Detecting Hidden Backdoors in Your BIOS With Nessus
The Hidden Threat
One of the inherent qualities of malware is the ability to hide from the system and the user. It is in the best interest of the bad guys to not be detected, and various forms of malware implement different methods of hiding. However, one method that is very scary is the ability to hide inside the components of the PC, rather than in the operating system. This is the case with malware targeting the BIOS or the unified extensible firmware interface (UEFI) in more modern computers. The dangers is that software running in this area of the system can gain full control of any functions (such as all connected hardware) and bypass protections put in place by the operating system. It makes detection extremely difficult and will persist across system restores and rebuilds.
One such instance of software hiding in the BIOS/UEFI is Computrace. While Computrace is not considered malware, but anti-theft software that reports back the location of a stolen computer to a company called Absolute Software. While this sounds like a reasonable way to pinpoint where your stolen laptop might be, the Computrace software has flaws.
Kaspersky Lab researchers Vitaly Kamluk and Sergey Belov along with Anibal Sacco of Cubica Labs earlier presented at Blackhat this year and discovered the Computrace software to be vulnerable to man-in-the-middle attacks. This means attackers can gain control of the Computrace software, leading to many possibilities as the researchers point out:
"The software is extremely flexible. It’s a tiny piece of code which is a part of the BIOS. As far as it is a piece of the BIOS, it is not very easy to update the software as often. So they made it very extensible. It can do nearly anything. It can run every type of code. You can do to the system whatever you want. Considering that the software is running on these local system privileges, you have full access to the machine. You can wipe the machine, you can monitor it, you can look through the webcam, you can actually copy any files, you can start new processes. You can do absolutely anything."
Source: Millions of PCs Affected By Mysterious Computrace Backdoor
Detect Computrace Using Nessus
To assist customers in assessing their risk to this vulnerability, which has not yet been patched, the Tenable research team has created a new plugin to detect Computrace running on target systems: Absolute Software Computrace LoJack for Laptops Detection (Plugin ID 40468) The above plugin will require credentials to the scan targets. For more information about performing credentialed vulnerability scans, please refer to the Nessus Credential Checks for Unix and Windows document.
Conclusion
Nessus, Nessus Enterprise and SecurityCenter customers can use this plugin to detect the Computrace backdoor in their environments. Using our Continuous Monitoring solutions organizations can detect threats, such as backdoors which compromise system integrity, on a regular basis. This particular threat is very persistent: even if disabled, a BIOS/UEFI update could easily re-introduce the problem. Furthermore, as new systems are deployed the Computrace software must be disabled. By continuously monitoring your environment for potential threats disasters, such as data breaches and/or loss of intellectual property, can be avoided.
Related Articles
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: New Guide Details How To Use AI Securely, as CERT Honcho Tells CISOs To Sharpen AI Security Skills Pronto
January 26, 2024Cyber agencies from multiple countries published a joint guide on using artificial intelligence safely. Meanwhile, CERT’s director says AI is the top skill for CISOs to have in 2024. Plus, the UK’s NCSC forecasts how AI will supercharge cyberattacks. And a global survey shows cyber pros weighing pros and cons of AI. And much more!
Cybersecurity Snapshot: Are SBOMs on Your Supply Chain Security Radar Screen? Check Out New Recommendations from CISA and NSA
November 17, 2023The SBOM concept is still half-baked, but CISA and NSA want to help change that with new best practices for software vendors, developers and buyers. Plus, there’s new guidance about the Royal ransomware gang – as ransomware attacks grow. In addition, Google highlights a new typosquatting trend impacting cloud storage. And much more!
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Malware
- Nessus
- Plugins