Title
Deactivate the Rootkit
Authors
Anibal Sacco and Alfredo Ortega
In
Black Hat Briefings 2009 USA. Las Vegas, NV. July 30
Date published
2009-07-30
Keywords
rootkit BIOS malware computrace

Abstract

This is a report on our research into anti-theft technologies built into the PC BIOS. In particular, we analyzed the Computrace BIOS agent and documented design vulnerabilities that allow the address the agent reports to to be controlled.

Additionally, we outline an experimental method for resetting the permanent activation/deactivation state of the persistent agent in the BIOS to its factory default, and we show that the software mechanisms protecting the BIOS-embedded agent from tampering and re-flashing are insufficient against malicious attacks whenever the manufacturer does not enforce digitally signed BIOS updates, which was the case for computers deployed globally as of 2009.

As a result, the anti-theft agent enables a highly persistent and stealthy form of rootkit that can reuse many features already present in the BIOS firmware, and that survives operating system reinstallation as well as hard disk wiping or replacement.

Several tools are provided to identify and mitigate the risk posed by this BIOS firmware.

To determine whether the agent is embedded in a computer's BIOS, we provide a small Python program that dumps the BIOS firmware to disk and searches the Option ROM code for the Computrace agent. The program runs on Linux and requires three utilities (flashrom, upx, dmidecode) to be installed on the system.
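As an added illustration of the Option ROM search step (this is not the page's dumpComputrace.py, and it does not replicate that tool's use of flashrom, upx or dmidecode), the following Python walks a raw BIOS dump for legacy Option ROM headers and searches each validated ROM for a marker string. A legacy Option ROM starts with the 0x55 0xAA signature, carries its length in 512-byte units at offset 2, and must sum to zero modulo 256 over that length; the checksum is what separates real ROMs from stray 0x55AA byte pairs. The marker `b"Computrace"`, the helper names, and the embedded sample image are assumptions constructed for this example; the signature the real tool matches on is in the attached script.

```python
"""Locate legacy (0x55AA) Option ROMs in a BIOS dump and search them for a marker.

Added example, not the original dumpComputrace.py. Reads an existing dump
(for instance one produced by `flashrom -p internal -r bios.bin`) instead of
invoking flashrom itself.
"""
import sys

ROM_SIG = b"\x55\xAA"

# Assumption: the byte pattern identifying the agent. The real tool's signature lives in
# the attached dumpComputrace.py; this one is chosen only for the constructed sample below.
SAMPLE_MARKER = b"Computrace"


def rom_checksum_ok(rom: bytes) -> bool:
    """A legacy Option ROM must sum to 0 modulo 256 over its declared length."""
    return sum(rom) % 256 == 0


def find_option_roms(image: bytes):
    """Return (offset, length) for every plausible legacy Option ROM in image.

    Plausible means: 0x55AA signature, non-zero length byte (512-byte units),
    declared length fits inside the image, and the 8-bit checksum is zero.
    A validated ROM is skipped whole so 0x55AA pairs inside its body are not re-matched.
    """
    roms = []
    off, n = 0, len(image)
    while off + 3 <= n:
        if image[off:off + 2] == ROM_SIG and image[off + 2] != 0:
            length = image[off + 2] * 512
            if off + length <= n and rom_checksum_ok(image[off:off + length]):
                roms.append((off, length))
                off += length
                continue
        off += 1
    return roms


def search_roms(image: bytes, marker: bytes):
    """Return (rom_offset, marker_offset_within_rom) for each ROM that contains marker."""
    hits = []
    for off, length in find_option_roms(image):
        idx = image.find(marker, off, off + length)
        if idx != -1:
            hits.append((off, idx - off))
    return hits


def make_option_rom(payload: bytes) -> bytes:
    """Build a minimal, checksum-correct legacy Option ROM around payload (test helper).

    Header: signature, length byte (patched below), a self-jump (EB FE) as the entry point.
    """
    body = ROM_SIG + b"\x00" + b"\xeb\xfe" + payload
    blocks = (len(body) + 1 + 511) // 512      # +1 keeps one byte free for the checksum
    rom = bytearray(body.ljust(blocks * 512, b"\x00"))
    rom[2] = blocks
    rom[-1] = (-sum(rom[:-1])) % 256            # make the whole ROM sum to zero
    return bytes(rom)


def _decoy_rom() -> bytes:
    """A ROM with a valid header but a corrupted checksum; must be rejected."""
    bad = bytearray(make_option_rom(b"decoy"))
    bad[-1] ^= 0x01
    return bytes(bad)


# Constructed sample image (not a real BIOS dump): filler, a benign ROM, zero padding,
# a bad-checksum decoy, the ROM carrying the marker, trailing filler.
SAMPLE_IMAGE = (
    b"\xff" * 1024
    + make_option_rom(b"VGA BIOS\x00")
    + b"\x00" * 300
    + _decoy_rom()
    + make_option_rom(b"agent:" + SAMPLE_MARKER + b"\x00")
    + b"\xff" * 256
)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else SAMPLE_IMAGE
    for rom_off, in_rom in search_roms(image, SAMPLE_MARKER):
        print(f"marker found in Option ROM at 0x{rom_off:x} (+0x{in_rom:x})")
    print(f"{len(find_option_roms(image))} Option ROM(s) validated")
```

Run it with no argument to scan the built-in sample, or pass a dump produced by `flashrom -p internal -r bios.bin`. Two caveats a practitioner will hit: on UEFI-era firmware the modules sit inside compressed firmware volumes, so a raw 0x55AA walk over the flash image will not see them until the volumes are unpacked; and the page's own tool additionally relies on upx, so an agent body that is packed will not match a plaintext marker without that decompression step.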

A second Python program can be used to redirect the agent's outbound HTTP connection to a monitoring web server.

More details are given in the actual paper.

Attachments

Computrace_Redirector.py - Python program to modify the obfuscated Windows registry key that stores the hostname the Computrace agent reports to
Paper-Deactivate-the-Rootkit-AOrtega-ASacco.pdf - Whitepaper describing the findings and potential risk mitigation actions
Slides-Deactivate-the-Rootkit-ASacco-AOrtega.pdf - Slides of the BlackHat Briefings 2009 talk
Stream-Computrace-nm2.pcap - A packet capture showing the Computrace agent's plaintext HTTP outbound connection to search.namequery.com
dumpComputrace.py - Python program to dump the BIOS firmware and search for a Computrace Option ROM