting from a recovery disk. Nothing helped; I just couldn't launch chkdsk or schedule it for the next startup. I figured the chkdsk file itself might be corrupted, so I ran "SFC /scannow", which is supposed to restore it.

The command got to 47% and aborted with the error message "Windows Resource Protection could not perform the requested operation". Hmmm... Maybe there's a virus preventing this? So I opened the Process Explorer tool (God bless SysInternals) and found a suspicious process called "rpcnetp.exe".

Why hello there! The process has empty "Description" and "Company Name" fields, and it loads "rpcnetp.dll" via AUTOCHK.EXE. A-ha! The tool that is supposed to launch the startup disk scan! This can't be a coincidence. I opened Autoruns (God bless SysInternals #2), trying to find a registry key or something else that launched this "rpcnetp" process.

Surprisingly, I found nothing. I decided to kill the process, delete those files from the "System32" folder and reboot the laptop. Imagine my frustration when those processes were back, up and running!

I spent hours trying to figure out where this monster launches from... I tried several antiviruses, a manual registry search, SysInternals tools... Nothing. So I turned to Google and found some links (the second link is in Russian).
It turns out the files are loaded from BIOS:
It's a "security" software built into the BIOS of many laptops called CompuTrace. It is sorta like "LoJack" for laptops. If your laptop is stolen, CompuTrace can notify a server where your laptop is. It is written by Absolute Software and provided to laptop manufacturers so they can include it in the BIOSes they supply for their laptops.
CompuTrace is a rootkit <...> it will hijack the AUTOCHK.EXE process that normally runs during Windows boot, and instead run its own code. One issue this rootkit may cause: chkdsk will not run during boot like it is supposed to.
So, what is this thing?
I'll summarize what I've found out so far:
- This thing lives in your BIOS.
- When the system starts, it searches for "autochk.exe" in your system folder (both FAT and NTFS drives are supported). It then hijacks "autochk.exe", substituting its own code, which unpacks and starts the "rpcnetp" process. It also verifies that the registry value [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] "BootExecute" is set to "autocheck autochk".
- When the Internet connection is up, it updates itself over the Internet (connecting to 209.53.113.xxx, xxx.absolute.com), tries to send some personal info to the server and then listens for instructions.
- This crap is white-listed by most well-known antivirus packages, which is why my antivirus did not find it.
- This crap has even taken screenshots of my wife's activity and placed the JPG files in the %WinDir% folder, and it gathered system reports about the laptop, our external IP address, etc. etc. etc.
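The three host-side indicators listed above (the rpcnetp binaries in System32, a modified autochk.exe, and screenshot JPGs dropped into %WinDir%) can be checked for without trusting the running system's antivirus. The script below is an added example, not code from this post's author or from Absolute Software: it builds a constructed, throw-away copy of a Windows directory layout in a temporary folder so it runs offline anywhere, then scans it. The baseline SHA-256 for autochk.exe is an assumption; on a real machine you would take it from install media or the Windows component store, never from the suspect file itself.

```python
"""Offline check for the Computrace (rpcnetp) host indicators described in the post.

Added example (not the post's or Absolute's code). Scans a %WinDir% tree for:
  * rpcnetp.exe / rpcnetp.dll in System32
  * an autochk.exe whose SHA-256 differs from a known-good baseline (assumed input)
  * stray .jpg files at the top level of %WinDir% (the screenshots the post describes)
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

AGENT_FILES = ("rpcnetp.exe", "rpcnetp.dll")  # file names taken from the post


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_windir(windir: Path, autochk_baseline_sha256: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator was seen."""
    findings: list[str] = []
    system32 = windir / "System32"

    # 1. Agent binaries dropped into System32.
    for name in AGENT_FILES:
        if (system32 / name).exists():
            findings.append(f"agent file present: {system32 / name}")

    # 2. autochk.exe replaced or patched: compare against the trusted baseline hash.
    autochk = system32 / "autochk.exe"
    if not autochk.exists():
        findings.append("autochk.exe missing from System32")
    elif sha256_of(autochk).lower() != autochk_baseline_sha256.lower():
        findings.append("autochk.exe hash does not match baseline")

    # 3. Screenshot JPGs written to the root of the Windows folder.
    for entry in windir.iterdir():
        if entry.is_file() and entry.suffix.lower() in (".jpg", ".jpeg"):
            findings.append(f"unexpected image in %WinDir%: {entry.name}")
    return findings


def build_sample_windir(infected: bool) -> tuple[Path, str]:
    """Construct a fake %WinDir% in a temp dir (constructed sample data, not real
    Windows files). Returns (path, baseline SHA-256 of the clean autochk stand-in)."""
    root = Path(tempfile.mkdtemp(prefix="windir-"))
    system32 = root / "System32"
    system32.mkdir()
    clean_autochk = b"MZ-constructed-clean-autochk"  # stand-in for the real binary
    (system32 / "autochk.exe").write_bytes(clean_autochk)
    baseline = hashlib.sha256(clean_autochk).hexdigest()
    if infected:
        # Simulate the post's observations: patched autochk, agent files, a screenshot.
        (system32 / "autochk.exe").write_bytes(b"MZ-constructed-patched-autochk")
        (system32 / "rpcnetp.exe").write_bytes(b"MZ-constructed-agent")
        (system32 / "rpcnetp.dll").write_bytes(b"MZ-constructed-agent-dll")
        (root / "screen1.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpg")
    return root, baseline


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        windir, baseline = build_sample_windir(infected)
        print(label, scan_windir(windir, baseline))
```

Because the agent re-creates its files from the BIOS at every boot, a clean result from this scan only says the agent was not active at scan time; re-run it after a reboot before concluding anything.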
How to fight this
If you find this process ("rpcnetp.exe") in the process list, follow these steps:
- Delete the files rpcnetp.exe and rpcnetp.dll from your system
- Move autochk.exe to another folder
- Edit the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):00,00
- Note that this crap will come back after reinstalling Windows
- Note that you can forget about the checkdisk tool forever.
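The registry edit above is the reason chkdsk stops working: in a .reg file, hex(7) is a REG_MULTI_SZ, stored as comma-separated bytes of UTF-16LE text where each string ends in a 16-bit null and the whole list ends in one more. "hex(7):00,00" is therefore an empty list, so nothing (not even the legitimate autochk) runs at boot; the Windows default is a single entry, "autocheck autochk *". The helpers below are an added example, not code from the post or from Microsoft: they encode and decode that format and audit a BootExecute value, flagging an empty list or any entry beyond the default. Extra entries are not proof of this agent (some legitimate tools register boot-time tasks too); they are a prompt to look closer.

```python
"""REG_MULTI_SZ (hex(7)) helpers for auditing the BootExecute value.

Added example, not code from the post. Encoding rule (as written by regedit):
  each string as UTF-16LE + 00,00, then a final 00,00 terminating the list.
"""
from __future__ import annotations

KEY_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]  # stock Windows value


def encode_multi_sz(strings: list[str]) -> str:
    """Encode a list of strings as a .reg-style hex(7) value."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data += b"\x00\x00"  # list terminator; an empty list is just this: 00,00
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(value: str) -> list[str]:
    """Decode a hex(7) value (possibly wrapped with backslash continuations,
    as regedit exports long values) back into its list of strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    body = value[len("hex(7):"):].replace("\\\n", "").replace("\\\r\n", "")
    body = body.replace(" ", "")
    raw = bytes(int(x, 16) for x in body.split(",") if x)
    text = raw.decode("utf-16-le")
    parts = text.split("\x00")
    # The per-string and list terminators leave empty strings at the end; drop them.
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def audit_boot_execute(value: str) -> list[str]:
    """Return findings about a BootExecute hex(7) value; [] means stock configuration."""
    entries = decode_multi_sz(value)
    findings: list[str] = []
    if not entries:
        findings.append("BootExecute is empty: autochk (chkdsk at boot) is disabled")
    for e in entries:
        if e not in DEFAULT_BOOT_EXECUTE:
            findings.append(f"unexpected BootExecute entry: {e!r}")
    return findings


def reg_fragment(strings: list[str]) -> str:
    """Render a .reg fragment for BootExecute, in the layout the post shows."""
    return f"[{KEY_PATH}]\n\"BootExecute\"={encode_multi_sz(strings)}"


if __name__ == "__main__":
    # The post's edit, decoded: an empty list.
    print(decode_multi_sz("hex(7):00,00"))
    # What restoring the stock value would look like in a .reg file.
    print(reg_fragment(DEFAULT_BOOT_EXECUTE))
    print(audit_boot_execute("hex(7):00,00"))
```

To restore boot-time chkdsk later (once the BIOS agent has been dealt with), the fragment produced by reg_fragment(DEFAULT_BOOT_EXECUTE) is the value to put back.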
What's the big deal?
Now, this rootkit does no harm. But:
- I don't like that someone collects my personal info without my permission
- I don't want my computer running programs I never approved
- I don't like the possibility that a dishonest employee at Absolute Software can execute remote commands on millions of laptops. There's a name for this. It's called a botnet.
- I don't like the possibility that some malware authors can piggyback this system.
- I want to be able to CHKDSK my hard-drive for Pete's sake!!!
UPDATE 4: I've just sent a support ticket to Absolute Software requesting removal of this tool; let's wait for their reply...
33 comments:
Install linux, problem solved.
Yeah, my wife'd be happy to learn some Linux :)
Install Ubuntu Linux on her machine. It's easy to use.
Installing Linux doesn't change the fact there's a piece of code in the BIOS making unauthorised and ill-advised changes to his operating system. While "Install Linux" might be the rallying cry of people without constructive input, if the market share were reversed, Linux could very well be in the same position. Point being, the OS is irrelevant, there's malicious code in the BIOS having an adverse effect on the OS that Toshiba needs to explain.
Ha. "Install linux". Sorry but security through obscurity will never be the answer. There are rootkits for linux too people, just throwin that out there.
This is terrible!! I can't believe manufacturers are doing things like this. Samsung also does it: http://tinyurl.com/43t69uh
We need Open Source Hardware portable laptops now!
Who knows what we may find on modem/wifi/ethernet chips...
Of course, using Linux could be a solution, but remember even the kernel has blobs...
I believe this kind of behaviour in manufacturers shouldn't be allowed without notifying the user correctly. This should be regulated.
Anonymous: The likelihood that Linux vendors would accept software to hijack the operating system this way, let alone whitelisting it in malware scans, is pretty much zero. Pretend nothing else.
Should've gotten a Mac in the first place.
"Ha. "Install linux". Sorry but security through obscurity will never be the answer. There are rootkits for linux too people, just throwin that out there. "
Obscurity? Linux is everywhere: servers, routers, etc., and Linux is secure because the source code can be looked at by millions.
Anonymous:
Forget about Mac, see what they do with iPhone/iPad...
Maybe "Install Linux" may not be as unconstructive as you think.
Have you considered virtualizing her Windows environment? The BIOS won't recognize where the process is.
The added bonus is that she can switch to Firefox/Chromium under linux and browse with less threat from malware.
The downside is that there is a performance hit. I guess it depends on how techy she is, how much performance she actually uses on her machine, and how much lag she will notice.
"Anonymous said...
Ha. "Install linux". Sorry but security through obscurity will never be the answer. There are rootkits for linux too people, just throwin that out there."
Is this a joke? Linux is obscure? And as if we don't know rootkits exist for Linux? The issue here is a rootkit installed by the people who sold you the system. That's a bit different than merely 'existing'.
My mother has been using Linux for two years and it's been really trouble free.
@AZ: You are completely wrong and dumb. They do not track. The aim was, like in TomTom or other navigation software, to implement in the next firmware the feature to know how many people are nearby and therefore to know if there are possible traffic jams.
I believe changing the hard drive will stop computrace...
"Install linux, problem solved." - And lots of new problems gained in return.
Why is it that so many morons belch out this dumb-ass advice every time there's a problem with Windows? Seriously...
Obviously, if this were happening on a Linux box, many options (different BIOSs, bootloaders) would be available that are not in the case of Windows. And at least in this case, changing the OS to anything but Windows would render this rootkit inoperative. So, "install Linux" looks like a pretty good solution.
If you're competent with IDA, could you patch some of the stuff out of the bios image, and then re-flash?
Problems you don't have on a Mac.
You can keep your shitty bulky PC laptop that spies on you, thanks. :)
Jonas:
What makes you think Microsoft did? There's no way known that Microsoft would endorse this behaviour, especially when in the process it's hijacking binaries crucial to the functioning of the OS.
The way this has been implemented compromises the integrity of the system; when this happens, MS tends to get blamed despite it being the fault of a 3rd party making dumb modifications.
It's not in MSs interest in any sense to permit this.
You sure you didn't "agree" to it? You probably did in one of the EULA's you accepted without reading.
"Problems you don't have on a Mac. You can keep your shitty bulky PC laptop that spies on you, thanks. :)"
The most hilarious thing about your snarky, smug little comment is your obvious ignorance of the fact that the iPhone tracks everywhere you go and dumps it onto your computer in unencrypted format so any application can read it.
But hey, we're used to smug, ignorant Apple users. Without self-satisfied yuppie posers Apple would have gone out of business ages ago.
Dude- just go to Absolute Software (the makers of Computrace) and request the process to remove/disable Computrace- relatively quick/painless. And to the rest of you- Linux or Apple ain't going to make a dif. It is BIOS loaded- by design not usually OS dependent. In some cases you can disable via the BIOS as well. Also you may want to check your "collects personal information" statements.
Much easier to remove Computrace than to stop your cell phone from keeping track of you.
To the author:
I would not equate "cannot rescue your data from drive corruption" with "rootkit does no harm". Most portable storage devices still use FAT32. Those need CHKDSK in case of the worst. Most posters here will be able to think of other ways to recover their files, but the average laptop owner won't.
To the "Install Linux" crowd:
If enough laptop owners install Linux then Absolute will write a Linux wrapper for their driver. They wouldn't want to leave you unprotected.
While I agree, and personally would support, that installing another OS would fix it right now. It is equivalent to "Security by Obscurity." This is obscure in the sense that Absolute just hasn't taken the time to work around it.
There is however ANOTHER solution that is OS independent and likely not one that can easily be hijacked. Use TrueCrypt or some other disk encryption system. This should allow you to get back the proper CHKDSK without fear that it'll come back with the rootkit, with a minimal performance impact compared to installing another OS and virtualizing Windows, or even learning a new OS.
If you're interested in removing the rootkit by replacing the BIOS, you should check out the Coreboot project: http://www.coreboot.org/Welcome_to_coreboot They may support your board, and since it's Free software, it provides a nice guarantee against other manufacturer-sanctioned nasties.
Check this presentation from 2009: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Deactivate_the_Rootkit
Excellent article! Every time I read one of these accounts of consumer products laced with root-kits (a-la Sony) it gets my blood boiling.
Now I need to cross check my ACER laptop when I get home for signs of this.
?!
You guys can't be serious lol. That's your solution? INSTALL LINUX?
I love Linux, but every time there is any bit of rockiness with an OS the answer is not to CHANGE OSes. Especially when it's not the OS's fault? This is a manufacturer literally exploiting the system. This technique could be used on ANY kind of OS. As a matter of fact, complete control over a user's system? This is RIGHT UP "Apple Alley".
To anyone who talks about Apple: they are on the partner list and OS X has its own implementation of this rootkit.
Hence the importance of building your own router/firewall so you know what your machines are trying to send to the external world. Thing is, a laptop is a roaming device, so you'd be likely to connect from other non-thoroughly-filtered networks and then be geolocalised...
Alternatively, and since the identification system might be based on the MAC addy (which is sent through), then what if you don't use the laptop's default NIC and add your own NIC?
This may trick the rootkit... I would assume that the BIOS-level rootkit program is rudimentary and wouldn't bother detecting the network interfaces?
I don't understand why the US govt hasn't passed regulations concerning this huge security issue with motherboards, phones, medical devices, etc. with China; it provides China with a wealth of information via their rootkits about America's technology, innovation and, more importantly, its people.
I have a new machine and a new laptop at home that haven't even been online and they both have vicious rootkits. I've only installed Photoshop, nothing else.
The rootkit injects XML into every file and will push a sepia filter through the CPU as punishment if I attempt to change my Photoshop settings to where I need them to be. If I try to open its directory while on the hard drive, the rootkit uses a LaTeX filter and/or bold Asian characters on the CPU. I've attempted to flash the BIOS with no hard drive running on a live CD, as well as with no hard drive attached with a USB floppy, and it does not work.
I've done so much research, and have read so many books, and am so frustrated with this that my anger often ends in tears.
LOL, if hackers target that server, I'm pretty sure they might find classified info!
https://www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
Everything you need to know, kind sir.