Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Researchers find insecure BIOS 'rootkit' pre-loaded in laptops

By Ryan Naraine | July 30, 2009, 1:18pm PDT

LAS VEGAS — A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.

The service — called Computrace LoJack for Laptops — contains design vulnerabilities and a lack of strong authentication that can lead to “a complete and persistent compromise of an affected system,” according to a Black Hat conference presentation by researchers Alfredo Ortega and Anibal Sacco from Core Security Technologies.

Computrace LoJack for Laptops, which is pre-installed on about 60 percent of all new laptops, is a software agent that lives in the BIOS and periodically calls home to a central authority for instructions in case a laptop is stolen. The call-home mechanism allows the central authority to instruct the BIOS agent to wipe all information as a security measure, or to track the whereabouts of the system.

For it to be an effective theft-recovery service, Ortega and Sacco explained, it has to be stealthy, must have complete control of the system and must be highly persistent to survive a hard disk wipe or operating system reinstall.

“This is a rootkit. It might be a legitimate rootkit, but it’s a dangerous rootkit,” Sacco declared. The research team stumbled upon the rootkit-like technology in the course of their work on BIOS-based malware attacks. At last year’s CanSecWest security conference, the duo demonstrated methods for infecting the BIOS with persistent code that survives reboots and reflashing attempts.

[ SEE: Researchers demo BIOS attack that survives hard-disk wipe ]

The biggest problem, Ortega explained, is that a malicious hacker can manipulate and control the call-home process. That’s because the technology uses a configuration method that contains the IP address, port and URL, all hard-coded in the Option ROM. At first run, Sacco explained, the configuration is copied to many places, including the registry and the hard disk’s inter-partition space.

The duo found that it’s trivial to search for and modify the configuration, giving them the ability to point the IP and URL at a malicious site, from which unauthenticated payloads can be directed to the laptop.
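Because the call-home target is copied into the hard disk's inter-partition space, a defender can audit that region for configuration strings that no longer point at the expected recovery server. The following is an added example, not code from the article or from Core Security; the sector layout, disk image and host names are constructed placeholders, and the real agent's on-disk format is not assumed.

```python
"""Scan the inter-partition gap of a raw disk image for URL-like call-home
strings and flag any whose host is not on the allow-list of expected servers.
Everything below (image layout, blob format, host names) is constructed for
the demo; it does not model the real agent's storage format."""
import re
from typing import Dict, List, Tuple

SECTOR = 512
# Assumed legacy layout: MBR in sector 0, first partition starting at sector 63,
# so sectors 1..62 form the inter-partition gap described in the article.
GAP_START, GAP_END = 1 * SECTOR, 63 * SECTOR

# Hypothetical allow-list of legitimate call-home hosts (placeholder names).
EXPECTED_HOSTS = {"recovery.example-vendor.test"}

# Matches http(s)://host[:port][/path]; the path stops at any non-printable byte.
URL_RE = re.compile(rb"(https?)://([A-Za-z0-9.-]+)(?::(\d{1,5}))?(/[\x21-\x7e]*)?")


def extract_callhome_targets(gap: bytes) -> List[Tuple[str, int, str]]:
    """Return (host, port, path) for every URL-like string found in the gap."""
    targets = []
    for m in URL_RE.finditer(gap):
        scheme = m.group(1)
        host = m.group(2).decode("ascii")
        default_port = 443 if scheme == b"https" else 80
        port = int(m.group(3)) if m.group(3) else default_port
        path = (m.group(4) or b"/").decode("ascii", "replace")
        targets.append((host, port, path))
    return targets


def audit_image(image: bytes) -> Dict[str, object]:
    """Audit only the inter-partition gap; report targets not on the allow-list."""
    targets = extract_callhome_targets(image[GAP_START:GAP_END])
    unexpected = [t for t in targets if t[0] not in EXPECTED_HOSTS]
    return {"targets": targets, "unexpected": unexpected, "tampered": bool(unexpected)}


def build_demo_image(callhome_url: bytes) -> bytes:
    """Construct a tiny raw image: boot signature in sector 0, a NUL-terminated
    config blob at sector 5 (inside the gap), zero padding elsewhere."""
    img = bytearray(64 * SECTOR)
    img[510:512] = b"\x55\xaa"
    blob = b"CFG\x00" + callhome_url + b"\x00"
    img[5 * SECTOR:5 * SECTOR + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    clean = build_demo_image(b"http://recovery.example-vendor.test:80/agent")
    changed = build_demo_image(b"http://update.attacker.test:666/agent")
    for label, img in (("clean", clean), ("modified", changed)):
        print(label, audit_image(img))
```

On a real system the same scan would be run over the raw device (for example from a forensic image) and the allow-list populated from the vendor's documented servers; the registry copies the article mentions would need a separate check.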

Because the rootkit is white-listed by anti-virus software, the malicious modifications will go unnoticed. On unsigned BIOSes, Sacco and Ortega said modifi



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

158 Comments


RE: Researchers find insecure BIOS 'rootkit' pre-loaded in laptops
birumut Updated - 29th Apr 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
The BIOS is really deep!
BALTHOR 30th Jul 2009
You'll never get this virus out. Nobody will let you into the BIOS!
BIOS access
Mihi Nomen Est 31st Jul 2009
So the Linux BIOS is sealed?
Yes it is!!
Too Old For IT 31st Jul 2009
But only after Feisty Fawn ...
Linux BIOS !?!
rjacksix 3rd Aug 2009
Can you say n00b. The BIOS is OS neutral so quit trying to start a flame war over something you OBVIOUSLY don't understand.

Sheesh
There is sometimes a difference (and issues) between the Intel & MS spec.
Guess which one sometimes has issues with alternate systems?

Anyway there is/was a LinuxBIOS, it is now called CoreBoot
http://en.wikipedia.org/wiki/Coreboot

Also there are things Like Splashtop/ExpressGate & Hyperspace
While not actually BIOS they are a nearly instant-on Linux environment stored in the flash memory usually reserved for motherboard BIOS, and may even do device VM (run multiple systems concurrently)
http://en.wikipedia.org/wiki/Splashtop
http://en.wikipedia.org/wiki/HyperSpace_(software)
peel -n- eat
pgit 1st Aug 2009
BIOS should go back to the old days of a removable chip. I remember swapping BIOS chips around on 486 machines. By P-II it seemed this was abandoned.

On a separate chip it would be a very simple matter to check for a rootkit or other problem. A separate reader could compare what exists against what should be, i.e. peel the chip off, plug it in to a device and have at it.
And...
bernalillo 3rd Aug 2009
That makes it pretty easy to "fix" a stolen laptop.
"periodically calls home to a central authority"

umm.. I no likee that partz. At least there should be an option to remove this or turn it off so it can only be turned on by a console user. If "console" even means anything any more.

The best thing to do is take measures to prevent the notebook from being stolen or to make it harder to steal in the first place. My employer's stays locked in a cabinet if it's not in my custody. Mine get the same treatment at home. If in the car, hidden. It's amazing how people just leave these things lying around to be taken by the thief of opportunity.
Big Brudduh vs Hacker:
XweAponX 4th Aug 2009
At least there should be an option to remove this or turn it off so it can only be turned on by a console user.

The DELL laptops allow you to completely disable COMPU-PUKE-TRACE. UNFORTUNATELY, this option is irreversible, if you shut it off, you can never ever activate it again.

Alternately, if you steal or otherwise acquire a DELL laptop that has Compu-Poop-Trace ACTIVATED, you also are prevented from DISABLING it.

When the BIOS are opened for first use, you are given access to the COMPUPUKE feature and you are asked if you want to ENABLE or DISABLE it. I always choose DISABLE.

Also, even if enabled, you have to pay even more MONEY to use the technology, as in you gotta have a Compu-Narc account to have yer missing computer located.

That is the BIG problem with this tech:

If I BUY a brand new computer that has theft-tracking tech BUILT IN? Then the SYSTEM BETTER DAMN WORK without HAVING TO PAY EXTRA DAMN MONEY to use it!

That is where the freakin computer manufacturers get us over a barrel to nickle and dime us 2 deth: They insert tech that looks useful, but to USE it, ya gotta pay almost as much as you paid for the laptop!
So what's your point?
CarlS 7th Aug 2009
If I BUY a brand new computer that has theft-tracking tech BUILT IN? Then the SYSTEM BETTER DAMN WORK without HAVING TO PAY EXTRA DAMN MONEY to use it!

You're saying they should not have the technology built in?

Or that they should charge everyone for it (by increasing the purchase price), including those, like yourself, who don't want to use it?
They should be on a SEPARATE chip with authentication necessary to write to it.
You are absolutely right
aandruli@... 31st Jul 2009
Should be hardcoded into a chip, like you said, so IP and URL cannot be changed, but that will cost a few dollars more and all the manufacturers are going for cheaper. The "better mousetraps" always seem to lead to "better mice" -- and the wheels go round and round. Best practice -- don't lose your laptop in the first place!
No good!
NetArch. 31st Jul 2009
aandruli - re-read the article. Since the code phones home periodically, there's no need to have physical possession of the laptop to exploit it. If there exists any other exploitable flaw in the OS of the laptop, it can be compromised remotely. Plus, upstream routers can be programmed to route specific addresses to rogue servers masquerading as the legitimate security servers the code is supposed to report back to...

Scary...
Isn't this also...
ShadowGIATL 31st Jul 2009
more what the TPM chips were for? Why is this in the BIOS in the first place?
there should be an option in the BIOS to turn it
theguru1995@... 31st Jul 2009
off. WOW, I can't believe the things I am seeing and hearing. I went to bed one day, and woke up to this... Unbelievable.
pre-installed on 60 percent of all new laptops!?
is it worldwide or just U.S.?

I surfed around for the source of this for a while, but couldn't find the source. Could you tell me something about this information?
Ho Ho HO HA HA HA Ha. I wonder if the NSA knows this? Ya
Think?

Do all Computer systems have a BIOS?
BIOS Rootkit
toml_12953 31st Jul 2009
No, not all systems have BIOS. Some have EFI which is a different animal.
RE: Who Knew!!!
gizmo350 31st Jul 2009
This is actually quite disturbing... If Computrace LoJack for Laptops is pre-installed on about 60 percent of all new laptops, how is this function even activated in case of laptop theft? Who knows how to activate it? Where is the manufacturer's documentation for this function (in case of laptop theft)? Why is it even there if no one even knows how to use it for its intended purpose? How does one know if this rootkit is part of the machine's BIOS? If the machine has this function, would it be stated as such when purchasing the laptop? Seriously, who allows such action in the industry? Obviously Absolute Corp. pulls in $$ from the manufacturers, opening themselves up to possible litigation - some people better get on some BIOS updates real fast! Did Cheney have anything to do with this? LOL
The article says a re-flash of bios will NOT remove the root kit.
Flash City, Here We Come!
twaynesdomain 31st Jul 2009
Well, until they get 90% changed out and then discover it's so well protected that flashing won't remove it. Lots of money to be made here by the right people. And a company that should go down the drain.
That's not possible.
wolf_z 3rd Aug 2009
Reflashing a BIOS completely erases it of old information.

I own an HP mini notebook and HP sent me an email containing a link to an "urgent" BIOS update. Wonder if this was why? happy
Danger....
Fark 31st Jul 2009
You sure it was really from DELL? Maybe this is just one way of getting you to the malicious website?
But I haven't done anything about it yet. I'll just make sure all the i's are dotted and t's are crossed before I go looking.
Is there a way to disable it?
MikeZane 31st Jul 2009
Okay, so it's there, how do I turn it off? Is there a way?
A better question...
JustAMuggle 31st Jul 2009
A better question, not addressed in this article, is "Is this a threat if Computrace isn't enabled?" After all, it needs to be turned on and a license key entered before it works.
RE: A better question....
mikesg 31st Jul 2009
?

Computrace doesn't need a license key. If you're referring to the license key for the operating system...NO! This is installed in the BIOS...the operating system has nothing to do with it, so a license key is irrelevant to this.
RE: A Better Quesition
tenrun@... 1st Aug 2009
The BIOS module in question ships disabled: it has to be activated on purchase of the tracking service and installation of the tracking agent. It does not appear to be a threat as long as it remains disabled.
it says right in the article...
JCitizen 3rd Aug 2009
that most bios programs have a turn off in the bios utility, that can't be reversed!

Check your bios manual.
We've all heard of the misplaced and stolen government laptops -- keeps happening every once in a while. Well, we do have enemies in the world...and some are in the far east...where much of our electronics is manufactured. Does anyone not think that this is a BIG national security issue? It is NOT far-fetched to conceive of electronics manufacturers in certain other countries being "made amenable" by other foreign powers to deliberately introducing something like this.
NOT far-fetched
gertruded 31st Jul 2009
No it is not far-fetched, but even likely in some form.

The far eastern countries have a far greater problem in using an American written, hidden source code, operating system, don't they?
Outsourcing = mortgaging the future
JohnOfStony 2nd Aug 2009
I agree with techboy_z about outsourcing electronics being risky, stupid and shortsighted. Even more stupid is outsourcing vital manufacturing industry as has happened in Britain. If we can't supply our own energy needs, can't manufacture steel, we're just ripe for a country which can to walk in and take over. And just because you're paranoid doesn't mean they aren't out to get you!
Lenovo had to give the Chinese Government 25% interest in its business. The Chinese government allows/encourages the military to invest in business to pay for itself. I do not believe that it is far fetched to imagine the Chinese putting a BIOS level bug in every laptop because they understand that this is a competitive world and they want to win. America (as it is now) seems more interested in being loved. Is it any wonder the Chinese are buying our country from under our noses, with the help of our own government? (Not just the current administration, it started with Carter.)
Parallels to this problem
kevinf@... 3rd Aug 2009
Another case of someone trying to solve a security related problem, only to make it potentially worse.

I won't say that all outsourcing is bad, but sometimes you create problems for yourself. When Cisco started using Chinese manufacturers for some of their fab and assembly work, it didn't take long for counterfeits to start appearing in the alternative markets.

One step forward, two steps back....
RE: Who knew?
mikesg 31st Jul 2009
Disturbing indeed. To answer your questions, you don't HAVE to know how to activate it. It is already activated and phones home periodically. I'm speculating but I think that when you purchase the machine, the model or serial is recorded by the store and/or when you register the machine for the first time. If you report it stolen, I'm assuming that the model/serial is entered into a database of stolen laptops at the 'phone home' location and then if the machine ever connects to the web and phones home.... ZAP. From what I'm reading, there is no way to remove it by flashing the bios or any other method. It just sits there, phones home periodically, and waits to be compromised.
RTFI
seamountie 4th Aug 2009
OK, you folks really gotta read the other posts.

According to poster XweAponX, if your laptop has this service available, you will be asked on the first start-up if you want to enable it or not. THIS CHOICE IS IRREVOCABLE.

So, if you didn't get the choice when you started your laptop the first time, you don't have the service. Default is OFF, so if you did not choose to have this service, you don't. And there is no longer any way of altering that.

Chill.

Just say NO at first startup and there is nada to worry about. Just another piece of Crapware the OEMs are foisting on us.
Good morning:

I don't think that the vendors are going to move as fast as we all might like. My answer: block the request from going out the network.

Does anyone know the IP ranges of the different providers? The protocol and port numbers sent to by the BIOS?

With the IP addresses, Protocol, and port numbers we can all establish access-lists to stop the chatty BIOS from going out to the network.

Even if the PC has been compromised, the protocol and port number can be blocked. The following example is just that. I don't have the IP addresses or port ranges that are used by the BIOS root kit.

If we were to get the vendor IP's and ports the following would be a start to protect your equipment.

Cisco ASA example (the [hp ip address] placeholder and port 666 stand in for the unknown vendor address and port):
access-list inside_in remark Stop BIOS Rootkit
! deny the call-home from any inside host to the vendor server on its port
access-list inside_in extended deny tcp any host [hp ip address] eq 666
! also deny that port to any destination, in case the address has been changed
access-list inside_in extended deny tcp any any eq 666
access-list inside_in extended permit ip any any
!
access-group inside_in in interface inside

This is not the final answer but something to slow down the problem today. So could the authors provide the IP addresses, protocol (TCP, UDP, GRE, ICMP, etc.) and port numbers? Then we can start to move from shock to fix it (maybe).

Without some idea of what is going on we can only Lab a notebook, wait for the PC-BIOS to call home, record the data, then apply the correct access-list.

George Morton, Ph. D.
Dual CCIE 18532
Router/Switch and Security
Think about what you're proposing
NetArch. 31st Jul 2009
You propose blocking the legitimate destination addresses. As the article points out, the Windows registry can be manipulated by an attacker (through some other remotely exploitable flaw) and change the destination addresses to whatever they want...
This is not registry based...
wolf_z 3rd Aug 2009
...it is BIOS based. The BIOS is a hardware chip that contains firmware to initialize the hardware to give it a known state for the OS.

All this happens long before the OS starts to load.
It was mentioned in the article that this information was written to normally inaccessible parts of the hard disk. Knowing where it is supposed to call is one thing but knowing where it actually calls is another.

I think an approach to the problem is to find the ip and port on the hard disk and point it to 127.0.0.1 or ::1. You might have to do that often if the malware tries to change it back.

Also not mentioned is an infection that turns the lojack system on without authorization.

It seems, from the article, that it takes Windows cooperation to make the root kit effective.

That being the case, the best answer is to go to Linux online.

Windows crap again, almost every day.
your faulty analytical skills
j_eyon@... 31st Jul 2009
Maybe an analogy might help:

It takes a human body for certain symptom-producing viruses to thrive. Therefore, the human body is crap.

-----------

The reason Linux and the Mac don't have the quantity of malware that Windows has is because they aren't successful and aren't a satisfying target for malware producers. They're not invulnerable to attack. They just aren't worthy of the time and effort.
Quit the fantasyland
Wintel BSOD 31st Jul 2009
The reason Linux and the Mac don't have the quantity of malware that Windows has is because they aren't successful and aren't a satisfying target for malware producers. They're not invulnerable to attack. They just aren't worthy of the time and effort.

The reason they haven't is because they can't. Not yet, anyway.

Even in the hacker world, ego is a big thing and who wouldn't rise to the challenge of being the first to hack Linux.

As far as Apple is concerned, they near the 10% mark now. To buy an expensive system like that, they tend to have money. Millions to be made there. Why hasn't it happened yet there either. doh.
Quit the fantasyland
gertruded 31st Jul 2009
This fantasy has become message one for the Microsoft gorilla marketers.

The FUD continues as a marketing tool.
Oh I know that
Wintel BSOD 31st Jul 2009
Try as they might, the Redmond fanboys and the anti-virus companies (looking for new, fearful customers) still can't come up with any actual Linux exploits beyond theoretical vulnerabilities created in testing labs.

Scare the sheep and they will pay for the same old grass to eat.
Oh I know that
mikesg 1st Aug 2009
If software is patched to eliminate a vulnerability, it is no longer a vulnerability.

You DO KNOW that a vulnerability is not the same thing as an exploit, right?
Yes, a vulnerability is what allows an exploit to take place..

For example:

"Door unlocked" = Vulnerability

"Turning the door knob on the unlocked door, opening the door, and entering where you're not authorized to be" = Exploit(ed).

Lock the door = close the vulnerability
Turning a door knob and finding it locked = foiling that particular exploit.