Deactivate the Rootkit (ekoparty edition)

This is a report on our research into anti-theft technologies found into the PC BIOS. In particular, we have analyzed the Computrace BIOS agent and documented some design vulnerabilities that allow the agents reporting address to be controlled by unauthorized users. Additionally, we outline an experimental method for re-setting the permanent activation/deactivation capability of the persistent agent in the BIOS to the default factory settings. We confirmed that controlling the antitheft agent allows a highly dangerous form of BIOS-enhanced rootkit that allows an attacker to bypass all chipset or installation restrictions reusing many existing features offered in this kind of software.


View Slides