Monday, June 11, 2012

Legal backdoor? "Excusable" reverse Shell code?


I first noticed traffic on my own network beaconing out what looked like garbage on port 80, heading to the Internet address 209.53.113.223. I took a closer look at one of the packet traces.
So what appears as normal web traffic is really just garbage over port 80 and not HTML at all, probably taking advantage of the fact that most organizations allow outbound TCP 80 by default.
My first thought was that an IPS/IDS would probably detect or block this, since it's malformed HTML... but would it?


The packet:
Packet 1
2012-Jun-09 18:21:19.582328 [479180969654]
00000000 : 00 00 0C 9F F0 E6 00 19 E8 2B DA 21 08 00 45 38   [.........+.!..E8]
00000010 : 00 28 63 72 00 00 FF 06 85 B9 D1 35 71 DF 0A 05   [.(cr.......5q...]
00000020 : 85 52 00 50 0C 67 C2 27 4D 8E 3D C7 0D 58 50 11   [.R.P.g.'M.=..XP.]
00000030 : 20 00 55 DB 00 00 00 00 00 00 00 00               [ .U.........]
Packet 2
2012-Jun-09 18:21:19.582333 [479180969656]
0000003c : 00 00 0C 9F F0 E6 00 19 E8 2B DA 21 08 00 45 38   [.........+.!..E8]
0000004c : 00 28 63 72 00 00 FF 06 85 B9 D1 35 71 DF 0A 05   [.(cr.......5q...]
0000005c : 85 52 00 50 0C 67 C2 27 4D 8E 3D C7 0D 58 50 11   [.R.P.g.'M.=..XP.]
0000006c : 20 00 55 DB 00 00 00 00 00 00 00 00               [ .U.........]
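Before reading a dump like this as "malformed HTML", it is worth decoding the headers. What follows is an added example written for this page, not code from the original post: a small Ethernet/IPv4/TCP header decoder fed the bytes of packet 1 transcribed from the trace above (packet 2 in the trace is byte-for-byte identical).

```python
import struct

# Bytes of packet 1 from the trace above, transcribed from its hex dump.
TRACE_HEX = (
    "00 00 0C 9F F0 E6 00 19 E8 2B DA 21 08 00 45 38"
    " 00 28 63 72 00 00 FF 06 85 B9 D1 35 71 DF 0A 05"
    " 85 52 00 50 0C 67 C2 27 4D 8E 3D C7 0D 58 50 11"
    " 20 00 55 DB 00 00 00 00 00 00 00 00"
)

# TCP flag bits, low to high.
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def hexdump_to_bytes(text: str) -> bytes:
    """Turn the space-separated hex of a trace line into raw bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def decode_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / TCP frame into its header fields.

    Raises ValueError for anything that is not IPv4-over-Ethernet carrying
    TCP, so the caller never silently mis-reads other traffic.
    """
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    # Only total_len bytes belong to the IP packet; anything after that is
    # padding the NIC added to reach the 60-byte Ethernet minimum frame.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4         # TCP header length in bytes
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl,
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack, "window": window, "flags": flags,
        "payload_len": len(tcp) - data_off,
        "padding_len": len(frame) - 14 - total_len,
    }


def summarize(frame: bytes) -> str:
    """One-line, tcpdump-style description of the frame."""
    f = decode_frame(frame)
    return (f"{f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} "
            f"[{','.join(f['flags'])}] ttl={f['ttl']} win={f['window']} "
            f"payload={f['payload_len']}B padding={f['padding_len']}B")


if __name__ == "__main__":
    print(summarize(hexdump_to_bytes(TRACE_HEX)))
```

Decoded, the frame is 209.53.113.223:80 -> 10.5.133.82:3175 with FIN and ACK set, zero bytes of TCP payload, and six bytes of Ethernet padding after the end of the IP packet; the trailing zeros are frame padding, not data. A lone FIN/ACK from the server side says nothing about what the session carried, so to judge the traffic you want the whole TCP stream, in particular the first segments the client sent.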


So I decided to dive deeper into the source.
I fired up my research handbook, aka "Google", and started digging for clues.
First I looked up the address the traffic was beaconing to: Absolute Software, aka Computrace.
It's a LoJack service that is effectively forced on you when you purchase hardware that ships with the Computrace-enabled BIOS.
 
Computrace LoJack for Laptops Premium Edition - Mac, PC


Let's take a look at the mass of OEMs that build machines with these BIOSes. I bet you can find this kind of hardware on just about any network.

http://www.absolute.com/company/bios-compatibility






So this "code" is built into all these BIOSes??

Computrace LoJack. Reuniting You with More Than a Laptop

According to Dell:

"The tamper-resistant software enables the only service of its kind. Your laptop will check in daily with the Absolute Monitoring Center. If you report your laptop stolen, our elite Recovery Team can track and locate your laptop. Other services may be able to give you a rough estimate of your laptop's location, but LoJack for Laptops is the only service with a recovery team that works with your local law enforcement to get your laptop back for you. This gives you the best chance of getting your laptop back and for keeping you safe."

But how does this service get installed and controlled?

What if in 2005 you read an article about Computrace and this "LoJack" service and put an "IGNORE" policy in your ACLs? Or what if you never heard of it, but your firewall/IPS vendor did it "FOR" you? Are you even watching this service anymore? What IP address is this service talking to now?
I bet if most of you check, you'll find these files on the hard drives of devices on your network:

rpcnet.exe
rpcnetp.exe
rpcnet.dll
rpcnetp.dll

I'm also willing to bet that if your company is doing whitelisting, you have those on the "permit" list :)
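Whether or not a vendor "ignored" this service for you, the connection log is what answers "is anyone still watching?". The script below is an added example for this page, not code from the post, from Absolute, or from any firewall vendor. It runs over a few constructed log lines in a made-up "timestamp src dst dport action" format, flags any flow to the address seen in the trace, and, independently of any address list, flags flows whose connections recur at a near-constant interval, which is what a daily check-in looks like in a log.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The only call-home address this page shows; anything else is an assumption.
KNOWN_CALLHOME = {"209.53.113.223"}

# Constructed sample lines (not real logs from the post's network) in a
# made-up "timestamp src dst dport action" format. 203.0.113.10 is a
# documentation address standing in for an ordinary web server.
SAMPLE_LOG = """\
2012-06-09T18:21:19 10.5.133.82 209.53.113.223 80 allow
2012-06-10T18:21:40 10.5.133.82 209.53.113.223 80 allow
2012-06-11T18:21:05 10.5.133.82 209.53.113.223 80 allow
2012-06-12T18:22:01 10.5.133.82 209.53.113.223 80 allow
2012-06-09T09:12:33 10.5.133.90 203.0.113.10 80 allow
2012-06-09T11:47:10 10.5.133.90 203.0.113.10 80 allow
2012-06-11T16:03:58 10.5.133.90 203.0.113.10 80 allow
"""


def parse_line(line: str) -> tuple:
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_beacons(log_text: str, min_hits: int = 3, max_cv: float = 0.05) -> list:
    """Return flows that reach a known call-home address or recur on a
    regular schedule.

    Regularity is measured as the coefficient of variation (stddev / mean)
    of the gaps between successive connections; a daily check-in that
    drifts by a minute or so has a CV far below max_cv, while ordinary
    browsing to the same server does not.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in flows.items():
        times.sort()
        reasons = []
        if dst in KNOWN_CALLHOME:
            reasons.append("known-callhome-address")
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg else 0.0
            if cv <= max_cv:
                reasons.append(f"periodic~{avg / 3600:.1f}h")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "hits": len(times), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed lines only 10.5.133.82 is reported, for both reasons (the known address and a period of about 24 hours). The interval check is the part worth keeping: an address list goes stale the moment the service moves, which is exactly the question the post raises, while a host that phones the same place at the same time every day stands out regardless of where that place is.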


Back to Google....

I found an unhappy poster named overbet reporting problems similar to what I was seeing in my packet traces.

Article:
http://www.tomshardware.com/forum/241587-49-computrace-absolute-software

overbet, 03-14-2011 at 03:45:50 AM:
"Does anyone know how I can get this big brother spyware crap off my Dell Studio XPS 1340 laptop? I have the receipt and bought it on Dell credit so I can prove to Dell and Absolute it's mine, but they are both unresponsive to emails and I would rather have an unmedicated root canal than call. I tried ending the process every time I reboot but it regenerates itself. I can't disable it in the BIOS; it shows it but doesn't allow the option. I hate Dell."
"I have sent more than 5 emails to Dell and Computrace and they just ignore them. I have called them both too and been bounced around and put on hold for 20 minutes before giving up out of frustration."


He then emailed the company requesting that the software be removed.

Subject: second removal request

Please do not continue to fail to respond to my email request. If I do not get a response to this request I will cc the top executives at your company as well as any other person or organization I deem fit from laptop suppliers to privacy rights organizations that you may not want attention from. I will also post regularly on every laptop review forum about the big brother nature of the lojack programs and inform everyone who cares to read what they are trading in exchange for this laptop theft recovery software that is on their computer no matter what but only functions to their benefit if they pay for it. You see I am certain this will alter the buying habits of many if they are aware that #1. it is possible their activity could be monitored and recorded constantly and #2. The factory is putting software on their computers that is the definition of spyware that they have to pay additional money to benefit from and it can not be removed by them like the other bundled software manufacturers put on machines (more commonly referred to as bloatware that people deliberately try to avoid). As a courtesy I have refrained from including a copy of this email request to anyone outside of your company but if this request is ignored as my last one was I will take further action. I would like to know how to remove your spyware from my computer. I do not want this spyware on my machine and I refuse to be ignored. Here are a few email addresses I was able to find with 3 minutes of effort:

brad_anderson@dell.com, jeffrey_clarke@dell.com, brian_gladden@dell.com, steve_price@dell.com, ronald_rose@dell.com, karen_quintos@dell.com, david_johnson@dell.com, stephen_felice@dell.com, Clarence_Worthington@acer.com, Gregg_Prendergast@acer.com, Lenny_Pollak@acer.com, Joe_Castillo@acer.com, Richard_Black@acer.com, ming_wang@acer.com, mark_hill@acer.com, Rudi_Schmidleithner@acer.com, alison_williams@acer.com, Mark_Groveunder@acer.com, Terry_Tomecek@acer.com, customer_support@tacp.com, http://www.privacyrights.org/contact/Beth+Givens, http://www.privacyrights.org/contact/Paul+Stephens, epic-info@epic.org, infoaclu@aclu.org, comments@cauce.org, cme@cme.org, cpsr-info@cpsr.org, cyperpunks-ftp@csua.berkely.edu, gilc@gilc.org., coalition@privacy.org., privacyint@privacy.org, http://www.privacy@rights.org/, http://www.pirg.org/


http://epic.org/privacy/privacy_resources_faq.html

He gets a couple of shocking responses...

Hello Jason,

Thank you for contacting Absolute Software.

I wasn’t able to find an account associated with your name or email address, so there shouldn’t be any of our software set up on your computer which is collecting any sort of data. To confirm this (as it may be registered under a different name or email address), I could do a search by your serial number or Service Tag (if it is a Dell computer) if you wouldn’t mind providing it.
Having said this, I’m not clear on why you feel that our software is on your computer. To clarify, ‘Computrace’, which is basically the technology at the core of our products, may be built into the motherboard by the computer manufacturer as they are putting the computer together. All this means is that the computer has the technical ability to make full use of our software, should it be installed and registered on the computer. Without the installation, however, this technology will simply sit dormant on the machine as there will be nothing on the computer to make use of it. The software will still need to be installed and registered by the customer after they receive the computer (installation requires acceptance of a service agreement, which the computer manufacturer cannot do on behalf of the customer).
An additional point of clarification I’d like to add is that even if a customer has our software installed, we do not monitor or track a user’s ‘activities’ on their computer. This requires downloading additional forensic tools, which is only done after a theft report is taken and an active investigation involving the police is commenced.
If you have another reason for thinking our software is on your machine (there could be unique circumstances which have resulted in this scenario), please provide additional info and I’ll do my best to look into it.
Regards,
   

overbet: "I've seen it in my BIOS and there are several RPC processes running in the background which I cannot end. My service tag is xxxxxxxx."

He goes on, quoting Absolute's reply and answering it:

Absolute: "An additional point of clarification I’d like to add is that even if a customer has our software installed, we do not monitor or track a user’s ‘activities’ on their computer."

overbet: "Irrelevant, the capability to do so is intrusive and unacceptable! I would never willingly agree to have something like this on my personal property that could not be removed by me. Given this software is so advanced perhaps it could have a PIN assigned with a disclaimer to the end user that it voids liability if it is used."


I assume this was a second response from the company.

  
Hello Jason,

Thanks for your response.
In looking at your Service Tag, it looks like Dell either accidentally activated the Computrace agent on your machine before sending it out, or may have sent you a machine that was originally meant for a customer who wanted Computrace. This resulted in an agent on your computer trying to reach our monitoring center (which explains the rpcnet.exe process), but not being associated with any account.

From our end, we have sent a command for the agent on your computer to remove itself on the next call to us (should be next time the computer connects to the internet). While we can’t remove the technology built into the BIOS (BIOS will still list ‘Computrace’), with no agent active on the computer you will not see a running process from us nor will the computer have any connections with our monitoring center.

For details on how the agent was activated on your computer, Dell may be able to provide more information as it was done completely outside the control of Absolute Software.

If there’s something else I can clarify or assist with, please let me know.

Regards,



Accidentally turned it on???

 



I did some more digging and found this article:

http://www.zdnet.com/blog/security/absolute-software-downplays-bios-rootkit-claims/3936

Absolute's response to the "floods of calls" was this statement:

    "Our BIOS module allows no special undetected path into the operating system. Uncontrolled access to a computer system may allow some BIOS images to be tampered with by an expert. Attempting to alter the Computrace BIOS module for malicious purposes will not defeat conventional detection as claimed by the authors. Any alteration to the BIOS module will cause any popular antivirus software to alert the customer.

    More importantly, if the BIOS of a computer has been compromised by an attacker, that machine is exposed to innumerable other vulnerabilities far beyond the scope of the Computrace BIOS module. The presence of the Computrace module in the BIOS in no way weakens the security of the BIOS."


Wait!! Read that again: "More importantly, if the BIOS of a computer has been compromised by an attacker, that machine is exposed to innumerable other vulnerabilities far beyond the scope of the Computrace BIOS module."

ZDNet further commented:

"Moreover, the company states that “Computrace is designed to be activated, deactivated, controlled and managed by the customer using encrypted channels.” Long gone are the days when a plain simple HTTP update mechanism using domain names, lack of digital signatures, combined with 8-bit XOR obfuscated configuration block can be described as encrypted channels. Going through the research presented by Alfredo Ortega and Anibal Sacco, the “encrypted channels” mentioned suddenly disappear:

    Unpacked, the configuration block is easily modifiable. By simply changing the URL or IP, we can redirect the agent queries to our site. This is very easy to accomplish in the registry, but we don’t have persistence for merely modifying the registry. To modify the configuration of the persistent agent we need to modify and reflash the BIOS. This is possible in many systems at the date of publication for this article, as unsigned BIOS are common.

For years, malware authors have been conducting network reconnaissance in an attempt to automatically prevent infected users from reaching the hard-coded update locations of antivirus software. Conficker is the most recent example of this fairly simple but highly effective approach.

Should LoJack customers worry? Common sense in the current threatscape will position the practice of hijacking the service for malware serving purposes as a highly exotic one. But yes, the flaw is there. What the customers of the service should be really concerned with is the ease with which a potential thief can block it from phoning back his location."
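To see why an "8-bit XOR obfuscated configuration block" is not an encrypted channel in any meaningful sense, here is an added example written for this page; it is not code from the post, from ZDNet, or from the Ortega/Sacco research. A constructed stand-in config (the real agent's block layout is not on this page and is not assumed) is obfuscated with one secret byte, and then recovered with no knowledge of that byte by trying all 256 candidates and scoring each for config-like text plus the crib "http".

```python
import string

# Bytes a key=value configuration block plausibly contains; used to score
# candidate decodings.
CONFIG_CHARS = set((string.ascii_letters + string.digits + "=;:/._-").encode())

# Constructed stand-in for a config block; the hostname is a placeholder.
CONFIG_PLAIN = b"url=http://monitor.example.net/agent;port=80;interval=86400\x00"
SECRET_KEY = 0x5A          # the single byte the "encryption" amounts to


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes, crib: bytes) -> float:
    """Fraction of config-like bytes, plus a bonus when the crib appears."""
    textlike = sum(b in CONFIG_CHARS for b in candidate) / len(candidate)
    return textlike + (1.0 if crib in candidate else 0.0)


def recover_xor_key(blob: bytes, crib: bytes = b"http") -> tuple:
    """Try all 256 keys and return the best-scoring (key, plaintext)."""
    best_key, best_plain, best_score = 0, blob, -1.0
    for key in range(256):
        cand = xor_bytes(blob, key)
        s = score(cand, crib)
        if s > best_score:
            best_key, best_plain, best_score = key, cand, s
    return best_key, best_plain


def parse_config(plain: bytes) -> dict:
    """Split 'k=v;k=v' pairs (up to the NUL terminator) into a dict."""
    text = plain.split(b"\x00", 1)[0].decode("ascii")
    return dict(item.split("=", 1) for item in text.split(";") if item)


if __name__ == "__main__":
    blob = xor_bytes(CONFIG_PLAIN, SECRET_KEY)      # what would sit on disk
    key, plain = recover_xor_key(blob)              # no key needed
    print(f"recovered key 0x{key:02x}: {parse_config(plain)}")
```

The recovery works because single-byte XOR is a bijection on each byte: every wrong key turns the plaintext into the same shifted alphabet, so the crib can only appear under the one right key, and with config text there are only 256 keys to check. What would actually stop a modified block from being accepted is a signature or keyed MAC over it that the agent verifies before use; XOR verifies nothing and hides nothing.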



So how is this traffic suddenly showing up on hundreds of devices on a network, especially in light of the recent discovery of malware that targets the BIOS and carries out successful MD5 collision attacks?

What if these devices are part of control systems like life support or climate control?
Should I be concerned? Should YOU be?

@razoreqx

1 comment:

  1. Too bad you didn't just capture the incoming packet to disable the software; you could just write a tool to have the soft auto-destruct.
