Is Computrace Helping Your Attackers?

Most computer users aren’t aware about a preloaded anti-theft product which is a part of almost all PCs. Embedded mostly in the BIOS PCI Optimal ROM of computers, Computrace can also be found in the UEFI (Unified Extensible Firmware Interface), and is designed by Absolute Software.

computrace

Photo: ChromaWise / Shutterstock

Although it is an authorized application, it initiates itself at the system boot without the user’s permission. Computrace is vulnerable to attacks and can be exploited by hackers.

In a study named Absolute Computrace Revisited, Vitaly Kamluk and Sergey Belov from Kaspersky Labs and Anibal Sacco from Cubica Labs uncovered the weak side of Computrace. The research was presented at Kaspersky Security Analyst Summit (SAS) which was held in the Dominican Republic.

While the official paper sent out by Absolute Software mentions that Computrace would be enabled only if permitted by the user or the admin controlling the machine, the software is still being automatically initiated.

According to Kamluk, Belov, and Sacco; the manufacturers aren’t doing this intentionally. In fact, they are unaware of its automatic initiation. What makes it even worse is that once initiated, it cannot be easily removed or disabled.

According to Sacco and Kamluk, the complex process of removal must be due to an unintentional bug in the software.

What makes Computrace hacking a threatening prospect is the fact that it works without encryption even while it communicates with the other parts of the computer. It can receive commands from unidentified remote servers. The software’s mode of operation makes things even more complicated. The default autochk.exe file in the system is updated by UEFI/BIOS. This new file registers the rpcnetp system service. Upon communication with the Absolute server, this new system service is replaced by rcpnet. And if the user deletes this dangerous remote administration module, it shows up on the computer again.

Kamluk tried to explain the issue with Computrace. He said that being a part of the BIOS, such software is complex and cannot be updated regularly, and hence it is made extensible. This makes it powerful enough to run any code in the system. According to Kamluk, if a hacker gains control over its mechanism, he can get all privileges and do almost anything on the machine. From monitoring to deleting data and spying, he can perform a number of functions.

Surprisingly, the reason behind the software’s automatic initiation still remains anonymous. The only assured fact is that the initiation of Computrace is activated at the time of first system boot. A new machine with non-initiated Computrace would give a better understanding of its automatic initiation.

Apart from that, Kamluk further disclosed a remote execution vulnerability in Computrace. This feature gives it the capability to bypass the security software. This also highlights the actual working of Computrace running on many machines.

To further explore the working of Computrace, Kamluk and Sacco ran some tests on new machines. According to them, in the first test, the application is launched upon activation of BIOS/UEFI dropper. This is followed by the system reboot. At this stage, the status of rpcnetp.exe is checked. In the third step, the BIOS/UEFI dropper is deactivated. The final test involves rebooting and checking if rpcnetp.exe is running. The test, while performed by Kamluk and Sacco, couldn’t complete all the stages and crashed in the middle of the third stage, failing to stop the initiation of Computrace.

While denying any existing shortcomings in their product, Absolute Software has pledged to take care of all the security issues.

According to Sacco and Kamluk, Computrace isn’t even caught by any anti-virus software. Among the multiple reasons behind this, the most significant one is that being a legitimate software, Computrace is placed in the white list of most anti-virus databases.

While Computrace was never developed to be a malware, its intentional malicious use can cause some serious harm.
Even in the systems that don’t have Computrace, rpcnetp.exe can be infected to form a communication channel with the machine. But if Computrace is present in the system, rpcnetp.exe can be rigged even more easily and redirected without any binary modification.

According to the researchers, a minor adjustment can modify the registry and redirect rpcnetp.exe. This slight alteration would easily transfer the machine’s control to hackers. This provides the hackers with a camouflaged connect back method.

While the modified versions of rpcnet executables are caught by most anti-virus tools, the executables are still not completely blocked because of their presence in the white list.

The researchers didn’t blame Absolute Software for the product’s shortcoming. But they also remarked that if this unintentional bug has embedded itself into the program, then it is the obligation of the developer to get rid of it and inform the users about how to keep themselves safe. Otherwise, it could easily be a breeding ground for the hackers.