Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/13/2014
01:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

The Mysterious Appearance Of An Anti-Theft Application

Kaspersky Lab researchers discover on their machines Absolute Software Computrace anti-theft application -- but they had not installed it

KASPERSKY SECURITY ANALYST SUMMIT -- Punta Cana, Dominican Republic -- It started with a Kaspersky Lab researcher noticing unusually slow performance on his home laptop. Vitaly Kamluk, principal security researcher for the firm, did some digging and discovered a commercial software utility on the machine that he had not installed.

Turns out the utility was Absolute Software's Computrace, a legitimate security agent that runs in firmware or the ROM BIOS of desktop and laptop machines for anti-theft purposes and tracking and securing them. But Kamluk, as well as other Kaspersky colleagues who then found the utility running on their personal and corporate machines, had not installed the software, which was running host processes and Internet Explorer on their machines. Kamluk here this week said that somehow the Computrace tool appears to have been hijacked by bad actors using it to monitor victim machines, raising concerns of cyberspying.

Kaspersky researchers estimate that millions of computers worldwide run Computrace, and many of those users may not know it's on their machines. "Usually, we talk about threats to our customers. This is a threat that affected us personally," Kamluk says. "Who had a reason to activate Computrace on all those computers? Are they being monitored by an unknown actor? That is a mystery which needs to be solved."

Kaspersky's findings relate to prior research conducted by Core Security in 2009, where the Core team pinpointed security weaknesses in Computrace and presented those findings at Black Hat 2009. Anibal Sacco, co-founder and researcher at Cubica Labs, who was part of the Core team who conducted the research, describes the Computrace issue as a "latent rootkit."

"In a legitimate installation [of Computrace], a Windows agent is installed and there is no authentication of any kind. There is a big problem with this," Sacco says. He says the software also communicates to the host server via an unencrypted channel and stores information there unencrypted. It flies under the radar because it appears legitimate. So even if you didn't install it, you wouldn't necessarily know it was there. "Every time the machine boots up ... all companies see it as a legitimate product," he says.

Absolute Software yesterday shot down the Kaspersky research as "flawed" and says Computrace uses encryption and authentication to the server, which would prevent the potential attacks that the researchers cite.

"Absolute Software considers Kaspersky's analysis flawed and rejects its conclusions. We've reviewed the report that was published earlier today, and we are unable to determine how Kaspersky was able to reach the conclusions they provide," says Phil Gardner, CTO of Absolute Software. "Most importantly, we want to reassure our customers and partners that the speculation contained within the report has questionable technical merit."

Absolute says any attack would occur only if the endpoint had been compromised. "This must happen before Computrace can be used maliciously. The obstacles to mounting such an attack are considerable and are not achievable via the mechanism outlined in the Kaspersky report," Absolute said in an FAQ.

As for Computrace being installed without the users' knowledge, Absolute says that may be due to "defective implementations ... and/or poor IT practices."

Gardner says the agent won't communicate with a server unless it's authorized, and "will only communicate with mutual authentication of the server and the client."

"Kaspersky has misinterpreted this rebuilding process that -- by design -- will fully resecure the system if the security desired by the legitimate user is disabled or tampered with by a user with access and privilege," he says.

Kaspersky's Kamluk said Computrace could be used to install spyware on the endpoints, noting that millions of users run Computrace, many of which may not know they do. "There is a big mystery in this scene ... why someone installed this on the machines of our colleagues," he says. "And evidence of online messages on the Internet of users claiming they found them [Computrace] on their machines and they had never purchased Absolute."

Kamluk demonstrated a proof-of-concept here showing how an attacker could wage a man-in-the-middle attack against a machine running Computrace. "They would pretend" to be an Absolute server and able to read and change memory in the victim's machine, he says. "Anyone with the power to control your Internet connection could do the same -- a government or an ISP, for example," he says.

The researchers say there is no evidence that the software is being used for attacks, but they believe it could be used by attackers.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
larsamund
50%
50%
larsamund,
User Rank: Apprentice
2/13/2014 | 11:17:11 PM
re: The Mysterious Appearance Of An Anti-Theft Application
How is it possible that any malware researcher or research firm, is not able to find out how a piece of software got installed onto their computers? Is it the plumber with bad plumping?
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17513
PUBLISHED: 2019-10-18
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .