Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Overview of 2009 Computrace Research.

No description

Hannibal San

on 25 June 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Overview of 2009 Computrace Research.

Long Story, short.
Persistent BIOS Infection (with Alfredo Ortega, CanSecWest09/Syscan09). Lots of BIOS reverse engineering fun.

Found a very particular OptionROM

- String references: iexplore.exe, rpcnetp.exe,
- Strange components: FAT/NTFS driver
- Even more strange: Embedded PE files.
What is Computrace?
- Absolute Corp. Computrace, Software Anti-theft system
- Call-home mechanism within the OS (Application/Service)
- The server (home) can gather information, execute code and even wipe the HDs remotely.

Agreements with motherboard vendors to offer
through an

on most BIOS/EFI (more, later)

How does the persistancy agent work?
- Check if the agent is activated (NVRAM)
- Detect HD filesystem
- Check if the windows binaries exist
- If not, restore them.
We are a happy family
Computrace lives in your BIOS even if you never heard of it.

For a complete list of vendors, check http://www.absolute.com/en/partners/bios-compatibility
Persistancy agent activation
- In a legit installation, the windows agent is installed and an entry is set in CMOS NVRAM.
- This let the BIOS stub know that it is installed.

No authentication of any kind. It can be done by anybody with system privileges, or with physical access.
Problems found
- You have a latent rootkit in your BIOS
- As it is positioned as a legitimate product, is whitelisted by all AV companies, including Kaspersky.
- No digital signature
- Communicates through an unencrypted channel (MITM is possible)
- Server info stored unencrypted (Redirection is possible. Demonstrated in 2009 talk)
Overview of Black Hat '09 presentation: "
Deactivating the rootkit
Anibal Sacco
Security Researcher
Full transcript