Pre-installed Computrace Software Could be Used to Hijack Computers: Kaspersky Lab

Security researchers at Kaspersky Lab claim in a new report that the Computrace agent residing in the firmware of many popular laptop and desktop computers can be used as a springboard for attackers.

Made by Absolute Software, Computrace is marketed as a product that can help organizations track and secure their endpoints. The Computrace agent resides in the firmware of devices, making it difficult to remove.

According to Kaspersky Lab, Computrace uses many tricks popular among malicious software. For example, it uses anti-debugging and anti-reverse engineering techniques, injects memory into other processes and keeps configuration files encrypted. The network protocol used by the Computrace Small Agent provides basic features for remote code execution. The protocol does not require the use of any encryption or authentication of the remote server, opening up avenues of attack.

“Although encryption seems to be added to the protocol at some later stages of communication, an attacker may utilize the basic unencrypted protocol to successfully hijack the system remotely,” according to the Kaspersky Lab report. “A typical attack on a local area network would be to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Another possibility is to use a DNS service attack to trick the agent into connecting to a fake C&C server. We believe there are more ways to accomplish such attacks, though this is beyond the scope of the current research.”

Kaspersky Lab says it has no proof that Absolute Computrace is being used as a platform for attacks. However, this is not the first time security concerns have been raised about the product. In 2009, researchers from Core Security Technologies warned that an attacker could potentially modify the system registry to hijack the callbacks from Computrace. At the time, Absolute Software denied it was an issue.

In response to the Kaspersky Lab report, Absolute Software Vice President of Global Marketing Stephen Midgley said the company is reviewing the report and will offer a detailed response in the future.

“All major anti-malware software vendors recognize the Absolute client implementation as safe, legitimate technology that improves the security of the endpoint – hence our status as a white-listed vendor,” he said.

Kamluk called for Computrace to use authentication and encryption in order to better secure the product.

“It’s clear that if there are a lot of computers with Computrace agents running, it is the responsibility of the manufacturer to notify users and explain how the software can be deactivated and disabled,” he said. “Otherwise, these orphaned agents will keep on running unnoticed and provide a possibility for remote exploitation.”

Midgley noted that the software has been reviewed and implemented by numerous organizations around the world.

“Absolute currently has over 30,000 active customers representing all industries including corporate, healthcare, government, and education – from Fortune 500 to individuals,” he said. “Computrace has been successfully deployed and actively protecting millions of devices, without compromise, for 20 years.”