high_tide1

Detection of Computrace Variants in UEFI and Pre-loaded Software?


Since running a full-system scan yesterday, ESET has complained about detecting multiple Computrace variants within the UEFI and my pre-loaded HP Drive Encryption software, which has been on the computer since I bought it. As my last full-system scan on 9/1 reported no such problems, I'm unsure whether there is a legitimate threat on the system, potentially false positives on ESET's end, or just something that I can ignore altogether. In any case, ESET doesn't offer any options for "removing" such a threat from the UEFI, so if this is a legitimate problem, what should I do?


Eset's recommended mitigation for UEFI malware is to update your motherboard firmware. See this: https://support.eset.com/kb6567/?locale=en_US&viewlocale=en_US

Some motherboards have dual UEFI/BIOS setups which allow you to restore from the backup UEFI/BIOS.

When you did the full scan on 9/1, were you on version 11.2.49 assuming you're running a retail version of Eset? Was the UEFI malware detection made on version 11.2.63? This could be a false positive issue with 11.2.63. It could also mean that UEFI/BIOS detection has improved in 11.2.63.

Finally, Eset's default Smart scanning does scan the OS installation drive BIOS/UEFI by default. This scan runs each time you boot your PC. Unless you disabled this scheduled scan, I find it odd that Smart scanning did not detect your UEFI malware but your full system scan did.

Here is a Blackhat conference presentation on Computrace: https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf . It is definitely not something you want on your PC if this is indeed the case. If Computrace does indeed exist, there is also the possibility that it arrived on your device via a recent manufacturer BIOS/UEFI firmware update. So you want to first check if this is the case.

Edited by itman


You can check on the Computrace developer's (Absolute) web site for all the device manufacturers it partners with: https://www.absolute.com/en/partners/compatibility . It appears to include all the major PC manufacturers.

As such, it appears Eset might have recently created a UEFI detection for it. Whether it has been or could be used by the manufacturer for nefarious purposes is unknown and debatable.

Edited by itman


There is a discussion on Computrace here: https://security.stackexchange.com/questions/53698/detecting-and-removing-absolute-persistance-technology .

It appears the only way to get rid of it is:

Quote

Unless there is a dedicated chip onboard for storing such preinstalled modules, flashing with a clean or modded version of BIOS is enough. Coreboot also can be used. To detect the presence, the best way is to observe the system deeply and carefully, check settings in BIOS, reverse engineer the BIOS etc. – Nikhil_CV Sep 29 '15 at 5:12


Edited by itman


To answer your questions in the order posed:

I do not know what the retail version of ESET was for the 9/1 scan. The log records the detection engine as 17982, but I'm not sure how to translate that into a version number. The latest scan was run with detection engine 18058.

The System Startup File Checks are still enabled, and report their last run time as of earlier today. They haven't reported any issues in the past.

My computer is an HP ProBook 4540s, where the last shipped BIOS update was around July 2017, so I think that rules out a recent update introducing the issue. I've double checked the product specifications, and the laptop ships with Intel AT turned off by default, so I think that may solve the question of how Computrace got there (there by default).


It's probably worth noting that ESET didn't detect the Computrace variants as malware, but as a PUA (Potentially Unsafe Application). With PUA detection disabled, no complaints are given on the UEFI. I haven't confirmed whether the same is true for the complaints on the HP Drive Encryption software and the unknown installer (which I believe is related to the HP software), but I would believe so.

My main concern with this is whether this is a malicious threat or something that I can put off dealing with. I'm a bit ticked that I have to deal with this pre-loaded software that I don't need, but I'd rather avoid reflashing the BIOS since this is my primary computer, and if it were to be put out of service I'd be screwed. I feel like I'm fairly safe from a local network attack targeting Computrace since I'm behind a fair amount of firewalls and have ESET constantly protecting me, but I'm also paranoid about people stealing my passwords and the like. What would be the best solution here?



Just my 2 cents worth here..... I recently got the same Computrace UEFI/BIOS indication 2 days ago (just after upgrading to EIS 11.2.63). My BIOS firmware is the latest from Dell, so I downgraded and then updated to the latest BIOS again, and EIS was still barking at me. I then emailed ESET support, and the bottom line from them was that there was nothing they could do to help me and that I should contact Dell and have them take care of it. I do believe that version 11.2.63 is the culprit, and so far none of the definition updates are helping (yet?). I also went back to an earlier version of EIS 11.1.xx and saw no sign of a problem with the UEFI/BIOS. I think there are others getting the same indications, so you are not alone. Let's hope ESET fixes this soon; in the meantime I have disabled the PUA detection. My startup scans did not find this, just full computer scans.


The detection is correct. The only way to 100% resolve the issue is by upgrading UEFI to a version that doesn't contain Computrace, if available. Other than that, you have 2 options:
1. disable detection of potentially unsafe applications (not recommended, especially on servers and machines that might be a target of RDP attacks)
2. exclude the application from detection by its detection name as per https://support.eset.com/kb6519.

9 hours ago, hsimpson409 said:

My bios firmware is the latest from Dell so I down graded and then updated to the latest bios again

I would contact Dell about the issue. The mitigation could be as simple as deactivating the anti-theft option in the BIOS/UEFI if such an option exists there. Or you could demand a UEFI/BIOS update w/o CompuTrace included.

However, per the Blackhat article link I posted, CompuTrace will install a permanent service on the device named rpcnet that loads a like-named executable. Both have to be eliminated.

Also any reference to rpcnetp.exe in the autochk registry key also has to be eliminated. This process is what creates the above permanent service. This might also require an Eset HIPS rule to prevent the UEFI/BIOS from recreating the entry at boot time. I suspect this occurs if the UEFI detects the registry entry is missing.


Is Computrace itself malicious, or just unsafe software? Also, was the reason for lack of previous detection an upgrade of the detection signatures in the latest version, or did this PUA just manifest recently?


@Marcos, has Eset created a default HIPS rule to detect a possible malicious presence of CompuTrace per the above linked Blackhat article recommendation?

Quote

How to detect Computrace?

Original Absolute Computrace can be detected in the process list. Check one of the names:

1. rpcnetp.exe
2. rpcnet.exe

However, if someone renamed it and used it as a backdoor, it's recommended to scan the HDD with the following YARA rule (download the free yara tool here: http://plusvic.github.io/yara/):

rule ComputraceAgent
{
    meta:
        description = "Absolute Computrace Agent Executable"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04}
        $mz = {4d 5a}
        $b1 = {72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00}
        $b2 = {54 61 67 49 64 00}
    condition:
        ($mz at 0) and ($a or ($b1 and $b2))
}


Edited by itman


ESET started detecting Computrace components back in 2012. With the addition of the UEFI scanner, the detection has been recently extended to UEFI too.

There is no HIPS rule to detect Computrace.


So, is this an active threat to my system and information, or something that I can deal with when I have the ability to?


The application was found in UEFI. According to https://en.wikipedia.org/wiki/LoJack_for_Laptops, it drops its files to system folders after purchasing a license.

I'd like to emphasize that the application is not detected by default. Detection of potentially unsafe applications is disabled after installation. If there's no new update for your UEFI firmware without the application included, you can exclude the application from detection by its detection name so that it's no longer reported during scans.


I found a thread that has a number of CompuTrace/LoJack mitigations: http://www.freakyacres.com/remove_computrace_lojack . Most do not involve BIOS modification. I can't vouch that these still work since the thread dates to 2010. However, the Win software components of CompuTrace/LoJack appear to be unchanged. A rather clever "hack" involved replacing the Win software components with essentially dummy ones:

Quote

Computrace can be stopped: Do the following:

1) START>SETTINGS>CONTROL PANEL> ADMINISTRATIVE TOOLS> SERVICES> find RPC ( Remote Procedure Call ) NET and/or Service. Right click and Properties, set to Automatic and stop the service.

2) C:\WINDOWS\SYSTEM32\ Find these 4 files RPCNET.dll + RPCNETP.DLL + RPCNET.EXE + RPCNETP.EXE ( Do the following to each file )

3) Delete each file. DO NOT REBOOT. Open WORD PAD. Type and "Save As" ( without quotes ). Name the file as the one it will replace above. Do this for all 4 files. Once they are all replaced with the "VOID" (bogus file ) Right click on each file and change the attribute to READ ONLY > APPLY > OK.

To check and make sure it has worked, reboot your machine. Go to Services and check your RPC process and see if it has restarted. If it restarted then you did something wrong with the above files; retry and reboot and recheck. Remember, if you delete one or all the files without stopping the service the files WILL come back automatically. Also you will not be able to delete RPCNET.exe if the service IS started. It must be done in the order above.

I know this works because I've tested it.

I would research the above a bit further to ensure that Absolute found a way to detect that its Win service hasn't started and reinitiated the installation process again.

Note: Deleting/uninstalling CompuTrace/LoJack Win components won't work since it appears the installed firmware checks for their existence at boot time. If they don't exist, the firmware will reinitiate the installation process again automatically. 

Edited by itman
