Deactivate the Rootkit (ekoparty edition)

Friday, September 18, 2009
Anibal Sacco, Alfredo Ortega
Ekoparty 2009, Buenos Aires, Argentina

This is a report on our research into anti-theft technologies found in the PC BIOS. In particular, we analyzed the Computrace BIOS agent and documented several design vulnerabilities that allow the agent's reporting address to be controlled by unauthorized users. Additionally, we outline an experimental method for resetting the permanent activation/deactivation capability of the persistent agent in the BIOS to its default factory settings. We confirmed that controlling the anti-theft agent enables a highly dangerous form of BIOS-enhanced rootkit: by reusing many of the features this kind of software already offers, an attacker can bypass all chipset or installation restrictions.

Related information

BIOS rootkits