Connect with us

Hi, what are you looking for?



Pre-installed Computrace Software Could be Used to Hijack Computers: Kaspersky Lab

Security researchers at Kaspersky Lab claim in a new report that the Computrace agent residing in the firmware of many popular laptop and desktop computers can be used as a springboard for attackers.

Security researchers at Kaspersky Lab claim in a new report that the Computrace agent residing in the firmware of many popular laptop and desktop computers can be used as a springboard for attackers.

Made by Absolute Software, Computrace is marketed as a product that can help organizations track and secure their endpoints. The Computrace agent resides in the firmware of devices, making it difficult to remove.

According to Kaspersky Lab, Computrace uses many tricks popular among malicious software. For example, it uses anti-debugging and anti-reverse engineering techniques, injects memory into other processes and keeps configuration files encrypted. The network protocol used by the Computrace Small Agent provides basic features for remote code execution. The protocol does not require the use of any encryption or authentication of the remote server, opening up avenues of attack.

“Although encryption seems to be added to the protocol at some later stages of communication, an attacker may utilize the basic unencrypted protocol to successfully hijack the system remotely,” according to the Kaspersky Lab report. “A typical attack on a local area network would be to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Another possibility is to use a DNS service attack to trick the agent into connecting to a fake C&C server. We believe there are more ways to accomplish such attacks, though this is beyond the scope of the current research.”

“Powerful actors with the ability to tap fiber optics can potentially hijack computers running Absolute Computrace,” said Vitaly Kamluk, principal security researcher for the Global Research and Analysis Team at Kaspersky Lab, in a statement. “This software can be used to deploy spyware implants. Our estimate is that millions of computers are running Absolute Computrace software and a large number of the users might be unaware that this software is activated and running. Who had a reason to activate Computrace on all those computers? Are they being monitored by an unknown actor? That is a mystery which needs to be solved.”

Kaspersky Lab says it has no proof that Absolute Computrace is being used as a platform for attacks. However, this is not the first time security concerns have been raised about the product. In 2009, researchers from Core Security Technologies warned that an attacker could potentially modify the system registry to hijack the callbacks from Computrace. At the time, Absolute Software denied it was an issue.

In response to the Kaspersky Lab report, Absolute Software Vice President of Global Marketing Stephen Midgley said the company is reviewing the report and will offer a detailed response in the future.

“All major anti-malware software vendors recognize the Absolute client implementation as safe, legitimate technology that improves the security of the endpoint – hence our status as a white-listed vendor,” he said.

Advertisement. Scroll to continue reading.

Kamluk called for Computrace to use authentication and encryption in order to better secure the product.

“It’s clear that if there are a lot of computers with Computrace agents running, it is the responsibility of the manufacturer to notify users and explain how the software can be deactivated and disabled,” he said. “Otherwise, these orphaned agents will keep on running unnoticed and provide a possibility for remote exploitation.”

Midgley noted that the software has been reviewed and implemented by numerous organizations around the world.

“Absolute currently has over 30,000 active customers representing all industries including corporate, healthcare, government, and education – from Fortune 500 to individuals,” he said. “Computrace has been successfully deployed and actively protecting millions of devices, without compromise, for 20 years.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.