Anti-theft software could be exploited, Kaspersky reports

Kaspersky Lab’s research has revealed millions of computers running anti-theft software could be at risk of being hijacked by cyber attackers.

Kaspersky Lab’s security research team has published a report that highlights that the weak implementation of anti-theft software marketed by Absolute Software can turn a useful defensive utility into a powerful instrument for cyber attackers. The focus of the research was the Absolute Computrace agent that resides in the firmware, or PC ROM BIOS, of modern laptops and desktops.

The major reason for this research project was the discovery of the Computrace agent running, without prior authorisation, on several private computers belonging to Kaspersky Lab’s researchers and on corporate computers. Kaspersky Lab’s principal security researcher, Vitaly Kamluk, said: “Powerful actors with the ability to tap fiber optics can potentially hijack computers running Absolute Computrace. This software can be used to deploy spyware implants.”

Safeguards limit user oversight

While Computrace is a legitimate product, some owners of the systems claimed that they had never installed or activated the software, or even known of its presence on their machines, according to the report. Kamluk said that millions of computers were running Absolute Computrace software and that a large number of the users might be unaware that the software is activated and running.

“Who had reason to activate Computrace on all those computers? Are they being monitored by an unknown actor?” he said. According to Kamluk, most traditional preinstalled software packages can be permanently removed or disabled by the user; however, Computrace is designed to survive professional system cleanup and even hard disk replacement. The network protocol used by the Computrace small agent provides basic features for remote code execution.

The protocol doesn’t require any encryption or authentication of the remote server, which creates many opportunities for remote attacks in a hostile network environment. Kamluk said Absolute Computrace software must use authentication and encryption mechanisms.
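To make the mitigation Kamluk calls for concrete, here is an added illustration (not code from the Kaspersky report, and not Computrace’s actual protocol, which the article does not describe) of a hypothetical agent command channel in two forms: the weak pattern, in which whatever answers the agent’s call-home is trusted, and an authenticated one, in which each command carries a sequence number and an HMAC-SHA256 tag under a per-device key. The key, command names and frame layout are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical per-device key (not a real Computrace value).
# A symmetric HMAC keeps the example self-contained; the stronger design is a
# pinned server public key with signature verification, so that no secret
# capable of authorising commands ever lives inside the agent itself.
AGENT_KEY = b"constructed-example-key-0001"

TAG_LEN = 32   # HMAC-SHA256 output size in bytes
SEQ_LEN = 8    # unsigned 64-bit big-endian sequence number


def unauthenticated_accept(frame: bytes) -> str:
    """The weak pattern the report describes: the agent trusts whatever host
    answers its call-home, so any machine in the network path can hand it a
    command and it will be acted on."""
    return frame.decode()


def sign_command(key: bytes, seq: int, command: str) -> bytes:
    """Server side: frame = seq || command || HMAC-SHA256(key, seq || command)."""
    body = struct.pack(">Q", seq) + command.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthenticatedAgent:
    """Agent side: act on a command only if its tag verifies under the device
    key and its sequence number is strictly newer than the last accepted one
    (the sequence check stops a captured frame from being replayed)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes) -> str:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("malformed frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so the tag check leaks nothing via timing.
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("bad authentication tag")
        seq = struct.unpack(">Q", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            raise PermissionError("replayed or stale command")
        self.last_seq = seq
        return body[SEQ_LEN:].decode()


def outcome(agent: AuthenticatedAgent, frame: bytes) -> str:
    """Run one frame through the agent and report the result as a short string."""
    try:
        return "executed:" + agent.accept(frame)
    except (PermissionError, ValueError) as exc:
        return "rejected:" + str(exc)


def run_scenarios() -> list:
    """Feed the authenticated agent a genuine frame, a replay of it, a frame
    under the wrong key, a tampered frame, a truncated frame, and a fresh
    genuine frame, returning the outcome of each in order."""
    agent = AuthenticatedAgent(AGENT_KEY)
    good = sign_command(AGENT_KEY, 1, "report-location")
    forged = sign_command(b"attacker-guess", 2, "report-location")
    tampered = bytearray(sign_command(AGENT_KEY, 3, "report-location"))
    tampered[SEQ_LEN] ^= 0x01          # flip one byte of the command text
    return [
        outcome(agent, good),          # genuine, first use
        outcome(agent, good),          # same frame again: replay
        outcome(agent, forged),        # signed under a guessed key
        outcome(agent, bytes(tampered)),
        outcome(agent, b"short"),
        outcome(agent, sign_command(AGENT_KEY, 3, "report-location")),
    ]


if __name__ == "__main__":
    for line in run_scenarios():
        print(line)
    # For contrast, the unauthenticated form acts on anything it is handed.
    print("weak form:", unauthenticated_accept(b"report-location"))
```

The point of the contrast is the one the report makes: without a tag the agent cannot tell its vendor’s server from any host that happens to sit on the path, and without a sequence number even a genuine command captured once could be fed back later.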

“It is the responsibility of the software manufacturer to notify users and explain how the software can be deactivated and disabled,” he said. “Otherwise, these orphaned agents will keep on running unnoticed and provide a possibility for remote exploitation.” Computrace executables are currently white-listed by most anti-malware companies.
