Rootkit inside your laptop BIOS

Last week I attended an interesting presentation from Absolute Software. They showcased a product called Computrace. This nifty tool can be used to track the whereabouts of laptops as they are deployed by companies to their mobile workforce. They also sell a comparable product for home users. The way this works is that the software on the laptop phones home every hour or so when the computer is connected to the internet. When the laptop goes missing or is stolen, this information can be retrieved from a website hopefully aiding in the safe return of the hardware.

I’ll ignore the legal issues with this solution (privacy/is knowing where your stolen laptop is considered acceptable proof by the police?) and skip to the interesting bit. I can imagine that experienced laptop thieves wipe or swap the hard drive before selling it. Computrace solves this by embedding software in the BIOS. When enabled, at every system boot the BIOS checks if the software is still installed on the hard drive. If not, it drops rpcnetp.exe in C:\windows\system32 and makes sure Windows runs it. This program then downloads and activates the full rpcnet.exe software.They call this feature persistence and according to their website it is embedded in the BIOS of the almost all mainstream Windows laptops available today. At this point in the presentation I looked at the colleague next to me and we both said at the same time: rootkit!

Later some googling showed that we were not alone in this. In 2009 Anibal Sacco and Alfredo Ortega presented their research on this product at Black Hat Vegas (which I attended, but missed this interesting talk) and discovered that a malicious rootkit could leverage Computrace to become very persistent.

Another thing that struck me during the presentation is that if this type of anti-theft software would become widely used, laptop fencers would find a way to disable the Computrace BIOS feature. Absolute Software claims all this is not possible, but they have already been proven wrong.

So be aware of the rootkit that is probably already inside your laptop’s BIOS, just waiting to be activated.

Thanks to Wikipedia for all of the above info. Please donate today.

Leave a Comment