The focus of the Kaspersky research was the Absolute Computrace agent that resides in the firmware, the PC ROM Basic Input/Output System (BIOS), of modern laptops and desktops. It is a key part of what lets products such as Absolute's LoJack trace endpoints in case of loss or theft. But the firm decided to look into it after the Computrace agent was found running, without prior authorization, on several of Kaspersky Lab's corporate computers and on researchers' private computers.
While Computrace is a legitimate product developed by Absolute Software, signs point to a bad actor potentially using it to infiltrate a wide range of systems. Some owners of the systems examined by Kaspersky claimed that they had never installed, activated or even known about this software on their machines.
The software has traits that would be attractive to hackers, Kaspersky said. For instance, while most traditional pre-installed software packages can be permanently removed or disabled by the user, Computrace is designed to survive professional system cleanup and even hard disk replacement. It also has a bag of tricks that are popular in modern malware – for example, anti-debugging and anti-reverse-engineering techniques, injection into the memory of other processes, establishment of covert communications, patching of system files on disk, encrypted configuration files and dropping a Windows executable directly from the BIOS/firmware.
“Powerful actors with the ability to tap fiber optics can potentially hijack computers running Absolute Computrace. This software can be used to deploy spyware implants,” warned Vitaly Kamluk, principal security researcher for global research and analysis at Kaspersky Lab. “Our estimate is that millions of computers are running Absolute Computrace software and a large number of the users might be unaware that this software is activated and running. Who had a reason to activate Computrace on all those computers? Are they being monitored by an unknown actor? That is a mystery which needs to be solved.”
According to Kaspersky's Security Network, approximately 150,000 users have the Computrace agent running on their machines. But the estimated total number of users with an activated Computrace agent may exceed 2 million (mostly located in the US and Russia), and it is unclear how many of those users know that Computrace is running on their systems.
There is no hard evidence that Absolute Computrace is being used as a platform for attacks. But Kaspersky pointed out that the network protocol used by the Computrace Small Agent provides basic remote code execution features.
“The protocol doesn't require using any encryption or authentication of the remote server, which creates many opportunities for remote attacks in the hostile network environment,” it said.
As far back as 2009, researchers from Core Security Technologies presented their findings on Absolute Computrace, warning of how an attacker could modify the system registry to hijack the callbacks from the program. At the time, Absolute Software downplayed the issue with a statement:
Our BIOS module allows no special undetected path into the operating system. Uncontrolled access to a computer system may allow some BIOS images to be tampered with by an expert. Attempting to alter the Computrace BIOS module for malicious purposes will not defeat conventional detection as claimed by the authors. Any alteration to the BIOS module will cause any popular antivirus software to alert the customer.
More importantly, if the BIOS of a computer has been compromised by an attacker, that machine is exposed to innumerable other vulnerabilities far beyond the scope of the Computrace BIOS module. The presence of the Computrace module in the BIOS in no way weakens the security of the BIOS.
But Kaspersky is still calling the company to action. “A powerful tool such as Absolute Computrace software must use authentication and encryption mechanisms to continue serving the greater good. It's clear that if there are a lot of computers with Computrace agents running, it is the responsibility of the manufacturer (in this case Absolute Software) to notify users and explain how the software can be deactivated and disabled,” said Kamluk. “Otherwise, these orphaned agents will keep on running unnoticed and provide a possibility for remote exploitation.”
Infosecurity reached out to Absolute, which provided the following statement from Stephen Midgley, vice president of global marketing: "All major anti-malware software vendors recognize the Absolute client implementation as safe, legitimate technology that improves the security of the endpoint. Hence our status as a white-listed vendor. Absolute Computrace has been reviewed and implemented by numerous organizations globally."
He pointed out that Absolute has more than 30,000 active customers representing all industries, including corporate, healthcare, government and education – from Fortune 500 companies to individuals. "Computrace has been successfully deployed and actively protecting millions of devices, without compromise, for 20 years," he said.
He added, "We are currently reviewing the report and will provide a more detailed response once our review is completed."