Without this extensibility the Agent would be larger and require frequent updates to add or change functionality. Having read that, it becomes clear that we should not expect to find any classic implementation of an update mechanism. Basically, this is the core mechanism of running arbitrary code on the remote computer, sufficient to accomplish a download task.
The server replies with a special HTTP header, Tag Id, that is used until the end of the conversation with the agent. HTTP is used in a very simple mode, just as a carrier for the agent packets.
While we see that the agent initiates an HTTP session and sends the first HTTP request to the server, the direction of the real communication is the opposite. The server responses are treated as requests to the client, and the client responds to these requests in the data appended to the following HTTP POST request.
This byte (0x7E) is used as a packet border indicator, the packet separator. The following 4-byte field contains the address of memory to work with. If the packet is of read type, the Small Agent reads memory starting from this address; the number of bytes to read is specified in the following 2-byte Size field. Each packet is appended with 3 special bytes: 1 byte for the Seq value and 2 bytes for the Cksum.
Seq is an 8-bit value used as a sequence number that is incremented by server and client according to their sequence algorithm. Cksum is a 2-byte value holding a short custom hash of all the fields after the packet separator and before the Cksum itself. If the Seq or Cksum values are not what the Small Agent expects, the current request is discarded and the last response is used instead.
The first packet from the server is special and is used for a basic handshake with the client. It looks like this:
The value of the Session ID must be used by the client in all responses to the server. The client response has a fixed format:
As with the server packets, the response packet must always start and end with a packet separator.
The first 4 bytes after that are set to the fixed Session ID value defined by the server in the Handshake Packet. Next, a 2-byte field gives the size of the Response Data that follows it. After that, the Seq and Cksum fields are used as in the server packets. An additional byte-modification rule, escaping, applies if any of the fields between the packet separators contain a byte with hex code 0x7E, which matches the packet separator.
In this case the 0x7E byte is transformed into the two-byte sequence 0x7D 0x5E, which increases the packet size and affects the checksum. However, interpretation of the packet and calculation of the checksum is only performed after unescaping the packet. If a 0x7D byte is present in the packet before escaping, it must also be escaped: 0x7D is replaced with the sequence 0x7D 0x5D.
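The framing and escaping rules above, as an added example that is not code from the article or from Absolute Software: an encoder and decoder for the client response packet, usable to parse captured agent traffic for inspection. The page does not give the byte order of the integer fields or the custom checksum algorithm, so big-endian fields and a byte-sum stand-in for the hash are assumptions.

```python
# Added example, not code from the article or Absolute Software: a decoder for the
# Small Agent client-response frame described above, for inspecting captured traffic.
# Assumed (not on the page): big-endian fields and a stand-in checksum for the undocumented hash.
import struct

SEP, ESC = 0x7E, 0x7D  # packet separator and escape byte (from the article)

def unescape(body: bytes) -> bytes:
    """Undo byte stuffing (7D 5E -> 7E, 7D 5D -> 7D); reject malformed input."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == SEP:
            raise ValueError("bare separator inside frame")
        if body[i] == ESC:
            if i + 1 == len(body) or body[i + 1] not in (0x5E, 0x5D):
                raise ValueError("bad escape sequence")
            out.append(body[i + 1] ^ 0x20)  # 5E^20 = 7E, 5D^20 = 7D
            i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)

def escape(raw: bytes) -> bytes:
    """Byte-stuff a body; 7D goes first so the 7D bytes we insert stay literal."""
    return raw.replace(b"\x7d", b"\x7d\x5d").replace(b"\x7e", b"\x7d\x5e")

def cksum(covered: bytes) -> int:
    """PLACEHOLDER for the undocumented custom hash: 16-bit byte sum."""
    return sum(covered) & 0xFFFF

def encode_response(session_id: int, seq: int, data: bytes) -> bytes:
    """SEP | session_id(4) | size(2) | data | seq(1) | cksum(2) | SEP, escaped last."""
    body = struct.pack(">IH", session_id, len(data)) + data + bytes([seq])
    body += struct.pack(">H", cksum(body))  # cksum covers everything before itself
    return bytes([SEP]) + escape(body) + bytes([SEP])

def decode_response(frame: bytes) -> dict:
    """Parse a client response; fields are interpreted only after unescaping."""
    if len(frame) < 2 or frame[0] != SEP or frame[-1] != SEP:
        raise ValueError("frame must start and end with the separator")
    raw = unescape(frame[1:-1])
    if len(raw) < 9:
        raise ValueError("frame too short for fixed fields")
    session_id, size = struct.unpack(">IH", raw[:6])
    if len(raw) != 6 + size + 3:
        raise ValueError("size field disagrees with frame length")
    if cksum(raw[:-2]) != struct.unpack(">H", raw[-2:])[0]:
        raise ValueError("checksum mismatch")
    return {"session_id": session_id, "seq": raw[6 + size], "data": raw[6:6 + size]}
```

Encoding a constructed payload containing both 0x7E and 0x7D shows the wire frame growing by two bytes while the Size field and checksum still describe the unescaped bytes.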
This completes the protocol as far as we have observed it. The protocol provides two basic primitives: reading memory from a given address and writing data to it. In addition, the Handshake Packet provides the base address of the Session object in the memory of the Small Agent. This alone might be sufficient to execute arbitrary code. However, on systems with DEP and ASLR enabled, some extra steps can significantly ease the process of running code and make it smoother and more stable.
That is why there is extra processing implemented in the Small Agent. Upon receiving and writing data to a defined memory location, it checks a special field in the Session object which defines a built-in basic command to execute. The following commands are implemented in the module we analyzed:
This adds extra flexibility and allows an engineer to precisely allocate memory, transfer data into it and execute any extra code if required. The protocol used by the Small Agent thus provides the basic capability of remote code execution. Although encryption seems to be added to the protocol at some later stage of communication, an attacker may use the basic unencrypted protocol to hijack the system remotely.
We believe there are more ways to accomplish such attacks, though this is beyond the scope of the current research. When we first found and analyzed Computrace we mistakenly thought it was malicious software, because it used so many of the tricks that are popular in current malware.
It has specific anti-debugging and anti-reverse-engineering techniques, injects into the memory of other processes, establishes secret communication, and patches system files on disk (autochk). Such aggressive behavior by the Computrace Agent was the reason it was detected as malware in the past. Here is how Microsoft describes this generic threat name:
Nevertheless, detection of Computrace modules was later removed by Microsoft and some AV vendors.
Computrace executables are currently allowlisted by most AV companies. We believe that Computrace was designed with good intentions, but our research shows that vulnerabilities in this software can turn a useful tool into a powerful weapon for cybercriminals.
We believe that such a powerful tool needs to have powerful authentication and encryption mechanisms to continue fighting the good fight. Although there was no evidence of intentional secret activation of Computrace modules on the computers we analyzed, we believe that the number of computers with Computrace activated may be surprisingly high.
Otherwise, these orphaned agents will keep on running unnoticed and provide opportunities for remote exploitation.
I have purchased 4 new laptops over the past 5 months. All of them had Absolute software running and active on them. The computers were basically crippled by this software. Millions of events were written into the registry, and there were numerous queries, as well as programs connecting constantly to the Internet.
I returned all of these laptops and I am searching for a laptop that does not have Absolute software installed on it. If one reads the patent information on this company it is easy to believe that the company is funded by the NSA. This software is also now on many popular smartphones, including the Galaxy S5. Windows Update and TiWorker tend to create massive slowdowns on Windows 8 once they both try to fight for disk access.
I got a person who is stuck with an Absolute Software-locked EE phone; the only good thing for EE is that it makes the phone worthless. I am sure there are BIOS chip makers that do not install this into the chip. No, we are not 40-year-old virgins. Thank you so much for this article. Though I do not understand half of the technical details, it gives me a better understanding of what I am faced with on my Lenovo X61s with activated Computrace, though Absolute Software denies having my serial number in their database.
Like your other user, I am dropping Windows and turning it into a Linux box. Bliss! Cheers! My LH Lifebook is Computrace enabled. I see the process, the files, the traffic. Nowhere in the BIOS setup screens is there any reference to it. No wonder it was so cheap at Fry's. i5 processor, fine display but crappy sound. However, I have never enabled it in the first place.
Computrace LoJack bricked my brand new Dell XPS 13 three weeks after I bought it, and the next day a blackout bricked my Asus, which I bought in May. The next day I found Windows software running a brick on my Acer, which my father bought me four years ago, and later the same day Computrace LoJack bricked it. I really worry about the cyber criminals warning, about a Computrace LoJack hijack on a larger scale, given that Computrace bricked all four of my laptops. First Computrace bricked my Dell XPS 13, and the next day my Asus, which I bought in May, was bricked by a blackout and I sent it to warranty service.
And they did not accept the serial number; maybe the Asus was reported stolen. Later I bought a cheap Asus, which Computrace bricked after three weeks, and another Asus on which I first found Windows software running bricks, and later the same day Computrace LoJack bricked it. I was really worried about the potential of this weapon, and I suspect they are training on a smaller scale for a coming cyber attack on a larger scale. Computrace LoJack can in theory brick all computers worldwide, Android and Windows phones, in a few minutes, as easily as it is for a normal person to buy a pizza.
I wonder, if LoJack hijacks an Apple laptop, whether the Apple laptop blocks reinstallation of the operating system. The secrecy around it and the apparent black arts deployed suggest that the equipment manufacturers have a vested interest in NOT making it a big issue that people will rise up against… Multiple Linux distributions have been installed on that laptop during that period; none showed any trace of Computrace.
My laptop was purchased in If rpcnetp. If I am negligent one day, and Rpcnetp.
I have seen other posts about this problem, but can't seem to find my solution among them. I tried to boot from a Windows XP CD, but when I choose the repair Windows option, it asks me for the administrator password. I never set a password for this computer, and in the setup utility, it says "clear" for supervisor password. There isn't one. I am running a Toshiba laptop, which has worked beautifully since I can't replace the autochk.
I have only one partition (NTFS), so the partitioning responses don't help me any. For those who see the message above on the blue screen but whose computer continues through the bootup process, I am glad for you, but mine does not. It just cycles back and forth, as I stated above. I talked with Toshiba, who told me that without a recovery CD I could do nothing. If that is the case, I'll have to buy another one, as I simply cannot find mine. Please tell me there's another way to fix this!
I am typing this message on my desktop computer. I need to get onto my laptop! Shelley Saunders.
Data recovery: Try this. Go to Synmatec.
Solved it successfully yesterday on Windows XP. I believe it would help your laptop boot into Win XP.
I solved this autochk problem today.
Wow, what a mess.
However, a long delay means that the computer does not start until the time elapses or until you press a key to cancel autochk.