Anti-theft Software Could Be Attackers’ Conduit to Millions of PCs

February 13, 2014 – 5:34 PM

A useful cyber-defensive utility can be turned into a powerful tool for cyber-attackers, giving them full access to millions of users’ computers, according to research from Kaspersky Lab on a component of Absolute Software’s anti-theft software.

The focus of the Kaspersky research was the Absolute Computrace agent that resides in the firmware, or PC ROM Basic Input/Output Systems (BIOS), of modern laptops and desktops. It’s a key part of the ability to trace endpoints in case of loss or theft by products like Absolute’s LoJack offering. But the firm decided to look into it after the Computrace agent was found running on several private computers of Kaspersky Lab’s researchers and corporate computers without prior authorization.

While Computrace is a legitimate product developed by Absolute Software, signs point to a bad actor potentially using it to infiltrate a wide range of systems. Some owners of the systems examined by Kaspersky claimed that they had never installed, activated or known about this software on their machines.

The software has traits that would be attractive to hackers, Kaspersky said. For instance, while most traditional pre-installed software packages can be permanently removed or disabled by the user, Computrace is designed to survive professional system cleanup and even hard disk replacement. It also uses a bag of tricks that are popular in modern malware – for example, anti-debugging and anti-reverse engineering techniques, injection into the memory of other processes, establishment of secret communications, patching system files on disk, keeping configuration files encrypted and dropping a Windows executable right from the BIOS/firmware.

