Comments on: The BIOS-Embedded Anti-Theft Persistent Agent that Couldn’t: Handling the Ostrich Defense http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/ Penetration testing and other topics from the world of IT security. Tue, 23 Feb 2010 08:00:40 +0000 http://wordpress.org/?v=2.8.5 hourly 1 By: ivan arce http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/comment-page-1/#comment-431 ivan arce Wed, 19 Aug 2009 00:13:20 +0000 http://blog.coresecurity.com/?p=5201#comment-431 Mary, Is there anything in particular that makes you think the issues you experienced are related specifically to the computrace agent? Note that the code that was found in BIOS by Anibal and Alfredo only supported dropping a "phone home" executable on Windows operating systems and you mentioned un-removable files on Linux so you may have a different form of malware on your systems. Python is an interpreted programming language, Python programs require the runtime execution engine to installed on the system, so there are many tools or programs that may use it and be responsible for its presence on your systems. The tool to dump the BIOS and detect the computrace agent was written in Python, but not the agent itself. The agent is jsut a windows executable that runs as a service. A simple way of checking if you have the Computrace agent running on your system is to look for a Windows service running with the name "Remote Procedure Call Net" Mary,
Is there anything in particular that makes you think the issues you experienced are related specifically to the computrace agent? Note that the code that was found in BIOS by Anibal and Alfredo only supported dropping a “phone home” executable on Windows operating systems and you mentioned un-removable files on Linux so you may have a different form of malware on your systems.
Python is an interpreted programming language, Python programs require the runtime execution engine to installed on the system, so there are many tools or programs that may use it and be responsible for its presence on your systems.
The tool to dump the BIOS and detect the computrace agent was written in Python, but not the agent itself. The agent is jsut a windows executable that runs as a service.
A simple way of checking if you have the Computrace agent running on your system is to look for a Windows service running with the name “Remote Procedure Call Net”

]]> By: Mary Anderson http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/comment-page-1/#comment-421 Mary Anderson Mon, 17 Aug 2009 22:52:11 +0000 http://blog.coresecurity.com/?p=5201#comment-421 I am an IT mgr at a school. I own 3 laptops and 3 pcs at home and he been in support/it since the mid-80's. (1986+). I believe I have this issue on my laptop. I have files -- persistent -- cannot be removed in linux , windows, or a kill disk. I have had equipment turn on -- run something -- and then shut down incorrectly (while it was off and I was sleeping). It escaped all antivirus applications (Norton, mcafee, AVG, Trend and Kapersky). I believe I now have it embedded at the school -- but just have picecs of evidence. I have an open ticket with Trend and Microsoft and now people are now thinking that this is plausible. I need some help -- and am willing to work with someone (share the info)....... I have the computrace on my laptop -- my families bioses were flashed (I have evidence of python22 on a laptop where it was not installed.....Any help would be appreciated. I have been personally hit ....and trying to prove that it exists at work. I am an IT mgr at a school. I own 3 laptops and 3 pcs at home and he been in support/it since the mid-80’s. (1986+). I believe I have this issue on my laptop. I have files — persistent — cannot be removed in linux , windows, or a kill disk. I have had equipment turn on — run something — and then shut down incorrectly (while it was off and I was sleeping).

It escaped all antivirus applications (Norton, mcafee, AVG, Trend and Kapersky). I believe I now have it embedded at the school — but just have picecs of evidence. I have an open ticket with Trend and Microsoft and now people are now thinking that this is plausible. I need some help — and am willing to work with someone (share the info)…….

I have the computrace on my laptop — my families bioses were flashed (I have evidence of python22 on a laptop where it was not installed…..Any help would be appreciated.

I have been personally hit ….and trying to prove that it exists at work.

]]> By: ivan arce http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/comment-page-1/#comment-401 ivan arce Fri, 14 Aug 2009 16:22:46 +0000 http://blog.coresecurity.com/?p=5201#comment-401 Steven, The list of laptops that may ship with the rootkit is provided by the vendor <a href="http://www.absolute.com/partners/bios-compatibility" rel="nofollow">here</a> but will be better of asking before you buy. Interestingly enough, Sony does not seem to include the rootkit in their computers and they are no strangers to the perils of shipping rootkits to their customers Steven,

The list of laptops that may ship with the rootkit is provided by the vendor
here but will be better of asking before you buy.
Interestingly enough, Sony does not seem to include the rootkit in their computers and they are no strangers to the perils of shipping rootkits to their customers

]]> By: Steven H http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/comment-page-1/#comment-371 Steven H Wed, 12 Aug 2009 21:32:13 +0000 http://blog.coresecurity.com/?p=5201#comment-371 Do you know of a PC manufacturer that does not put this crap on the computer? I think I will buy a Mac instead. Do you know of a PC manufacturer that does not put this crap on the computer? I think I will buy a Mac instead.

]]> By: golem http://blog.coresecurity.com/2009/08/11/the-bios-embedded-anti-theft-persistant-agent-that-couldnt-response-handling-the-ostrich-defense/comment-page-1/#comment-351 golem Wed, 12 Aug 2009 15:45:52 +0000 http://blog.coresecurity.com/?p=5201#comment-351 Ivan: We've been looking at this for a while now. I find that such folks are best served boiled in their own snake oil. /golem Ivan:

We’ve been looking at this for a while now. I find that such folks are best served boiled in their own snake oil.

/golem

]]>