August 5th, 2009

Absolute Software downplays BIOS rootkit claims

Posted by Dancho Danchev @ 2:47 pm

Categories: Anti Virus, Complex Attacks, Hackers, Malware, Reverse Engineering, Rootkits

Tags: Absolute Software, Malware, Rootkit, LoJack, Anti-theft Service, Conficker, BIOS, Spyware, Adware & Malware, Cyberthreats, Security

Following a flood of calls from customers, the company behind the LoJack anti-theft service, which researchers from Core Security Technologies recently portrayed as a security threat, issued a statement downplaying the researchers’ claims.

According to the statement, LoJack is neither a rootkit nor does it behave like one. Moreover, the company insists that the product isn't forced upon any user, and that even if someone attempts to use it as an infection vector for BIOS-persistent malware, traditional antivirus software will detect the attempt.

More from the press release:

Our BIOS module allows no special undetected path into the operating system. Uncontrolled access to a computer system may allow some BIOS images to be tampered with by an expert. Attempting to alter the Computrace BIOS module for malicious purposes will not defeat conventional detection as claimed by the authors. Any alteration to the BIOS module will cause any popular antivirus software to alert the customer.

More importantly, if the BIOS of a computer has been compromised by an attacker, that machine is exposed to innumerable other vulnerabilities far beyond the scope of the Computrace BIOS module. The presence of the Computrace module in the BIOS in no way weakens the security of the BIOS.

To a certain extent, every anti-theft service operates like malware: you wouldn’t want the thief to be able to uninstall it while offline and then conveniently connect online without worrying that the victim will be able to trace him. And even though it is very likely that current LoJack customers are already infected with malware that didn’t take advantage of LoJack, since it basically doesn’t need to, what the researchers really expose is an anti-theft service that is trivial to deactivate and take control of maliciously, on two counts: a flawed update mechanism and a lack of advanced self-protection mechanisms.

Moreover, the company states that “Computrace is designed to be activated, deactivated, controlled and managed by the customer using encrypted channels.” Long gone are the days when a plain HTTP update mechanism addressed by domain name, with no digital signatures, combined with an 8-bit XOR-obfuscated configuration block, could be described as encrypted channels. Going through the research presented by Alfredo Ortega and Anibal Sacco, the “encrypted channels” mentioned suddenly disappear:

Unpacked, the configuration block is easily modifiable. By simply changing the URL or IP, we can redirect the agent queries to our site. This is very easy to accomplish in the registry, but we don’t have persistence for merely modifying the registry. To modify the configuration of the persistent agent we need to modify and reflash the BIOS. This is possible in many systems at the date of publication for this article, as unsigned BIOS are common.
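As an added illustration (not code from Core, Absolute, or this post), the following Python shows why a single-byte XOR over a configuration block is obfuscation rather than encryption, and, by contrast, what binding the callback URL to a key would look like. The sample block, its key 0x5A and the host agent.example.invalid are constructed, and HMAC stands in for the vendor digital signature a real update path would need.

```python
# Added illustration: a config block "protected" by one XOR key byte,
# recovered from the known "http://" prefix, versus a keyed integrity tag.
import hmac
import hashlib

CRIB = b"http://"  # assumption: the block starts with the callback URL


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the same single key byte to every byte (8-bit XOR)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, crib: bytes = CRIB) -> int:
    """Known-plaintext recovery: the key byte is crib[0] ^ blob[0],
    confirmed against the rest of the crib. Raises if no key fits."""
    key = blob[0] ^ crib[0]
    if xor_bytes(blob[: len(crib)], key) == crib:
        return key
    raise ValueError("crib does not match at offset 0")


def read_callback_url(blob: bytes) -> str:
    """Decode the block and return the NUL-terminated URL it carries."""
    plain = xor_bytes(blob, recover_xor_key(blob))
    return plain.split(b"\x00", 1)[0].decode("ascii")


# Constructed sample block: one key byte, no signature, NUL-terminated URL.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = xor_bytes(b"http://agent.example.invalid/check\x00", SAMPLE_KEY)


def tag_config(plain_config: bytes, signing_key: bytes) -> bytes:
    """Integrity tag over the plaintext block. HMAC is a stand-in for a
    vendor signature: the URL is bound to a key a reflash cannot supply."""
    return hmac.new(signing_key, plain_config, hashlib.sha256).digest()


def accept_config(plain_config: bytes, tag: bytes, signing_key: bytes) -> bool:
    """Accept the block only if its tag verifies (constant-time compare)."""
    return hmac.compare_digest(tag_config(plain_config, signing_key), tag)
```

With only the XOR layer, anyone holding the block reads and rewrites the URL; with the tag, a changed URL fails verification unless the signer's key is also held.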

For years, malware authors have been conducting network reconnaissance in an attempt to automatically prevent infected users from reaching the hard-coded update locations of antivirus software. Conficker is the most recent example of this fairly simple but highly effective approach.

Should LoJack customers worry? Common sense in the current threatscape positions the practice of hijacking the service for malware-serving purposes as a highly exotic one. But yes, the flaw is there. What the customers of the service should really be concerned with is the ease with which a potential thief can block it from phoning back his location.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 10)

RE: Absolute Software downplays BIOS rootkit claims
Core has released all the resources, including tools and a sample of the *unencrypted* traffic here:

Posted by: mongomongo, 08/13/09