24

Absolute persistence technology amounts to a persistent rootkit pre-installed by many device manufacturers (Acer, Asus, Dell, HP, Lenovo, Samsung, Toshiba, etc) to facilitate LoJack for laptops, and other backdoor services:

The Absolute persistence module is built to detect when the Computrace and/or Absolute Manage software agents have been removed, ensuring they are automatically reinstalled, even if the firmware is flashed, the device is re-imaged, the hard drive is replaced, or if a tablet or smartphone is wiped clean to factory settings.

Absolute persistence technology is built into the BIOS or firmware of a device during the manufacturing process.

This has echoes of both Rakshasa and vPro.

Also, like other corporate rootkits, it increases the attack surface available on the host PC and thereby opens the door to additional malware:

The protocol used by the Small Agent provides the basic feature of remote code execution [and] creates numerous opportunities for remote attacks in a hostile network environment. ... A typical attack on a local area network would be to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Another possibility is to use a DNS service attack to trick the agent into connecting to a fake C&C server. We believe there are more ways to accomplish such attacks, though this is beyond the scope of the current research.

If a user legally purchases, secondhand or new, a device that originally had Absolute persistence technology built-in and may even have had it activated, and wishes:

  • to detect whether the technology is still present in the device; and, if so,
  • to remove that technology from the device (i.e. disinfect the device),

how best should the user go about this?

I'm guessing that Coreboot is part of the answer.

schroeder
sampablokuper
  • Unless there is a dedicated chip onboard for storing such preinstalled modules, flashing with a clean or modded version of the BIOS is enough. Coreboot can also be used. To detect the presence, the best way is to observe the system deeply and carefully, check settings in the BIOS, reverse engineer the BIOS, etc. – Nikhil_CV Sep 29 '15 at 05:12
  • @Nikhil_CV, I've no idea whether there is a dedicated chip, or indeed if the rootkit persists by homing itself in multiple chips/firmwares/etc (e.g. is it related to "Intel Anti-Theft Technology" in many modern Intel CPUs?). If you know more than I do, then please expand on your comment in an answer, and provide sources for your information. Thanks! – sampablokuper Sep 30 '15 at 18:44

8 Answers

4

"Absolute persistence technology is built into the BIOS or firmware of a device during the manufacturing process."

So, in addition to removing the agent, you will need to flash the BIOS or firmware of the device, with a version without the technology.

Since "coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers", it is potentially part of an answer.

Of course, you haven't specified a device, so it's impossible to provide you with a detailed answer. The only correct answer is 'it depends'.

The functionality of the technology requires that removing it remain infeasible, so its quality/reputation hinges on us being unable to provide you with a detailed answer.

It's really not one technology, but many; review the NSA's ANT technology codenamed DEITYBOUNCE, IRONCHEF, FEEDTROUGH, GOURMETTROUGH, etc; see https://commons.wikimedia.org/wiki/Category:NSA_ANT...

  • 1
    I didn't specify a device because I'm interested in the general case and I don't know whether there's a common implementation or if implementation varies from model to model. Still, if you want a specific suggestion, how about the ThinkPad X60? – sampablokuper Apr 17 '14 at 17:44
  • That's cool. The only correct answer is 'it depends', because the implementation varies from model to model. I don't have specifics for the ThinkPad X60. For the Juniper brand, for example, there are three implementations in the NSA toolbox. Can these be detected? Not readily. There is no answer to your question 'till someone knows what the technology is in a specific case. How to go about knowing that? Buy the tech, and compare a protected system to an unprotected one. – WHO's NoToOldRx4CovidIsMurder Apr 25 '14 at 19:11
  • 2
    I'm not sure what you mean by "protected". Presumably, you mean one with the Absolute rootkit removed. Anyhow, this still begs the question of *how* to get both a protected and unprotected X60 (for instance) in order to make such a comparison. – sampablokuper Apr 26 '14 at 13:34
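One concrete way to act on the "reverse engineer the BIOS" suggestion before deciding whether a reflash is needed is to dump the firmware and look for the product's own names in it. The script below is an added example, not code from the original page or from Absolute or coreboot. The indicator words are an assumption drawn from the product names this thread mentions; the dump itself would be taken outside the script (for instance with `flashrom -p internal -r bios.bin`), and a constructed sample image stands in for it here. A hit is evidence that the module is present; a miss is not proof of absence, because UEFI modules are often compressed and can be renamed.

```python
"""Scan a BIOS/UEFI firmware dump for Absolute/Computrace indicator strings.

Added example, not code from the original page or from Absolute. INDICATORS is
an assumption based on the product names in the thread. A hit is evidence the
persistence module is (or was) in the image; a miss is NOT proof of absence.
"""
import re
import sys
from typing import List, Tuple

INDICATORS = ["Computrace", "Absolute", "rpcnet", "LoJack", "namequery"]  # assumed


def _patterns():
    """Each indicator as a case-insensitive ASCII and UTF-16LE byte pattern.
    UEFI firmware stores much of its text as UTF-16LE, so ASCII alone would miss it."""
    pats = []
    for word in INDICATORS:
        pats.append((word, "ascii", re.compile(re.escape(word.encode("ascii")), re.IGNORECASE)))
        pats.append((word, "utf-16le", re.compile(re.escape(word.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def scan_firmware(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, indicator, encoding) for every hit, sorted by offset."""
    hits = []
    for word, enc, pat in _patterns():
        hits.extend((m.start(), word, enc) for m in pat.finditer(image))
    return sorted(hits)


def context(image: bytes, offset: int, width: int = 16) -> str:
    """Printable preview around a hit; non-printable bytes are shown as '.'."""
    start = max(0, offset - width)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in image[start:offset + width])


def build_sample_image() -> bytes:
    """Constructed 4 KiB image (not a real dump): erased-flash fill with two planted strings."""
    img = bytearray(b"\xff" * 4096)
    img[0x100:0x100 + 10] = b"Computrace"            # ASCII, as a legacy option ROM might hold it
    tag = "Absolute Software".encode("utf-16-le")
    img[0x800:0x800 + len(tag)] = tag                # UTF-16LE, as UEFI modules store text
    return bytes(img)


def main(argv: List[str]) -> int:
    # Usage: python scan_fw.py bios.bin   (no argument: scan the constructed sample)
    image = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_image()
    hits = scan_firmware(image)
    for off, word, enc in hits:
        print(f"0x{off:08x}  {word:<10} {enc:<8} |{context(image, off)}|")
    print(f"{len(hits)} hit(s) in {len(image)} bytes; no hits does not prove the module is absent")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the dump taken before and after a reflash: if the strings are present before and gone after, the reflash at least replaced the region that carried them. A clean scan after reflashing a vendor image (rather than coreboot) still says nothing about a module stored in a separate chip, which is the case Nikhil_CV's comment flags.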
2

The only way I know of is to contact Absolute Software and request removal of the agent. They are friendly enough, they will ask for some identifying information on the laptop, and then they will send a message to the original owner and ask if they sold it or got rid of it (I guess).

I waited on the order of six months for the final resolution, just got my message. Here is what it looks like:

The agent has been removed from device XXXXXXXX, make sure that the device is connected to a wired network, must have Windows O.S. installed, perform some reboots and please allow 24.5 hours in order to complete the whole process. Please let us know if you need further assistance.

guntbert
Morgan
    Interesting to know that this option is available. However, it requires the user to trust MS and to place even more trust in *Absolute Software* than might otherwise be so. I.e. it requires the user to: trust *AS* with (pseudonymous?) contact info associated w/the PC in question; trust *AS* (& anyone they share info with) not to misuse their ability to correlate that identity w/the PC's connections to the Internet; trust the agent to do no harm while still present; trust *AS* to get back to you; and trust *AS* to have been truthful if/when they finally tell you they have removed the agent. – sampablokuper Jan 27 '19 at 18:47
  • 2
    Upvoted, because this is *plausibly the approach that AS intends for users who wish to remove the agent*. So, thank you for pointing it out. However, I have not marked this answer as "accepted", because the approach outlined in it seems to me to be slow, dangerous, and unverifiable; and because it does not address the "[how] to detect whether the technology is still present in the device" part of my question. – sampablokuper Jan 27 '19 at 19:00
1

You could, as I did, write a Windows service that loads early in the Windows boot order (in my case, before the network service) and waits for the service injected by the APM module to load. Once detected, it stops the APM service and deletes the service's file. I kept my service running in the background just in case the APM module could somehow re-inject and run the APM service.

This method worked with my Acer TravelMate from 2012; maybe things have come along since then.

Rich
1

Basically

In addition to WHO's NoToOldRx4CovidIsMurder's answer, I would add:

  • Have a look at Coreboot's board status page, for information about your device.

  • Consider this example: Board:lenovo/t420.

    If a user legally purchases, secondhand or new, a device that originally...

    Once the firmware is flashed while the computer is off, Absolute doesn't have a chance to boot. From there, if you install a new system from scratch, I think you can consider that this computer is your computer.**

  • As coreboot is open source, you could inspect the code before compiling it, but coreboot is not the only solution! There are a lot of open-source BIOS replacement projects...

Paranoid disclaimer: **

As Absolute is a kind of backdoor installed by design by the hardware manufacturer, but keeping in mind that manufacturing is mostly delegated to other countries (regarding labour cost), I'm not able to certify that no other backdoor was ever built... by the vendor OR by the real hardware manufacturer, for example...

And they could even be located in any chipset, network interface ROM, or even elsewhere... see Cyber-attack concerns raised over Boeing 787 chip's 'back door'

For this, I think the better way would be something like:

  • slow down your network Internet access,

  • watch for signals using an old oscilloscope,

  • then try to follow every communication, during boot time...

0

I reached Absolute Software tech support at the provided number and gave him the PC serial number. He told me that their records said that Computrace had been disabled by the original PC owner 5 years ago, however there is nothing that Absolute Software can do to help, that my only recourse is to see about purchasing a replacement motherboard from the manufacturer.

schroeder
0

My Thinkpad T490 has a bios option in the security tab to "permanently disable the Absolute Persistence Module". It's in no way clear what this option actually does, but I've just disabled it on my system. This option, or similar options, are available for many Thinkpads. For discussion, see https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/BIOS-option-to-quot-permanently-disable-quot-Computrace/td-p/104500

0

According to the FAQ:

What if the Absolute software agent needs to be removed from a device?

IT administrators that have been authorized to do so, may carry out this function themselves within the Absolute Customer Center for Computrace, or from within the Absolute Manage console for Absolute Manage software agent removal.

I.e. you have to allow CompuTrace to be installed, persuade Absolute that you are the authorised user now, get control transferred to you, and de-activate it using their managed service.

Which will certainly involve sending them money.

I am guessing that CompuTrace will be detected by any competent antivirus as "remote management software" which you can probably flag not to run.

Ben
  • I'm afraid this FAQ answer ("*What if the Absolute software agent needs to be removed from a device?*") doesn't address my question, as it would only remove the software agent, not the Absolute persistence technology. – sampablokuper Mar 19 '14 at 18:20
  • 5
    As for using mainstream antivirus software to block the execution of any part of the Absolute system, that's unlikely to work: **"the [Absolute] rootkit is [white-listed by anti-virus software](http://www.zdnet.com/blog/security/researchers-find-insecure-bios-rootkit-pre-loaded-in-laptops/3828)"**. – sampablokuper Mar 19 '14 at 18:25
-2

I have CTES from Absolute on my Dell laptop board and consider it corporate spyware. This is how I defeated it. I went to C:\Windows\system32\ and grouped everything by manufacturer, and made a list of everything from Absolute so I could create a .cmd file to delete it all (hey, it's gonna come back, right?). I did the same in SysWOW64. There are 5 services to stop: CscService, Ctes Manager, CtesHostSvc, rpchdp and rpcnet. These were stopped using NET STOP in my .cmd file before I deleted everything, like this:

@Echo Off
REM Stop each service, then set its Start value to 4 (Disabled) so it is not started on the next boot.
NET STOP CscService /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\CscService" /v "Start" /t REG_DWORD /d "4" /f
REM A service name containing a space must be quoted, or NET STOP treats the second word as a separate argument.
NET STOP "Ctes Manager" /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Ctes Manager" /v "Start" /t REG_DWORD /d "4" /f
NET STOP CtesHostSvc /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\CtesHostSvc" /v "Start" /t REG_DWORD /d "4" /f
NET STOP rpchdp /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\rpchdp" /v "Start" /t REG_DWORD /d "4" /f
NET STOP rpcnet /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\rpcnet" /v "Start" /t REG_DWORD /d "4" /f
REM Remove the agent binaries from both the 32-bit (SysWOW64) and 64-bit (System32) system directories.
DEL /F /Q /A C:\Windows\SysWOW64\cshost.dll
DEL /F /Q /A C:\Windows\SysWOW64\CTLojack.dll
DEL /F /Q /A C:\Windows\SysWOW64\DIAGDLL64.DLL
DEL /F /Q /A C:\Windows\SysWOW64\identprv.dll
DEL /F /Q /A C:\Windows\SysWOW64\pkgmgr.dll
DEL /F /Q /A C:\Windows\SysWOW64\pcnet.dll
DEL /F /Q /A C:\Windows\SysWOW64\wceprv.dll
DEL /F /Q /A C:\Windows\SysWOW64\instw64.exe
DEL /F /Q /A C:\Windows\SysWOW64\pkgslv.exe
DEL /F /Q /A C:\Windows\SysWOW64\rpcnet.exe
DEL /F /Q /A C:\Windows\System32\cshost.dll
DEL /F /Q /A C:\Windows\System32\CTLojack.dll
DEL /F /Q /A C:\Windows\System32\DIAGDLL64.DLL
DEL /F /Q /A C:\Windows\System32\identprv.dll
DEL /F /Q /A C:\Windows\System32\pkgmgr.dll
DEL /F /Q /A C:\Windows\System32\pcnet.dll
DEL /F /Q /A C:\Windows\System32\wceprv.dll
DEL /F /Q /A C:\Windows\System32\instw64.exe
DEL /F /Q /A C:\Windows\System32\pkgslv.exe
DEL /F /Q /A C:\Windows\System32\rpcnet.exe
REM Remove the agent's data directories.
RD /S /Q C:\ProgramData\CTES
RD /S /Q C:\ProgramData\Rpcnet
PAUSE

OK, services stopped, everything deleted. CTES is now off the system temporarily; temporarily because it's on the motherboard and it will reinstall itself onto your system, but now you have your .cmd file you can run. That's not enough, though: CTES must contact a server to update itself and then upload data, and it's considerable. Go to the CTES folder and have a look at CtesPersistence.txt to get an idea of what's happening. I stopped that Internet traffic cold by blocking these servers in the hosts file:

127.0.0.1 search.namequery.com
127.0.0.1 search2.namequery.com 
127.0.0.1 search64.namequery.com 
127.0.0.1 eol.absolute.com 
127.0.0.1 si.namequery.com 
127.0.0.1 d.namequery.com 
127.0.0.1 a.fc.namequery.com 
127.0.0.1 fo.fc.namequery.com 
127.0.0.1 resources.namequery.com 
127.0.0.1 cdta.namequery.com 
127.0.0.1 eum.absolute.com 
127.0.0.1 api.absolute.com 
127.0.0.1 ps.namequery.com 
127.0.0.1 amp.namequery.com 
127.0.0.1 ps.absolute.com 
127.0.0.1 ctm.server.absolute.com 
127.0.0.1 gcm-http.googleapis.com 
127.0.0.1 bh.namequery.com 
127.0.0.1 sv.symcb.com
127.0.0.1 s.symcb.com
127.0.0.1 s1.symcb.com
127.0.0.1 s2.symcb.com
127.0.0.1 crl.thawte.com
127.0.0.1 cdp.thawte.com
127.0.0.1 cacerts.thawte.com

I have effectively disabled a rather well thought out piece of corporate spyware. The CTES service still installs because it's on my laptop board. I have Process Hacker from SourceForge; it notifies me when the CTES service installs, so I give it an hour then go to %ProgramData%\CTES and confirm that nothing was updated or uploaded.

To understand just how persistent this is, have a look at the Administrator's Guide for Absolute Agents. Once the software is activated, you can only block it. And most laptops are shipped with it activated. Please note this is my system; yours may be different, but it's a jumping-off point.

So to answer the question, I will say quite definitively that this technology is not coming off that board... ever. It can only be managed.

Here's some reference:

| Host | IP | Port | Purpose |
|---|---|---|---|
| search.namequery.com | 209.53.113.223 | 80 and 443 | Absolute agent communication for Windows and Mac |
| search2.namequery.com | 209.53.113.19 | 80 | Data Delete & Device Freeze |
| search64.namequery.com | 209.53.113.224 | 80 | Absolute Consumer agent |
| eol.absolute.com | 209.53.113.77 | 443 | End of Life (EOL) Data Delete |
| si.namequery.com | 209.53.113.217 | 80 | Absolute Persistence 2.x |
| d.namequery.com | 209.53.113.225 | 80 | Absolute Persistence 2.x |
| a.fc.namequery.com, fo.fc.namequery.com | 209.53.113.5 | 80 | Real-Time-Technology over IP (RTT-IP) |
| resources.namequery.com | 209.53.113.51 | 443 | Absolute 7 components |
| resources.namequery.com | 152.195.12.32 | 443 | Absolute 7 components delivered from Microsoft Azure Content Delivery Network |
| cdta.namequery.com | 209.53.113.110 | 80 | Data Transfer |
| eum.absolute.com and embedded URL | 209.53.113.7 | 443 | End User Messaging |
| api.absolute.com | 209.53.113.121 | 443 | Web Services API |
| ps.namequery.com | 204.174.66.17 | 443 | Professional Services |
| amp.namequery.com | 209.53.113.24 | 443 | Professional Services |
| ps.absolute.com | 209.53.113.132 | 443 | Professional Services |
| ctm.server.absolute.com | 209.53.113.108 | 443 | Absolute agent communication for Android and Chromebook |
| chrome.google.com | 172.217.3.206 | 443 | Absolute for Chromebooks Extension Web Store |
| gcm-http.googleapis.com | 64.233.177.95 | 443 | Google Cloud Messaging for Android and Chromebook |
| bh.namequery.com | 209.53.113.221 | 80 | Absolute holding account |
| sv.symcb.com | 72.21.91.29 | 80 | CRL Distribution Point |
| s.symcb.com | 72.21.91.29 | 80 | CRL Distribution Point |
| s1.symcb.com | 72.21.91.29 | 80 | CRL Distribution Point |
| s2.symcb.com | 23.60.139.27 | 80 | Authority Info Access - On-line Certificate Status Protocol |
| ts-ocsp.ws.symantec.com | 23.60.139.27 | 80 | Authority Info Access - On-line Certificate Status Protocol |
| ts-aia.ws.symantec.com | 72.21.91.29 | 80 | Authority Info Access Certification Authority Issuer |
| ts-crl.ws.symantec.com | 72.21.91.29 | 80 | CRL Distribution Point |
| ocsp.thawte.com | 23.60.139.27 | 80 | Authority Info Access - On-line Certificate Status Protocol |
| crl.thawte.com | 72.21.91.29 | 80 | CRL Distribution Point |
| cdp.thawte.com | 72.21.91.29 | 80 | CRL Distribution Point |
| cacerts.thawte.com | 104.18.11.39 | 80 | Authority Info Access Certification Authority Issuer |
| ocsp.digicert.com | 72.21.91.29 | 80 | Authority Info Access - On-line Certificate Status Protocol |
| crl3.digicert.com | 72.21.91.29 | 80 | CRL Distribution Point |
schroeder