Detecting Hidden Backdoors in Your BIOS With Nessus
The Hidden Threat
One of the inherent qualities of malware is the ability to hide from the system and the user. It is in the best interest of the bad guys not to be detected, and various forms of malware implement different methods of hiding. One method that is very scary is the ability to hide inside the components of the PC rather than in the operating system. This is the case with malware targeting the BIOS or, in more modern computers, the Unified Extensible Firmware Interface (UEFI). The danger is that software running in this area of the system can gain full control of any function (including all connected hardware) and bypass protections put in place by the operating system. It makes detection extremely difficult and will persist across system restores and rebuilds.
One such instance of software hiding in the BIOS/UEFI is Computrace. Computrace is not considered malware; it is anti-theft software that reports the location of a stolen computer back to a company called Absolute Software. While this sounds like a reasonable way to pinpoint where your stolen laptop might be, the Computrace software has flaws.
Kaspersky Lab researchers Vitaly Kamluk and Sergey Belov, along with Anibal Sacco of Cubica Labs, presented at Black Hat earlier this year, having discovered that the Computrace software is vulnerable to man-in-the-middle attacks. This means attackers can gain control of the Computrace software, leading to many possibilities, as the researchers point out:
"The software is extremely flexible. It’s a tiny piece of code which is a part of the BIOS. As far as it is a piece of the BIOS, it is not very easy to update the software as often. So they made it very extensible. It can do nearly anything. It can run every type of code. You can do to the system whatever you want. Considering that the software is running on these local system privileges, you have full access to the machine. You can wipe the machine, you can monitor it, you can look through the webcam, you can actually copy any files, you can start new processes. You can do absolutely anything."
Detect Computrace Using Nessus
To assist customers in assessing their risk from this vulnerability, which has not yet been patched, the Tenable research team has created a new plugin to detect Computrace running on target systems: Absolute Software Computrace LoJack for Laptops Detection (Plugin ID 40468). This plugin requires credentials for the scan targets. For more information about performing credentialed vulnerability scans, please refer to the Nessus Credential Checks for Unix and Windows document.
Nessus, Nessus Enterprise and SecurityCenter customers can use this plugin to detect the Computrace backdoor in their environments. Using our Continuous Monitoring solutions, organizations can detect threats such as backdoors that compromise system integrity on a regular basis. This particular threat is very persistent: even if disabled, a BIOS/UEFI update could easily re-introduce the problem. Furthermore, as new systems are deployed, the Computrace software must be disabled on each of them. By continuously monitoring your environment for potential threats, disasters such as data breaches and/or loss of intellectual property can be avoided.
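As an added example (not Tenable's code and not part of the plugin), the script below reads a .nessus scan export and lists every host on which plugin 40468 fired, so the result can be tracked from scan to scan after BIOS updates or new deployments. It assumes the standard NessusClientData_v2 XML layout; the scan data embedded in it is constructed, not real output.

```python
"""Flag hosts where Nessus plugin 40468 (Computrace LoJack detection) fired.
Added example, not Tenable's code. Assumes a .nessus (NessusClientData_v2) export;
the XML below is a constructed sample, not real scan output."""
import xml.etree.ElementTree as ET

COMPUTRACE_PLUGIN_ID = "40468"  # Absolute Software Computrace LoJack for Laptops Detection

# Constructed sample: two hosts, only the first has the Computrace agent.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="laptops">
  <ReportHost name="10.0.0.11">
   <HostProperties><tag name="host-fqdn">lt-011.example.internal</tag></HostProperties>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="40468"
      pluginName="Absolute Software Computrace LoJack for Laptops Detection" pluginFamily="Windows">
    <plugin_output>The Computrace agent is installed.</plugin_output>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.12">
   <HostProperties><tag name="host-fqdn">lt-012.example.internal</tag></HostProperties>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
      pluginName="Nessus Scan Information" pluginFamily="Settings"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def computrace_hosts(nessus_xml: str, plugin_id: str = COMPUTRACE_PLUGIN_ID) -> list[dict]:
    """Return one record per host on which the given plugin reported a finding."""
    root = ET.fromstring(nessus_xml)
    hits = []
    for host in root.iter("ReportHost"):
        # host-fqdn is one of the HostProperties tags Nessus records per host
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']") or ""
        for item in host.iter("ReportItem"):
            if item.get("pluginID") != plugin_id:
                continue
            hits.append({
                "host": host.get("name"),
                "fqdn": fqdn,
                "plugin": item.get("pluginName"),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return hits


if __name__ == "__main__":
    for hit in computrace_hosts(SAMPLE_NESSUS):
        print(f"{hit['host']} ({hit['fqdn']}): {hit['plugin']} -> {hit['output']}")
```

Feeding the list of flagged hosts into a ticketing or asset system after each scheduled scan gives you the continuous check the post describes, since a host that was clean and reappears on the list after a firmware update is exactly the re-introduction case to watch for.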