Deactivating the rootkit – from Core Labs, who are part of Core Security – the makers of Core IMPACT Pro.
Here’s an update from Core Security posted today – Wednesday August 12th, 2009
I attended Black Hat and Defcon this year and gained much useful information from that trip. There were a couple of eye-opening presentations in the general terms of the security world, and the one I am going to summarize here is “Deactivating the Rootkit” from Core Labs. You can view all the information, and download the white paper and presentation from Core Labs. I’m going to outline it here from my notes – I would strongly suggest you read the details from Core Labs though – scary stuff!
Here are my notes:
HISTORY
2004: The BIOS size of 60% of all notebooks increased by 25 KB.
2009: While Core Labs were researching how to build their own BIOS rootkit, they found one already there! There had been agreements with major vendors that this agent would be installed in the BIOS (Phoenix) as an anti-theft agent. It is dormant until activated – wait – activated? BACK DOOR!
More details: US 6,300,863 B1 Patent – Filed Mar 24, 1998 by Absolute Corp – Agent inside modem Option ROM – Support for DOS – Backdooring

WHAT IS THIS ROOTKIT?
Absolute Corp, Computrace Anti-theft agent – Option ROM Embedded in Phoenix BIOS – Agreements with law enforcement agencies – Inside notebooks from HP, Dell, Lenovo, Toshiba, Gateway, ASUS, Panasonic, & more … estimated 60% of PC notebooks have this rootkit.
Option ROM header (hex dump):
00000000 55 aa 2a eb 15 43 6f 6d 70 75 54 72 61 63 65 20 |U.*..CompuTrace |
00000010 56 38 30 2e 38 36 36 78 1d 00 e9 5c 01 50 43 49 |V80.866x...\.PCI|
00000020 52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00 |R..4.........*..|
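As an added example (not Core Labs’ code or tool), here is a parser for the legacy PCI Option ROM header shown above, plus a scan that walks a dumped BIOS image looking for a 55 AA image whose header carries the “CompuTrace” string. The 48 header bytes are transcribed from the dump; the surrounding BIOS blob, the unrelated VGA ROM and the offsets 0x400 and 0x2000 are constructed for the example. The PCIR fields it pulls out (vendor 0x1917, device 0x1234, image length 0x2A blocks) come straight from the dump.

```python
"""Parse a legacy PCI Option ROM header and find the CompuTrace image in a
BIOS dump. Added example, not Core Labs' tool: it reads only the standard
55 AA / PCIR header fields, so it works on any option ROM image."""
import struct

# Header bytes transcribed from the CompuTrace dump above. The dump showed
# only 48 bytes, so the PCIR structure is cut off after its image-length
# field (constructed sample input, not a full ROM).
COMPUTRACE_HEADER = bytes.fromhex(
    "55aa2aeb15436f6d7075547261636520"
    "5638302e383636781d00e95c01504349"
    "521719341200001800000600002a0000"
)

OPTION_ROM_SIGNATURE = b"\x55\xaa"
PCIR_POINTER_OFFSET = 0x18   # WORD at 0x18 = offset of the "PCIR" structure
VENDOR_STRING_OFFSET = 0x05  # the string follows the 2-byte short jmp (EB 15)


def parse_option_rom_header(rom: bytes) -> dict:
    """Return the header fields of a legacy PCI Option ROM image.

    Raises ValueError if the 55 AA signature or the PCIR structure is missing.
    """
    if rom[:2] != OPTION_ROM_SIGNATURE or len(rom) < PCIR_POINTER_OFFSET + 2:
        raise ValueError("not a legacy option ROM image")
    pcir_off = struct.unpack_from("<H", rom, PCIR_POINTER_OFFSET)[0]
    if rom[pcir_off:pcir_off + 4] != b"PCIR":
        raise ValueError("PCIR structure not found at offset 0x%x" % pcir_off)
    if len(rom) < pcir_off + 18:
        raise ValueError("PCIR structure truncated")
    vendor_id, device_id = struct.unpack_from("<HH", rom, pcir_off + 4)
    pcir_len = struct.unpack_from("<H", rom, pcir_off + 10)[0]
    image_len = struct.unpack_from("<H", rom, pcir_off + 16)[0]
    # Printable ASCII run after the entry jump: "CompuTrace V80.866x" here.
    text = bytearray()
    for b in rom[VENDOR_STRING_OFFSET:PCIR_POINTER_OFFSET]:
        if not 0x20 <= b < 0x7F:
            break
        text.append(b)
    return {
        "size_bytes": rom[2] * 512,        # byte 2 = image size in 512-byte blocks
        "vendor_string": text.decode("ascii"),
        "pcir_offset": pcir_off,
        "vendor_id": vendor_id,            # 0x1917 in the dump
        "device_id": device_id,            # 0x1234 in the dump
        "pcir_length": pcir_len,
        "pcir_revision": rom[pcir_off + 12],
        "class_code": rom[pcir_off + 13:pcir_off + 16].hex(),  # 3 raw bytes, as stored
        "image_length_blocks": image_len,  # should agree with byte 2
    }


def find_computrace_roms(image: bytes, marker: bytes = b"CompuTrace") -> list:
    """Offsets of 512-byte-aligned option ROM images in a BIOS dump whose
    header carries the marker string (CompuTrace by default)."""
    hits = []
    for off in range(0, len(image) - 1, 512):
        head = image[off:off + PCIR_POINTER_OFFSET]
        if head[:2] == OPTION_ROM_SIGNATURE and marker in head:
            hits.append(off)
    return hits


def build_sample_bios_image() -> bytes:
    """Constructed 32 KB blob standing in for a dumped BIOS region: 0xFF
    padding, an unrelated option ROM header at 0x400 and the CompuTrace
    header at 0x2000. Fabricated for this example."""
    img = bytearray(b"\xff" * 0x8000)
    other = OPTION_ROM_SIGNATURE + b"\x10\xeb\x15" + b"Generic VGA BIOS"
    img[0x400:0x400 + len(other)] = other
    img[0x2000:0x2000 + len(COMPUTRACE_HEADER)] = COMPUTRACE_HEADER
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_bios_image()
    for off in find_computrace_roms(image):
        print("CompuTrace option ROM at 0x%x" % off)
        for key, value in parse_option_rom_header(image[off:off + 48]).items():
            print("  %-20s %s" % (key, value))
```

On a real machine, dump the BIOS region with a flash dump tool (flashrom, for instance) and pass the file contents to `find_computrace_roms`. The size byte 0x2A and the PCIR image length agree: 42 × 512 = 21,504 bytes of option ROM.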
PROBLEMS FOUND
Huge privacy risk (bad/no authentication) – Anyone can activate it with enough privileges – Anyone can change the configuration – Anyone can de-activate it – Whitelisted by AV (potentially undetectable)
If the notebook is not running Windows, the agent does not drop any files – but it is still there in the BIOS!
MORE ISSUES FOUND
Calls home to a URL (host name) rather than a fixed IP – Configuration block can be modified:
Configuration block (XOR 0xB5 obfuscated, hex dump):
00000000 b1 b7 b5 b5 35 ab b1 b4 b5 f5 b4 aa b1 b5 b5 b5 |....5...........|
00000010 b5 a5 bf 41 41 30 49 4e 30 30 30 30 30 95 b1 1f |...AA0IN00000...|
00000020 ee 30 86 a0 b1 8b b5 35 b5 ac ae 4a 4a 4a 4a 4a |.0.....5...JJJJJ|
00000030 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a |JJJJJJJJJJJJJJJJ|
00000040 4a 4a 4a 4a 4a 4a af b4 35 ae b3 b5 b5 b5 b5 b5 |JJJJJJ..5.......|
00000050 b5 a8 b7 b5 b5 f3 b3 b5 b5 b5 b5 b5 b5 f2 b3 b5 |................|
00000060 b5 b5 b5 b5 b5 fd af 00 50 d1 35 71 17 73 65 61 |........P.5q.sea|
00000070 72 63 68 2e 6e 61 6d 65 71 75 65 72 79 2e 63 6f |rch.namequery.co|
00000080 6d bf b7 b2 a5 b3 b3 ac 35 b4 b4 b5 b5 b2 b3 b5 |m.......5.......|
00000090 b5 b5 b5 b5 4a 98 b4 0d 98 b4 0d 9e b1 41 54 44 |....J........ATD|
000000a0 54 81 b7 38 2c 80 b7 39 2c 82 b2 39 2c 39 31 38 |T..8,..9,..9,918|
Stub agent: Unauthenticated BIOS code execution
DETECTING THE ROOTKIT AGENT
Two files to look for: system32\rpcnet.exe (normal agent) – system32\rpcnetp.exe (BIOS-persistent agent) – A service called “Remote Procedure Call (RPC) Net” with no description – Outgoing connections to search.namequery.com (209.53.113.223) – A custom tool from Core (not released yet)
DEACTIVATING THE ROOTKIT
Easiest way is hosts file redirection (127.0.0.1) – Modifying the BIOS (only if the BIOS is unsigned!) – Modifying the configuration block (registry, hard drive, etc.) – Modifying NVRAM, then a full HD wipe – anyone think of more?
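As an added example covering both the detection indicators and the hosts-file method (not the unreleased Core tool, and not code from the talk), the Python below applies the checks above to captured command output and produces the 127.0.0.1 hosts entry. The file names, service display name, host name and IP are the ones listed above; the sample directory listing, `sc query` and `netstat -ano` text, the PIDs and the second connection are constructed for the example.

```python
"""Host-level indicators of the Computrace agent and the hosts-file
redirect. Added example, not Core's (unreleased) tool: it works on
captured text so it runs offline here; on a live Windows host feed it the
real 'dir', 'sc query' and 'netstat -ano' output and the hosts file at
%SystemRoot%\\System32\\drivers\\etc\\hosts."""
import re

AGENT_FILES = {"rpcnet.exe", "rpcnetp.exe"}
AGENT_SERVICE_DISPLAY_NAME = "Remote Procedure Call (RPC) Net"
CALLBACK_HOST = "search.namequery.com"
CALLBACK_IPS = {"209.53.113.223"}  # address given in the talk; re-resolve the name yourself

# Constructed sample inputs shaped like the three command outputs. The
# PIDs, local addresses and the second connection are fabricated.
SAMPLE_SYSTEM32_LISTING = """\
rpcss.dll
RPCNET.EXE
rpcnetp.exe
svchost.exe
"""
SAMPLE_SC_QUERY = """\
SERVICE_NAME: rpcnet
DISPLAY_NAME: Remote Procedure Call (RPC) Net
        STATE              : 4  RUNNING

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
        STATE              : 4  RUNNING
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49211     209.53.113.223:80      ESTABLISHED     1532
  TCP    192.168.1.20:49212     93.184.216.34:443      ESTABLISHED     2208
"""

_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.M)


def find_agent_files(listing: str) -> set:
    """Agent executables present in a System32 directory listing (case-insensitive)."""
    return {name.strip().lower() for name in listing.splitlines()} & AGENT_FILES


def find_agent_services(sc_output: str) -> list:
    """SERVICE_NAMEs whose display name is the agent's. The legitimate
    'Remote Procedure Call (RPC)' service (RpcSs) must not match."""
    found, current = [], None
    for line in sc_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "SERVICE_NAME":
            current = value.strip()
        elif key == "DISPLAY_NAME" and value.strip() == AGENT_SERVICE_DISPLAY_NAME:
            found.append(current)
    return found


def find_callback_connections(netstat_output: str, ips=CALLBACK_IPS) -> list:
    """(remote endpoint, PID) pairs for TCP connections to the call-home IPs."""
    hits = []
    for _local, remote, _state, pid in _NETSTAT_RE.findall(netstat_output):
        if remote.rsplit(":", 1)[0] in ips:
            hits.append((remote, int(pid)))
    return hits


def hosts_redirect(hosts_text: str, host: str = CALLBACK_HOST) -> tuple:
    """Return (already_redirected, amended_text): True if the hosts file already
    maps the call-home name to 127.0.0.1, else the text with that line appended."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore comments
        if len(fields) >= 2 and fields[0] == "127.0.0.1" \
                and host.lower() in (f.lower() for f in fields[1:]):
            return True, hosts_text
    sep = "" if hosts_text == "" or hosts_text.endswith("\n") else "\n"
    return False, hosts_text + sep + "127.0.0.1 %s\n" % host


def assess(listing: str, sc_output: str, netstat_output: str) -> dict:
    """Combine the three checks into one verdict."""
    files = find_agent_files(listing)
    services = find_agent_services(sc_output)
    conns = find_callback_connections(netstat_output)
    return {
        "files": sorted(files),
        "services": services,
        "connections": conns,
        "agent_present": bool(files or services or conns),
        # rpcnetp.exe is the copy the BIOS agent re-drops, so deleting the
        # files on disk alone will not get rid of it.
        "bios_persistent_copy": "rpcnetp.exe" in files,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM32_LISTING, SAMPLE_SC_QUERY, SAMPLE_NETSTAT))
    print(hosts_redirect("127.0.0.1 localhost\n")[1])
```

Two caveats that follow from the findings above: the hosts entry only breaks the lookup of the configured name, and since the configuration block can be rewritten, anyone who can change it can point the agent somewhere else; and because rpcnetp.exe is dropped again by the BIOS-resident agent, removing the files is not a fix on its own.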
Does anyone else see what a huge risk this is to anyone owning a notebook with this BIOS, let alone corporations who (these days) predominantly issue notebooks to ALL employees? I strongly suggest you hop on over to Core Labs (they are a part of Core Security by the way – the makers of Core IMPACT Pro).
These notes are the outline from the presentation, and of a further presentation that I made to the executive staff at the company I work for. It made them nervous, and we are going to take steps to negate this risk. What are you going to do?