
Bios-based spyware?


7 replies to this topic

#1 g1a1m1e1s1

Posted 22 October 2012 - 06:41 AM

Hi!

I guess I'm infected with some sort of BIOS-based spyware, more precisely a backdoor called LoJack, produced by Absolute Software.
I bought the netbook new from a shop and did a BIOS upgrade. Now I can see LoJack activated, namely that the files rpcnetp.exe, rpcnet.exe and so on run as services (and phone back home).
As far as I can understand, this is actually a backdoor. If someone at Absolute (or someone with the appropriate key) wanted to, he or she could upload to my machine and activate any spyware tool available.
Is there a way to remove this backdoor from the BIOS and the OS?

Thank you!

OS: Windows server 2008 r2
Computer: Acer AO756-877


#2 jburd1800

Posted 22 October 2012 - 08:43 AM

You might take a look at this for uninstalling: http://www.ehow.com/how_7612898_remove-lojack-bios.html I know nothing about this software, but it looks like you must register to activate it.

“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently through the world and know its beauty all the days of your life.”


#3 rotor123 (Moderator)

Posted 22 October 2012 - 09:17 AM

Hi. It isn't an infection, nor is it spyware. It is a value-added feature put into your model by the manufacturer.

LoJack for Laptops is recovery software in case the laptop is stolen. If you activate and pay for the service it can help get your laptop back. I do not consider it spyware any more than I would consider LoJack in a car malicious. They both serve the same purpose, recovery after a theft.

More information http://www.absolute.com/lojackforlaptops/

We Get Stolen Laptops Back

Every 50 seconds a laptop goes missing. Every day hundreds know the panic laptop theft brings. Only LoJack for Laptops has a dedicated Theft Recovery Team that works to find and recover your stolen laptop, while giving you tools to remotely protect your private and sensitive data.


Hope this helps
Roger

Edited by rotor123, 22 October 2012 - 09:19 AM.

Fortune Cookie says: Fortune not Found: Abort, Retry, Ignore?

Sent from my All-In-One Desktop. Perfect for Internet, Not for heavy usage or gaming however.

How Does a computer get Infected? http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
Forum Rules,    The BC Welcome Guide

167 @ June 2015


#4 g1a1m1e1s1 (Topic Starter)

Posted 22 October 2012 - 10:33 AM

Dear Roger, you must be kidding.

1. "isn't an infection nor is it spyware." As far as I know rpcnetp.exe is just the backdoor module for both Absolute Manage and LoJack. See here what Absolute Manage can do: http://en.wikipedia.org/wiki/Absolute_Manage . Call me an idiot, but I can't call this anything other than spyware.


2. "It is a value added feature put into your model by the manufacturer." here you're right. If you subscribe for Absolute Manage and lend your laptop to someone (see the Wikipedia link above).

3. "Lojack for laptops is a recovery software in case the laptop is stolen." My netbook costs about EUR 250 new. If I pay about EUR 100 for a 2-year LoJack subscription, its residual value becomes EUR 150.
Should I want to sell it, I'd probably get EUR 170, if I'm lucky. Minus the EUR 100 for LoJack, I end up with EUR 70, which is pocket money.
Protecting such a low-value machine with LoJack makes no economic sense. Encrypting your data does, and can be done using free software, but that is another story.

Edited by g1a1m1e1s1, 22 October 2012 - 10:34 AM.


#5 rotor123 (Moderator)

Posted 22 October 2012 - 10:56 AM

I wasn't trying to imply that in your case it made a lot of sense to pay for it. However, keeping in mind that many are using netbooks as a lightweight, inexpensive business model, recovery or the remote wipe of data could be useful. If the remote wipe feature can save your business from expensive fines for lost data it would be worth it. Imagine it had medical information about patients (HIPAA in the USA). Yes, it should have been encrypted too.

I suppose it is a matter of terminology. However when it is installed by the maker on purpose can it really be an infection? I just can't see a legitimate business spying on their customers. The logistics would be terrible and to what end?

However since you have researched and decided you do not want it then removal makes sense. In the laptops I've seen with Lojack it was enabled and disabled in the BIOS settings.

If I used my laptops where I worried about losing them to a thief then I'd want Lojack on them. Since I do not do anything on the laptop that I would not do in front of family I do not worry about that. Some might say I lead a dull life. I have settings in the browser to wipe history when I shut the browser down since I do Bill paying and online banking on one laptop. However that one I am the only user. No email, no browsing the Internet, No Google. I do my bill paying and online banking, shop at Amazon, Newegg, TigerDirect, Income Tax, and a clothing site and that is it. Even then I also run a good Antivirus.

I'm frugal but I decided that using one computer for everything was not a good security move for my finances. So, 1 laptop @$329 for banking, One for browsing the Internet and a Nice desktop for working with Video.

Anyway good Luck removing it.
Roger

Edited by rotor123, 22 October 2012 - 10:58 AM.



#6 g1a1m1e1s1 (Topic Starter)

Posted 22 October 2012 - 11:11 AM

Dear Roger,

I wouldn't rely on "...recovery or the remote wipe of data could be useful.". If the thief is after the data, he will remove the laptop battery 5 minutes after the theft and then do some forensics on the HDD. Encryption, TPM and backup are the only way to go here.

"I just can't see a legitimate business spying on their customers. The logistics would be terrible and to what end?" No idea. Are they forced by some law enforcement agency to do so? Do they get paid? I have no idea. All I can see are the effects.

"In the laptops I've seen with Lojack it was enabled and disabled in the BIOS settings." My BIOS has no lojack switch and, from what I've read it can only be turned on, not off.

Can you please recommend me a good (free) decompiler so I can see at least the machine code of these files?

...and please tell me where else to ask for help?

[EDIT:]sorry for the late edit. I didn't see your reply as I was still editing when you replied.

Edited by g1a1m1e1s1, 22 October 2012 - 01:13 PM.
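The poster above asks for a way to look at the machine code of rpcnetp.exe and rpcnet.exe. Before reaching for a disassembler, the first triage step on any suspicious Windows binary is to read its PE headers: which sections it has, where the entry point lands, whether any section is both writable and executable, and how random each section's bytes look (a packed or encrypted agent body sits near 8 bits per byte). The following is an added example, not code from the original posts or from Absolute Software: a pure-Python PE header parser with a small triage pass. The image it parses is constructed inline by build_sample_pe so the example runs offline; it is not rpcnetp.exe, and the 7.0 bits/byte "looks packed" threshold is a rule of thumb, not a fixed standard. To run it on a real file, pass the file's bytes to parse_pe.

```python
"""Minimal PE header triage: sections, entry point location, W+X flags, entropy."""
import math
import struct
from collections import Counter

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY = 7.0               # rule-of-thumb threshold (bits per byte), assumed here


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 0 for an empty buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Parse DOS header, COFF file header, optional header magic/entry point and the
    section table. Raises ValueError on anything that is not a PE image."""
    if len(image) < 64 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte "PE\0\0" signature
    machine, num_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)  # AddressOfEntryPoint, same offset in both
    sect_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        off = sect_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(image):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr, _r1, _r2, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        raw = image[rawptr:rawptr + rawsize]            # bytes as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": rawsize,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "entry_rva": entry_rva[0], "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Return the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def triage(pe: dict) -> list:
    """The things a practitioner looks at first: entry point outside .text,
    writable+executable sections, high-entropy (packed) code sections."""
    findings = []
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None:
        findings.append("entry point not inside any section")
    elif ep["name"] != ".text":
        findings.append("entry point in %s, not .text" % ep["name"])
    for s in pe["sections"]:
        if s["executable"] and s["writable"]:
            findings.append("%s is writable and executable" % s["name"])
        if s["executable"] and s["entropy"] > PACKED_ENTROPY:
            findings.append("%s looks packed (entropy %.2f)" % (s["name"], s["entropy"]))
    return findings


def build_sample_pe(text: bytes, data: bytes, entry_rva=0x1000, text_flags=0x60000020) -> bytes:
    """Constructed test image (NOT rpcnetp.exe): a well-formed 32-bit PE skeleton with a
    .text and a .data section, each stored in its own 512-byte file-aligned block."""
    assert len(text) <= 512 and len(data) <= 512
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                          # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)          # i386, 2 sections, PE32
    opt_hdr = (struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", entry_rva)).ljust(224, b"\0")

    def sect(name, payload, vaddr, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(payload), vaddr, 512, rawptr, 0, 0, 0, 0, flags)

    headers = dos + b"PE\0\0" + file_hdr + opt_hdr
    headers += sect(b".text", text, 0x1000, 512, text_flags)                    # CODE|EXECUTE|READ
    headers += sect(b".data", data, 0x2000, 1024, 0xC0000040)                   # INITIALIZED|READ|WRITE
    return headers.ljust(512, b"\0") + text.ljust(512, b"\0") + data.ljust(512, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe(b"\x90" * 100 + b"\xc3", b"hello\0")
    pe = parse_pe(sample)
    for s in pe["sections"]:
        print("%-8s rva=0x%05x raw=%4d x=%d w=%d entropy=%.2f" % (
            s["name"], s["vaddr"], s["raw_size"], s["executable"], s["writable"], s["entropy"]))
    print("findings:", triage(pe) or "none")
```

A real agent dropped by firmware is usually small and unpacked, so an empty findings list is not a clean bill of health; the next questions (Authenticode signature, imports, what it connects to) need a fuller tool. The point of the headers pass is to decide quickly whether the file warrants that effort and whether a plain disassembler will even be able to read its code section.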


#7 rotor123 (Moderator)

Posted 22 October 2012 - 11:25 AM

"Dear Roger,

My BIOS has no lojack switch and, from what I've read it can only be turned on, not off.

Can you please recommend me a good (free) decompiler so I can see at least the machine code of these files?

...and please tell me where else to ask for help?"

Hi, I think I would go here for a decompiler recommendation: the Programming forum ("This forum is for the discussion of programming and programming related software").

This may be too obvious, but have you talked to tech support from the netbook's manufacturer?
And maybe you can turn off the functionality in Services. In Windows 7 I just click the Start orb, type "services" in the search box and pick the one that looks like two gears. Then look for those services and set them to Disabled, restart, and see if they stayed disabled.

Good Luck
Roger



#8 g1a1m1e1s1 (Topic Starter)

Posted 22 October 2012 - 01:09 PM

Dear Roger,

Thank you for the Programming link. I'll look into it asap.

About the other things...

"this may be to obvious but have you talked to tech support form the Netbooks manufacturer?" Not yet. I want first to make sure (see an exploit) that what I found is or can be used as a backdoor. And then I'll ask them in some public forum and/or through my lawyer.

"...Go to services, In windows 7 I just click the start Orb..." Editing the service in services.msc does not survive a restart. I guess the BIOS edits the registry value at startup (I edited the registry once myself from a Linux box; it worked, so I know it's easy) and copies that useful piece of, well, software.

Besides this, here in the EU IP addresses are considered PII. I guess storing (or even just accessing) IPs and computer serial numbers (and this data is sent daily) could mean some sort of privacy law breach. Since I'm no lawyer, I can't say that for sure.
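The observation in the post above, that a service disabled in services.msc is back after a reboot, is exactly the kind of claim worth pinning down with evidence rather than a guess about what the BIOS does. A cheap way to do that on Windows is to export the Services key before and after the reboot (`reg export HKLM\SYSTEM\CurrentControlSet\Services before.reg`, then the same into after.reg; on Vista and later reg.exe writes UTF-16LE, so open the files with encoding="utf-16") and diff the Start types and ImagePath values. The following is an added example, not code from the original posts or from Absolute Software: a parser for the subset of .reg syntax that reg.exe emits for this key, plus a diff that reports re-enabled, re-created or relocated services. The two snapshots are constructed inline for the example; the service names rpcnet and rpcnetp and their ImagePath values are assumed to mirror the executables named in the thread, not taken from a real export.

```python
"""Diff two reg.exe exports of HKLM\\SYSTEM\\CurrentControlSet\\Services to see which
services changed Start type, changed binary, or were (re)created across a reboot."""
import re

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Return {service_name: {value_name: value}} for the top-level service keys.
    Subkeys such as ...\\rpcnet\\Parameters are skipped so their values do not
    get merged into the parent; dword values become ints, strings are unescaped."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = _KEY_RE.match(line)
            current = m.group(1) if m else None       # None = some subkey or other hive
            if current is not None:
                services.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            services[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING_RE.match(line)
        if m:
            services[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return services


def diff_services(before: dict, after: dict) -> list:
    """Human-readable findings for every service that differs between the snapshots."""
    findings = []
    for name in sorted(set(before) | set(after), key=str.lower):
        b, a = before.get(name), after.get(name)
        if b is None:
            findings.append("%s: created since snapshot (Start=%s, ImagePath=%s)" % (
                name, START_TYPES.get(a.get("Start"), a.get("Start")), a.get("ImagePath")))
        elif a is None:
            findings.append("%s: removed since snapshot" % name)
        else:
            if b.get("Start") != a.get("Start"):
                findings.append("%s: Start changed %s -> %s" % (
                    name, START_TYPES.get(b.get("Start"), b.get("Start")),
                    START_TYPES.get(a.get("Start"), a.get("Start"))))
            if b.get("ImagePath") != a.get("ImagePath"):
                findings.append("%s: ImagePath changed %r -> %r" % (
                    name, b.get("ImagePath"), a.get("ImagePath")))
    return findings


# Constructed snapshots (not real exports): before = right after the user set
# rpcnet to Disabled in services.msc; after = the next boot.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnet]
"Type"=dword:00000010
"Start"=dword:00000004
"ImagePath"="C:\\Windows\\System32\\rpcnet.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnet]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\rpcnet.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnet\Parameters]
"Ignored"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnetp]
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\rpcnetp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"""

if __name__ == "__main__":
    for line in diff_services(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG)):
        print(line)
```

If the diff shows a service going from disabled back to auto with the same ImagePath on every boot, while nothing in the OS (no scheduled task, no Run key, no other service) references that file, the re-arming is happening before Windows starts, which is the firmware-resident behaviour the original poster suspects. That evidence is what to take to the vendor or to tech support, rather than the bare observation that the service "came back".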



