
I was reading about CompuTrace and this thing is pretty much a backdoor and irremovable. It's in the firmware, in the BIOS and survives formatting and even hard drive change and OS reinstalls.

Some questions came to mind:

  1. Does CompuTrace work with Linux?

  2. Does CompuTrace still work when using VPN or Tor?

  3. How do you find out if it's on the computer, even if inactive?

I did some reading online and this exploit/backdoor is very dangerous. It can basically obtain ANY information and send it back home and is a poison pill and a tracking device. One of the issues I have noticed is the purchasing of used notebooks which you cannot be sure are not stolen.

Read this: http://www.freakyacres.com/remove_computrace_lojack

One comment was particularly interesting, apparently coming from a cop, which claims (quote)

"It's all nice in theory to sit here and talk about how you think you can disable the software, but from a law enforcement perspective I can tell you it is a LOT more persistent than you know and it does a whole lot more than you think it does."

That does not sound good and is pretty much an information security killer.

Am I missing something here or is this a permanent, irremovable exploit/backdoor?

elipconis

2 Answers


According to "Absolute Computrace Revisited" and "Absolute Computrace / System Requirements", the answers to your questions are:

  1. Yes (Ubuntu, Debian). There should not be a big problem for CompuTrace developers to make it work with RH or SuSE, I believe, since SW versions, placement of binaries and packaging are more or less standard in these distributions as well. RH SELinux and SuSE AppArmor can be a bit of a problem, but it is more administrative (to get a proper profile built in) than technical.

  2. Yes/probably. Since VPN just wraps IP traffic and routes all or part of it to another location, CompuTrace will follow that routing. If the addresses it wants to contact are routed to the VPN gateway and the gateway does not know/is not configured to route these addresses further, CompuTrace will not work, but this issue is not specific to VPN; the same is also true for any router that has configurable routing tables. As for TOR, if a TOR proxy is set in the IE properties of a user, then the IE process launched by CompuTrace will also use this setting. Other ways to connect to the Internet are not announced, but there is no problem for CompuTrace developers to build TOR presence detection and act accordingly.

  3. On the first linked page there is a list of signs of CompuTrace presence on a computer. Also on the CompuTrace official site there is a list of laptop models where CompuTrace is preinstalled by manufacturers, so if you buy a new laptop that is in the list, you have CompuTrace.

And the answer to your last question would be "Yes, but..." Technically CompuTrace is a permanent irremovable (for an average/above-average user) backdoor. Legally it was not developed with malicious intentions in mind (or I hope so) so at least in some countries it is not considered malware. It is not an exploit per se, since it was made to function exactly like it functions, but it can be exploited by bad guys, just like any other network-enabled SW.

Vilican
Yaris

Updated, edited answer 2017 August

IMPORTANT! Note that the previous answer might be outdated. Kaspersky did research on Computrace in August 2014, which is also already 2 years outdated!

So yes, computrace seems to be a permanent backdoor, unless you have hardware experience to inspect and follow the BIOS modification described by Kaspersky. Any authority or hacker can alter the files and take full control over your machine, including full activity monitoring and deleting files.

Answers according to 2017:

  1. We don't know, but: Secondary sources (like Kaspersky@youtube and https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html) refer to Ubuntu/Debian agents, which are not found on the official site as supported. I also did a Wireshark packet capture with Linux, and I did not find any of the suspicious activity listed at the end of the Kaspersky presentation. The exe does not run on Linux, unless you have Wine installed.

In an email from 2007 Absolute seems to represent the philosophy that Linux is a minor operating system, that's why they do not support it:

"From: Miguel Guhlin [mailto:mguhlin@yahoo.com] Sent: Monday, January 22, 2007 To: John Livingston Subject: Re: April 10th, 2006 article "Protecting Deleted Files" - reference to Computrace

(...)

1) What if the hard drive is repartitioned, and users employ dual-boot scenario, one side running Linux and the other Windows? If running Linux, would CompuTrace still work?

After repartitioning Computrace will work when running in Windows.

2) You mention Eraser wouldn't cause removal of CompuTrace. If CompuTrace is part of the bios, I imagine that it would not. However, if the machine is reformatted using a utility like Darik's Boot-n-Nuke, loaded with a new Operating System (e.g. Linux), then pressed into service, would Absolute Software be able to find the equipment? In other words, would it still work as advertised?

Well we support Windows and MAC OS 10+ so yes; we would work if rebooted into a Windows world, but not if the user boots into Linux."

(full article: http://www.mguhlin.org/2008/10/computrace-revisited.html?_escaped_fragment_=#! )

BUT I assume it is just a question of time to develop it. 2 years passed, and they still do not write anything about it. Kaspersky proved in a live demonstration that modified files are allowed to run in your system (Win).

  2. Yes, computrace resides in your BIOS, therefore it has the highest privilege to send collected data about your real activity. Also here the author of the secondary source says it does not disappear with reflashing. Some other articles say it is on a CHIP. Obviously there is different information from different times and versions. Even if it shows "not activated", it does not mean that computrace is not running and phoning home.

  3. You do a hardware BIOS inspection. Otherwise software tools are not reliable, but Kaspersky also provided some information about it at the end of the presentation, and how to kill it. But they warn everyone not to mess with it unless you have experience in BIOS, because you can accidentally permanently enable it, and not even Absolute can turn it off for you. If we suppose that we are not infected from the backdoor, we can rely partially on a clean Wireshark inspection. If you know how to mod a BIOS, you can also do that yourself, or just trust someone with that.

WARNING: you should do your own Wireshark test with your own Linux distribution and hardware setup. DO NOT RUN Wireshark as superuser!

"sudo addgroup --system wireshark
sudo chown root:wireshark /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
sudo usermod -a -G wireshark YOUR_USER_NAME

Then just start Wireshark and select the network interface. It worked for me on 10.04 LTS.

answered 04 Apr '12, 11:41 kyphos"

Otherwise bad news, there is still nothing 100% reliable about it, especially not about Linux. You can try to purchase open source or military hardware.

(I couldn't link much, but copy the quoted things for more sources if you wish)

TriloByte
  • I just found a video, previously called "LoJack", where they advertise it proudly that they can turn it on and see where the "suspect" is, when it is turning on, WHAT he is doing on the laptop... That was in 2011. https://www.youtube.com/watch?v=Oy8Ye2laT7c Now add the fact that it is non-removable officially, you just deactivate it. Then comes the investigation authority, and tells Absolute to turn it on, to "cooperate" with them, but keep it secret. Or let's say an employee is interested in what people are doing online. Or a hacker redirects all data to their server... – TriloByte Aug 09 '17 at 09:06
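For the "clean Wireshark inspection" the second answer recommends, here is an added example (not from the Q&A, and not Absolute's or Kaspersky's code) that reads tshark field output from an idle-machine capture and lists the DNS names and public destinations that a small allow-list does not explain. It assumes the capture was exported with tshark -r idle.pcap -T fields -e frame.time_relative -e ip.dst -e dns.qry.name -e dns.a; the allow-list and the sample lines are constructed.

```python
import ipaddress
from collections import Counter
# Hypothetical allow-list: names an idle Linux box is expected to resolve.
ALLOWED_NAMES = {"ntp.ubuntu.com", "security.ubuntu.com"}
# Address ranges treated as "local" (RFC 1918, loopback, link-local, multicast).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]
# Constructed sample of tshark field output (tab-separated columns:
# frame.time_relative, ip.dst, dns.qry.name, dns.a); 198.51.100.20 and
# 203.0.113.7 are documentation addresses standing in for public hosts.
SAMPLE = (
    "0.000000\t192.168.1.1\tntp.ubuntu.com\t\n"
    "0.010000\t192.168.1.50\tntp.ubuntu.com\t198.51.100.20\n"
    "0.020000\t198.51.100.20\t\t\n"
    "3.500000\t192.168.1.1\tplaceholder-unknown.example\t\n"
    "3.510000\t192.168.1.50\tplaceholder-unknown.example\t203.0.113.7\n"
    "3.600000\t203.0.113.7\t\t\n"
    "3.700000\t203.0.113.7\t\t\n"
    "9.000000\t224.0.0.251\t\t\n"
)

def parse_tshark_fields(text):
    """Turn tshark -T fields lines into (time, dst_ip, query_name, [answer_ips])."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, dst, qname, answers = (line.split("\t") + [""] * 4)[:4]
        answer_ips = [a.strip() for a in answers.split(",") if a.strip()]
        rows.append((float(t), dst.strip(), qname.strip().rstrip(".").lower(), answer_ips))
    return rows

def is_local(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)
    except ValueError:  # not an IP address at all
        return False

def find_unexpected(rows, allowed=ALLOWED_NAMES):
    """Queries for non-allow-listed names, and public IPs no allow-listed name resolved to."""
    names, ips, expected_ips = Counter(), Counter(), set()
    for _, _, qname, answer_ips in rows:
        if qname and (qname in allowed or any(qname.endswith("." + a) for a in allowed)):
            expected_ips.update(answer_ips)  # IPs that an expected name resolved to
        elif qname and not answer_ips:  # count each unexpected query packet once
            names[qname] += 1
    for _, dst, qname, _ in rows:
        if not qname and dst and not is_local(dst) and dst not in expected_ips:
            ips[dst] += 1
    return names, ips
```

Anything the script reports still needs a human to explain it (a package mirror, a time server, or something that should not be there); an empty report on a long idle capture is the "clean" result the answer talks about.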