Tracking and Analysis of the LoJack/CompuTrace Incident

Tracking and Analysis of the LoJack/CompuTrace Incident

December 9, 2019 | Mina Hao

1. Introduction to LoJack

With a history of 20 years, Absolute Software has been a leading provider for device security, management, and tracking. Its products have set an industry standard for persistent endpoint security and data risk management for computers, laptops, tablets, and smartphones. In 2005, Absolute Software released LoJack for Loaptops, also known as Computrace. This software is used to trace stolen laptops, with features including the abilities to remotely lock, delete files from, and locate the stolen laptop on a map.

With these anti-theft features built into the BIOS of a device, this software can continuously trace the stolen computer, as long as the device is connected to the Internet. LoJack for Laptops periodically phones home to Absolute Software’s server to both announce its location and to check to see if the machine has been reported stolen.

Additionally, LoJack for Laptops provides additional services of an investigations and recovery team who partners with law enforcement agencies around the world to return stolen laptops to their owners.

Currently, LoJack for Laptops has been preinstalled in many BIOS images by most laptop vendors.

Figure 1 Vendors that trust and have preinstalled LoJack

If a device installed with LoJack is stolen, It owner can take the following measures to retrieve the device.

  1. Contact the local law enforcement to file a report about the theft.
  2. Log in with your own account to file a report about the theft to Absolute Software.

With LoJack of Absolute Software, major laptop vendors can effectively improve the recovery probability of stolen laptops and protect consumers’ rights and interests, including personal privacy, data security, and property security.

2. Application of LoJack

By preinstalling LoJack in the BIOS of laptops, Absolute Software’s partners can make sure that the devices, once stolen, can be retrieved through technical and legal means.

Dell, a Fortune 500 company headquartered in Landrock, Texas, USA, is famous for producing, designing and selling home and office computers. The following figure is an introduction to services provided by LoJack on Dell’s website.

Figure 2 Introduction to LoJack on Dell’s official website

Dell, as one of Absolute Software’s partners, will preinstall LoJack in the BIOS of its computers and package it as an anti-theft service for customers, making their products more competitive than those of competitors.

All Dell Smart Selection laptops come standard with 1-year LoJack* Antitheft protection (activation is required).

Figure 3 Default option for Computrace in the BIOS of Dell G7 7588 (deactivated)

3. Security History of LoJack

3.1 Deactivate the Rootkit in 2009

At the Black Hat Briefings conferences in 2009, Anibal Sacco and Alfredo Ortega from Core Security Technologies delivered a speech titled “Deactivate the Rootkit: Attacks on BIOS Anti-Theft Technologies”. They said that an exploitable security risk was hidden in Computrace/LoJack agent software which is built in the computer BIOS, noting that “this anti-theft agent is a high dangerous form of BIOS-enhanced rootkit that allows an attacker to bypass all chipset or installation restrictions to take full control of the devices.”

Figure 4 Deactivate the Rootkit, Black Hat 2009

Absolute Software rejected security issues involved in the research, and claimed that “installing the Computrace/LoJack module will never weaken the security of BIOS”. Later, Core Security Technologies demonstrated their researchers’ findings by publicly posting some evidence on its website, such as POCs, videos and utilities.

3.2 Absolute Backdoor Revisited in 2014

At BlackHat USA 2014, researchers Vitaliy Kamlyuk (Kaspersky Lab), Sergey Belov (Kaspersky Lab) and Anibal Sacco (Cubica Labs) demonstrated the local and remote use of CompuTrace/LoJack agent software (used for a full version installation of rootkit after activating LoJack or reinstalling Windows). Since LoJack’s dropper agent software is whitelisted by several antivirus vendors, an attacker can use these whitelist settings to initiate some local attacks, such as downloading and installing software from different servers.

Figure 5 LoJack persistence mechanism (Absolute Backdoor Revisited, BlackHat 2014)

Figure 6 Remote code execution example (Absolute Backdoor Revisited, BlackHat 2014)

3.3 LoJax Rootkit in 2018

In May 2018, an Arbor Networks blog post described several trojanized samples of the rpcnetp.exe agent of Absolute Software’s LoJack. These malicious samples communicated with a malicious C&C server instead of the legitimate Absolute Software server, because their hardcoded settings had been altered. Furthermore, as this series of malicious software used the LoJack agent during delivery, we dubbed it LoJax.

Figure 7 Rpcnetp.exe trojan sample revealed by Arbor Networks

On September 27, 2018, ESET found a rootkit called LoJax in the wild, which infected the vulnerable LoJack configuration. Our homology analysis shows that LoJax is related to Sednit APT, because the C&C server for malicious samples of LoJax is the same as that used by the Sednit APT organization for SedUploader.

Figure 8 ESET finding that LoJax exploits LoJack configurations

3.4 Summary

Such research findings reveal that LoJack-targeted attacks are all practices based on security issues revealed by Anibal Sacco and Alfredo Ortega from Core Security Technologies in 2009.

Almost all attacks are launched by reference to the speech delivered by Vitaliy Kamlyuk (Kaspersky Lab), Sergey Belov (Kaspersky Lab) and Anibal Sacco (Cubica Labs) in 2014.

LoJax, discovered in 2018, is an example of putting the research theory into practice.

4. Security Tips and Solutions

Users are advised to check their own computers for this software and handle it as required by their own business requirements. Following are our recommendations on handling this threat.

  1. Access the BIOS in your computer, check the status of the CompuTrace module interface in the “Security” option. Generally, this interface can be in any of the following states:
  • Deactive: indicates that the CompuTrace module interface is available but not activated. This is the default state for many vendors.
  • Disable: indicates that the CompuTrace module interface is disabled.
  • Active: indicates that the CompuTrace module interface is available and activated.

Currently, the status setting for this interface can be changed only once, and therefore the configuration, once changed, cannot be changed again.

Users are advised to set the status for the CompuTrace module to “Disable” to permanently disable it. If the status is “Active” and cannot be changed, users should contact the vendors to replace the motherboard.

  1. Open the registry editor and locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. Back up the BootExecute key value (autocheck autochk * by default) before deleting it to stop this program from being launched upon system startup.
  2. If the rpcnet.exe, rpcnetp.exe, rpcnet.dll, and rpcnetp.dll files exist in the System32 directory in the Windows system, terminate the related processes and delete these files. Remember not to restart the system at this time.
  3. Create the above four files with empty contents in the System32 directory. Perform the following steps for each file: Right-click the file and select Properties to open the Properties page. Then click the Security tab and set Permissions for each user or group (including SYSTEM) to Deny Full control.
  4. If you want to retain factory BIOS settings and related Windows files and configurations, you need to edit the “hosts” file in the C:\Windows\System32\drivers\etc directory to deny access from certain domain names by adding the following information and saving it:
  1. 0. 0. 1 search. namequery. com
  2. 0. 0. 1 search. namequery. com
  3. 0. 0. 1 search2. namequery. com
  4. 0. 0. 1 search64. namequery. com
  5. 0. 0. 1 search. us. namequery. com
  6. 0. 0. 1 bh. namequery. com
  7. 0. 0. 1 namequery. nettrace. co. za
  8. 0. 0. 1 m229. absolute. com

At the same time, configure the firewall to block access from rpcnet.exe and rpcnetp.exe.

5. Reference

https://en. wikipedia. org/wiki/LoJack_for_Laptops

https://securelist. com/absolute-computrace-revisited/58278/

https://www. blackhat. com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER. pdf

https://www. blackhat. com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP. pdf

https://www. blackhat. com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited. pdf

https://www. coresecurity. com/system/files/publications/2016/05/Slides-Deactivate-the-Rootkit-ASacco-AOrtega. pdf

https://www. coresecurity. com/corelabs-research/publications/deactivate-rootkit

https://www. welivesecurity. com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

https://www. welivesecurity. com/wp-content/uploads/2018/09/ESET-LoJax. pdf

https://www. netscout. com/blog/asert/lojack-becomes-double-agent

https://www. dell. com/content/topics/segtopic. aspx/lojack