Hacker News new | past | comments | ask | show | jobs | submit login
Rootkit on a Brand new Toshiba laptop (jitbit.com)
188 points by jitbit on Apr 30, 2011 | hide | past | web | favorite | 52 comments

In a defense of Absolute software - I met with them few years ago and they are a fairly large and very technical company, not a bunch of hacks. Their CTO is a guy who wrote QEMM [1] back in 80-90s. Younglings may not know what this is, but it was one of the most impressive and useful bits of software to ever hit MS-DOS.

With regards to the CompuTrace - it is their primary product and it has been in the development for quite a while. From what I remember they have went to great pains to standardize the placement of the tracing software on bootable disks, i.e. create an open standard through RFC process with disk/OS vendors and what not. As I said they are not some random hacks, and they fully understand the importance of being open and transparent.

In other words, if you want to point a finger here, point it at Toshiba that failed to disclose the placement of ComputTrace on their laptops. Also understand that the software is designed to be hard to detect as its primary usage is tracking, recovery and remote wipe of stolen laptops, hence it being very similar to a rootkit.

[1] http://en.wikipedia.org/wiki/QEMM

I think the point here is that the computer was recording and transmitting information about him and his wife without either of their knowledge or consent. If he had wanted LoJack for his laptop, he could have signed up for one of the services that offers it. Once again, hardware manufacturers seem to think they still own the device once you've bought it.

To be fair to Absolute and Toshiba, there are advantages to this sort of tracking/anti-theft software being integrated by the manufacturer. Building it into the BIOS, though scary and rootkit-like, gives the software persistence across re-installs of Windows, a feature I doubt the standalone competitors boast. If I was a laptop thief, the first thing I'd do would be to image then wipe the drive.

But yes, consent is a must. Absolute and Toshiba should have avoided this issue by adding a clear, detailed notice/consent screen on the first boot.

It's not even consent. Toshiba should be listing this "feature" as a security feature, letting potential buyers know that there is non-removable software that allows this laptop to be tracked in event of theft. Marketing this has the potential to turn it around from "Toshiba plants rootkits" to "Toshiba has some of the best anti-theft protection"

I don't see this listed in the official specifications, so if it were me that found it, on a laptop that doesn't say it has it, I would also agree that this is malware.


Sorry, but I want to be able to run the CHKDSK tool. No matter how "technical" the company is and how respectful is their CTO.

Their software kills the standard "autochk.exe" file, making it impossible to fix basic disk errors.

My black-hat days are behind me, but isn't it SOP to copy a version of the uncorrupted file under another name, and run it when you're done with your cruftiness? Or incorporate the old code into the .exe along with your insertion?

Nope, because Windows auto-starts the file named "autochk.exe"

right -- so a proper black hat would make autochk.exe do its bad stuff and then go ahead and do a proper checkdisk, so the user doesn't notice anything amiss.

Oh, you mean - the Absolute Software guys should have done that? Yes, totally, I'm with you! I thought you were suggesting a solution for me - a laptop user who's not able to run checkdisk.

How has Absolute ensured that other malware authors won't be able to piggyback off their system?

Can my malware add a hosts file entry and cause this data to be sent to my servers instead? Could I replace the Absolute software with a botnet node and still use their nigh-irremovable persistence mechanism?

Selling laptops with a pre-installed surveillance framework, however well you meant, is not acceptable. Your software's security is likely no stronger than that of the software you exploit.

Should non-technical buyers of electronic devices simply expect to be subject to malicious behavior?

This is an especially important point and should be at the top of this page. Makes me miss the karma indicators...

The problem with arbitrary surveillance isn't just that it's icky, unfair and (hopefully) illegal. It's that it is easily used by criminals.

This is fucking outrageous. Imagine what would have ensued if new cars were equipped with concealed GPS tracker, which sends location info to some unknown place, along with pictures taken by hidden camera, without any clue given to owners.

I do not give a shit if it actually helps one to recover a stolen laptop, when I am not even told about this, let alone given the possibility to opt out.

I think you haven't heard of OnStar, have you?

But it's pretty obvious that your car is equipped with OnStar. Plus, you have to pay for that service.

I actually haven't, but it is not available here where I live.

The funny thing is that if I point a video camera at a police officer in a public space, I'll get charged with 'illegal wiretapping,' but if Toshiba implants a spying device without user knowledge/consent will they get charged with illegal wiretapping? Doubtful. Even though they are 'spying' on customers behind their backs, it will get less punishment than openly filming a police officer in a public space.

You're a private person, Toshiba is a multinational corporation.

Diffusion of responsibility at its finest. As a private individual, I get crushed under the wheels of the system, while Toshiba gets to ride in the backseat.

I don't think arguments containing implicit assumptions of the form, "if I did X, Y would happen," lead to insight.

Arguments by symmetry are incredibly powerful and useful. Why do you think they don't get to the heart of things? (Granted, X must be chosen so that it is a fair comparison, but when it's not, that choice is what should be attacked, not the structure of the argument.)

What's an argument by symmetry?

This, "if I X, then Y would happen," setup is dependent upon accepting various preconditions, which go conveniently unmentioned.

An argument by symmetry is that something shouldn't change when some irrelevant bit is changed -- such as the identity of the actors. Yes, the preconditions for using "If I X then Y" when trying to argue that "when someone else X', then Y' " is wrong are that X' is relevantly similar enough to X, and Y' is distinctly different than Y.

Previous discussion (including a few Blackhat links, though I haven't looked at those).


That page has been removed from Absolute's website; cache here: http://webcache.googleusercontent.com/search?q=cache:vb0e0b5...

edit: Or Absolute updated their site map; list here: http://www.absolute.com/en/partners/bios-compatibility.aspx

It is possible, though not the easiest thing in the world, to rebuild your bios while removing the lojack option rom.


This article gives an overview, there may be better sources or you could refer to forums people use for bios modification of SLIC tables to get a better introduction to the tools.

An incentive to support coreboot/openbios?

The Toshiba Satellite sitting beside me is running slackware like a champ. Problem solved ;-)

The T135 is a pretty old laptop which explains why it was present after vendors stopped using it - I bought one around January or February last year, it doesn't seem to have the rootkit but it's a Latin American model which might have been exempt.

The fault lies with Toshiba. I have a Dell Studio laptop and CompuTrace is an option in the BIOS - once enabled, it can't be disabled (I haven't actually tried wiping the EEPROM) but it's an option nonetheless.

This reflects badly on CompuTrace and they could certainly have taken steps to ensure that Toshiba's use of their tools didn't affect their business prospects. That they have a "Hey, do what you want with it. We don't care." approach to sales makes me wonder who else is buying from them. As above it appears IBM is on the list as well (unverified).

i understand the frustration, but how else would a laptop tracking software work if not by connecting to the web and listening for commands, etc? It seems that this app is created by: http://www.absolute.com/en-GB/

For a start, user could be notified that he can install that system, instead of getting a laptop with such software preinstalled. I don't really see a reason to have this installed when users are not aware of it. How many people go to the producer after their laptop is stolen and ask "Have you by any chance installed some laptop tracking software on my laptop by default? I cannot identify my laptop anymore in any meaningful way - it's one of toshiba ones." ?

If the user isn't aware of it, it's useless. If the user didn't agree to the way it's done, it's pretty much an illegal spying device.

Yeah, correct. But what if some Absolute's employee turns out to be dishonest? A non-removable process, not detected by most antiviruses, that listens to the commands from the Net... Seems like a botnet to me.

When we asked this question in the context of the laptops at the big enterprise that I worked for, the response from Absolute was "most of our employees are ex-cops, so that isn't a problem".

Wow. Even setting aside the question of whether all cops are trustworthy, one does wonder why they are "ex" cops.

Why should something like that be present/active without the owner's knowledge and consent?

It's not the sort of thing I'd allow to run on my machine.

Found Computrace in my ThinkPad X201's BIOS. However, there's an option to permanently disable it.

Blogpost says it actually isn't a "brand new" laptop and Toshiba has since removed the crapware.

Where does it say that?

By the way, I purchased a Toshiba T135 last year from Amazon and updated the BIOS several times. I can't find any trace of the CompuTrace backdoor, but I must say that my trust in Toshiba, DELL, and other laptop manufacturers has been severely shaken. This is infuriating.

Picking nits here, but this is a trojan (if that, really), not a rootkit, no?

I think this adds to the advantages of using linux and scrapping windows,after all with the security features of linux nothing like this would have happened.


448675 2011-05-01 Dell.Service.Tag.Editor.iso.rar initial scan seems ok on opensuse LINUX. http://www.coreboot.org/SeaBIOS

backup BIOS first

call warantee service. IE is frozen with 100% cpu. install anti-virus?? then get rid of the compu ERASE or lojack problem - then, go to warantteee.

do it at the beginning before your important pictures are on the computer and been sent to outsource india for compu ERASE

How do I check this on my laptop?

Check your process list for 'rcpnetp.exe'. Just checked my six month old Toshiba Satellite Pro C650, happily it was clean.

I see related Google results for 'rpcnet.exe'. Not sure if they are related yet (spelling error?).

Also, I wonder how quickly they could rename the executable to deter removal, given the nature of their 'Persistence Module' and antivirus industry cooperation.

rpcnet.exe seems to be essentially same thing as rpcnetp.exe, only without the BIOS persistence hack.

Isn't this "unauthorized access to computer systems[1]"?

When buying a laptop on Amazon, is there some sort of agreement/contract between the buyer and the "security" firm where one signs his privacy away?

Especially the screenshot taking would be a concern to me. What if you were working on secret company files while screens are being taken?

[1] http://www.ncsl.org/default.aspx?tabid=13494

I'm sure they've got it in the fine print somewhere. The (commercial) tracking software almost certainly has an EULA, which I'm sure buyers are required to agree to.

You can ask Absolute to remove it: http://www.ehow.com/how_7683954_disable-computrace-laptop-bi...

So, aside from not being informed about it, this isn't a big deal.

Personally, I wouldn't trust them to not break things myself. I know they may not be "amateurs" at low level things like they do to make this happen, but I still wouldn't trust it. This is why my suggestion would be to use some kind of disk/filesystem encryption. TrueCrypt should be able to defeat them putting it back on and allow you to restore (from a clean copy) the original files and get your CHKDSK back.

On another note, I don't think I'd have ever noticed this myself, every laptop I've had I end up installing Linux on because of all the crapware that gets included with the OS in the first place.

Wait, just by providing the SN of a device you can get them to modify the BIOS? (assuming that is how they would get rid of this BIOS-executed payload)

I wonder what else you can social engineer out of them with just SN. . .

How would you react if you find the builder of your home has installed hidden cameras in every single room? If you somehow find about it and call him he'll turn them off. No big deal, right? If you're a proper person you have nothing to hide anyway ...

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact