Deactivate the Rootkit

Thursday, July 30, 2009
Anibal Sacco and Alfredo Ortega
Black Hat USA 2009

This is a report on our research into anti-theft technologies utilized in the PC BIOS. In particular, we have analyzed the Computrace BIOS agent and documented some design vulnerabilities that allow the agent's reporting address to be controlled.

Additionally, we outline an experimental method for resetting the permanent activation/deactivation state of the persistent BIOS agent to its factory default, and we show that the software mechanisms meant to protect the embedded agent from tampering and re-flashing are insufficient against malicious attacks unless manufacturers enforce digitally signed BIOS updates, which, as of 2009, most computers deployed worldwide do not.

As a result, the anti-theft agent enables a highly persistent and stealthy rootkit that can reuse many features already present in the BIOS firmware and that survives operating system reinstallation as well as hard disk wiping or replacement.

Several tools are provided to identify and mitigate the risk posed by this BIOS agent.

To determine whether the agent is embedded in a computer's BIOS, we provide a small Python program that dumps the BIOS firmware to disk and searches the Option ROM code for the Computrace agent. The program runs on Linux and requires three utilities (flashrom, upx and dmidecode) to be installed on the system.
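The scan step described above, as an added example that is not the authors' tool and not code from the paper: it walks a raw BIOS image for PCI Option ROM headers (the 55 AA signature and the PCIR data structure, whose layout is defined by the PCI firmware specification), then looks inside each ROM body for agent markers. The marker strings, the placeholder vendor/device IDs and the sample image are assumptions constructed for this example; a real image must be obtained with flashrom as the page describes.

```python
"""Locate PCI Option ROMs in a raw BIOS image and flag ones that look like the Computrace agent.

Added example, not the paper's own tool. Marker strings and sample data are assumptions.
"""
import struct
import subprocess

OPTION_ROM_SIG = b"\x55\xAA"   # legacy Option ROM header signature
PCIR_SIG = b"PCIR"             # PCI data structure signature
UPX_SIG = b"UPX!"              # UPX packer marker; a packed body must be unpacked before string search
# Assumed identifiers of the agent's ROM; not taken from the paper.
MARKERS = (b"computrace", b"absolute software")


def dump_bios(path):
    """Dump the system flash with flashrom (requires root and a supported chipset). Not run offline."""
    subprocess.run(["flashrom", "-p", "internal", "-r", path], check=True)


def find_option_roms(image):
    """Return one dict per Option ROM found, walking the image in 512-byte steps.

    Each dict carries offset, size, vendor, device, code_type, last flag and the raw bytes.
    """
    roms = []
    off, n = 0, len(image)
    while off + 0x1A <= n:
        if image[off:off + 2] == OPTION_ROM_SIG:
            pcir = off + struct.unpack_from("<H", image, off + 0x18)[0]
            if pcir + 0x18 <= n and image[pcir:pcir + 4] == PCIR_SIG:
                vendor, device = struct.unpack_from("<HH", image, pcir + 4)
                size = struct.unpack_from("<H", image, pcir + 0x10)[0] * 512 or 512
                roms.append({
                    "offset": off,
                    "size": size,
                    "vendor": vendor,
                    "device": device,
                    "code_type": image[pcir + 0x14],
                    "last": bool(image[pcir + 0x15] & 0x80),
                    "data": image[off:off + size],
                })
                off += size          # skip to the next image boundary
                continue
        off += 512
    return roms


def scan_for_agent(image):
    """Report ROMs whose body contains a marker, plus ROMs that are UPX-packed and need unpacking."""
    findings = []
    for rom in find_option_roms(image):
        body = rom["data"].lower()
        hits = [m.decode() for m in MARKERS if m in body]
        packed = UPX_SIG in rom["data"]
        if hits or packed:
            findings.append({
                "offset": rom["offset"], "size": rom["size"],
                "vendor": rom["vendor"], "device": rom["device"],
                "markers": hits, "upx_packed": packed,
            })
    return findings


def make_option_rom(payload, vendor=0xABCD, device=0x0001, code_type=0x00, last=True):
    """Build a minimal, spec-shaped Option ROM around a payload (constructed test data, not a real ROM)."""
    header = bytearray(0x20)
    header[0:2] = OPTION_ROM_SIG
    pcir_off = 0x20
    struct.pack_into("<H", header, 0x18, pcir_off)       # pointer to the PCIR structure
    pcir = bytearray(0x18)
    pcir[0:4] = PCIR_SIG
    struct.pack_into("<HH", pcir, 4, vendor, device)
    struct.pack_into("<H", pcir, 0x0A, 0x18)             # PCIR structure length
    pcir[0x14] = code_type
    pcir[0x15] = 0x80 if last else 0x00
    body = bytearray(bytes(header) + bytes(pcir) + payload)
    blocks = -(-len(body) // 512)
    body += b"\xFF" * (blocks * 512 - len(body))
    body[2] = blocks                                      # header size field, 512-byte units
    struct.pack_into("<H", body, pcir_off + 0x10, blocks) # PCIR image length, 512-byte units
    return bytes(body)


def build_sample_image():
    """Constructed image: padding, a benign ROM, a gap, then a ROM carrying an assumed agent marker."""
    benign = make_option_rom(b"PLACEHOLDER VIDEO ROM" + b"\x00" * 64)
    agent = make_option_rom(b"\x00" * 16 + b"CompuTrace persistence module" + b"\x00" * 16, vendor=0xBEEF)
    return b"\xFF" * 1024 + benign + b"\xFF" * 512 + agent + b"\xFF" * 1024


if __name__ == "__main__":
    for f in scan_for_agent(build_sample_image()):
        print("ROM at 0x%X (%d bytes, vendor %04X:%04X): markers=%s upx=%s"
              % (f["offset"], f["size"], f["vendor"], f["device"], f["markers"], f["upx_packed"]))
```

On a real machine the image comes from `dump_bios("bios.bin")` (flashrom needs root and a supported board), and a finding with `upx_packed` set means the body should be unpacked with upx before the string check is trusted. A clean result is not proof of absence: legacy BIOS vendors often store Option ROMs compressed inside their own module containers, where neither the 55 AA header nor any string is visible in the raw dump.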

Another Python program can be used to redirect the agent's outbound HTTP connection to a monitoring web server.

More details are given in the actual paper.

Related information

BIOS rootkits

Deactivate the Rootkit (ekoparty edition)