Punta Cana, Dominican Republic - February 12, 2014 - Kaspersky Lab’s security research team published today a report confirming and demonstrating that the weak implementation of anti-theft software marketed by Absolute Software can turn a useful defensive utility into a powerful utility for cyberattackers.
In a stealthy way, this poor implementation gives attackers full access to millions of users' computers. The focus of the research was the Absolute Computrace agent that resides in the firmware, or PC ROM BIOS, of modern laptops and desktops.
The major reason for this research project was the discovery of the Computrace agent running on several private computers of Kaspersky Lab’s researchers and corporate computers without prior authorization. While Computrace is a legitimate product developed by Absolute Software, some owners of the systems claimed that they had never installed, activated or had ever known about this software on their machines. Most traditional pre-installed software packages can be permanently removed or disabled by the user; however Computrace is designed to survive professional system cleanup and even hard disk replacement.
A user can mistakenly recognize Computrace as malicious software because it uses so many tricks popular in modern malware: anti-debugging and anti-reverse engineering techniques, injection into memory of other processes, establishment of secret communications, patching system files on disk, keeping configuration files encrypted, and dropping a Windows executable right from the BIOS/firmware.
● According to Kaspersky’s Security Network, there are approximately 150,000 users who have the Computrace agent running on their machines. The estimated total number of users with the activated Computrace agent may exceed 2 million. It's unclear how many of those users know about Computrace running on their systems.
● The majority of such computers are located in The Unites States and Russia.
The network protocol used by the Computrace Small Agent provides basic features for remote code execution. The protocol doesn't require using any encryption or authentication of the remote server, which creates many opportunities for remote attacks in the hostile network environment.
An attack platform
There is no proof that Absolute Computrace is being used as a platform for attacks. However, experts from several companies see the possibility for attacks; some alarming and unexplained facts of unauthorized Computrace activations make this more and more realistic.
Back in 2009, researchers from Core Security Technologies presented their findings on Absolute Computrace. The researchers warned about the dangers of this technology and how an attacker could modify the system registry to hijack the callbacks from Computrace. An aggressive behavior of the Computrace Agent was a reason why it was detected as malware in the past. According to some reports Computrace was detected by Microsoft as VirTool:Win32/BeeInject. Nevertheless the detection was later removed by Microsoft and some anti-malware vendors. Computrace executables are currently whitelisted by most anti-malware companies.
Vitaly Kamluk, Principal Security Researcher, Global Research and Analysis Team
“Powerful actors with the ability to tap fiber optics can potentially hijack computers running Absolute Computrace. This software can be used to deploy spyware implants. Our estimate is that millions of computers are running Absolute Computrace software and a large number of the users might be unaware that this software is activated and running. Who had a reason to activate Computrace on all those computers? Are they being monitored by an unknown actor? That is a mystery which needs to be solved.”
“Such a powerful tool as Absolute Computrace software must use authentication and encryption mechanisms to continue serving the greater good. It's clear that if there are a lot of computers with Computrace agents running, it is the responsibility of the manufacturer (in this case Absolute Software) to notify users and explain how the software can be deactivated and disabled. Otherwise, these orphaned agents will keep on running unnoticed and provide a possibility for remote exploitation.”
To read the full report with a detailed description of the Absolute Computrace Agent's operation, see Securelist.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.