Apr 30 2011 :: by Alex Yumashev
Sorry for the offtopic, this post has nothing to do with startups, web-development or entrepreneurship, but I felt I should still write this.
I've just discovered a built-in rootkit in my wife's brand new Toshiba laptop. A non-removable malicious software application right from the manufacturer. That even captured and sent out screenshots of my wife's work... But first things first.
First, let me apologize for the tone of this post and kinda incoherent writing. Please try to imagine where I am right now and please accept my apologies - I just finished dealing with this issue, like, 10 minutes ago. And, to be honest, I'm angry as a bear.
It all started with some corrupted files & folders on my wife's laptop. No problem - I launched the "CHKDSK" utility and scheduled a disk scan on restart. No big deal, right?
Except - there was no disk scan when I rebooted. I tried again - no scan. I tried everything: rebooting to safe-mode, marking the disk as a "dirty" one with the "CHKNTFS" tool, booting with recovery disk - nothing helped. I just couldn't launch checkdisk or schedule it for the next startup. So, I figured that the checkdisk file itself might be corrupted, so I ran "SFC /scannow" command that, supposedly, should restore it.
The command went up to 47% and aborted with the error message "Windows Resource Protection could not perform the requested operation". Hmmm... Maybe there's a virus preventing this? So I opened the Process Explorer tool (God bless SysInternals) and found a suspicious process called "rpcnetp.exe".
Why hello there! The process has no "Description" and "Company Name" fields, it loads "rpcnetp.dll" via AUTOCHK.EXE. A-ha! The tool that is supposed to launch startup disk scan!
This can't be a coincidence. I opened Autoruns (God bless SysInternals #2) trying to find some registry key or something that launched this "rpcnetp" process.
Surprisingly, I found nothing. I decided to kill the process, delete those files from the "System32" folder and reboot the laptop. Imagine my frustration when those processes were back there, up and running!
I spent hours trying to figure, where this monster launches from... I tried several antiviruses, manual registry search, SysInternals tools... Nothing. So I turned to Google. And found some links (the second link is in Russian).
It turns out the files are loaded from BIOS:
It's a "security" software built into the BIOS of many laptops called CompuTrace. It is sorta like "LoJack" for laptops. If your laptop is stolen, CompuTrace can notify a server where your laptop is. It is written by Absolute Software and provided to laptop manufacturers so they can include it in the BIOSes they supply for their laptops.
CompuTrace is a rootkit <...> it will hijack the AUTOCHK.EXE process that normally runs during Windows boot, and instead run its own code. One issue this rootkit may cause: chkdsk will not run during boot like it is supposed to.
So, what is this thing?
I'll summarize what I've found out so far:
- This thing lives in your BIOS.
- When the system starts, it searches for "autochk.exe" in your system folder, supporting both FAT and NTFS drives. Then it hijacks "autochk.exe" substituting its own code instead, which unpacks and starts the "rpcnetp" process. It also verifies the registry key [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\Session Manager] "BootExecute"= autocheck autochk.
- When the Internet connection is up, it updates itself via the internet (connecting to 209.53.113.xxx - xxx.absolute.com), tries to send some personal info to the server and then listens to the instructions.
- This crap is white-listed by most known antivirus packages, that's why it was not found by my antivirus.
- This crap has even created screenshots of my wife's activity and placed the JPG files into the %WinDir% folder, it gathered system reports about the laptop, our external IP-address etc. etc. etc.
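The indicators in this list can be checked without changing anything on the machine. The PowerShell script below is an added example, not part of the original post; it uses the file names rpcnetp.exe and rpcnetp.dll given in the removal steps, and it assumes the registry key the post abbreviates lives under CurrentControlSet.

```powershell
# Added example: read-only check for the indicators named in this post.
# Nothing is deleted or modified. Run from an elevated prompt.
$sys32  = Join-Path $env:WinDir 'System32'
$report = @()

# Agent files the post found in System32 (no Description / Company Name).
foreach ($name in 'rpcnetp.exe', 'rpcnetp.dll') {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $vi = (Get-Item -LiteralPath $path -Force).VersionInfo
        $report += [pscustomobject]@{
            Check  = 'Agent file present'
            Detail = "$path company='$($vi.CompanyName)' description='$($vi.FileDescription)'"
        }
    }
}

# Running agent process (process names carry no .exe suffix here).
foreach ($p in Get-Process -Name 'rpcnetp' -ErrorAction SilentlyContinue) {
    $report += [pscustomobject]@{ Check = 'Agent process running'; Detail = "PID $($p.Id)" }
}

# autochk.exe is the file the post says gets hijacked at boot.
# Older PowerShell versions do not check catalog signatures, so also record
# the hash for comparison with a known-good copy from the same Windows build.
$autochk = Join-Path $sys32 'autochk.exe'
if (Test-Path -LiteralPath $autochk) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $autochk
    $hash = (Get-FileHash -LiteralPath $autochk -Algorithm SHA256).Hash
    $report += [pscustomobject]@{
        Check  = 'autochk.exe signature'
        Detail = "status=$($sig.Status) sha256=$hash"
    }
} else {
    $report += [pscustomobject]@{ Check = 'autochk.exe'; Detail = 'missing from System32' }
}

# BootExecute: the Windows default is a single "autocheck autochk *" entry.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$boot = (Get-ItemProperty -Path $key -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
$report += [pscustomobject]@{ Check = 'BootExecute'; Detail = ($boot -join ' | ') }

# JPG files directly under %WinDir%, where the post found screenshots.
foreach ($jpg in Get-ChildItem -LiteralPath $env:WinDir -Filter '*.jpg' -File -Force -ErrorAction SilentlyContinue) {
    $report += [pscustomobject]@{ Check = 'JPG in %WinDir%'; Detail = "$($jpg.Name) $($jpg.LastWriteTime)" }
}

$report | Format-Table -AutoSize -Wrap
```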
How to fight this
If you find this process ("rpcnetp.exe") in the processes list, follow these steps:
- Delete the files rpcnetp.exe, rpcnetp.dll from your system
- Move autochk.exe to another folder
- Edit the registry:
- Note that this crap will come back after reinstalling Windows
- Note that you can forget about the checkdisk tool forever.
What's the big deal?
Now, this rootkit does no harm.
- I don't like that someone collects my personal info without my permission
- I don't want my computer running programs I never approved
- I don't like the possibility that a dishonest employee at Absolute Software can execute remote commands on millions of laptops. There's a name for this. It's called a botnet.
- I don't like the possibility that some malware authors can piggyback this system.
- I want to be able to CHKDSK my hard-drive for Pete's sake!!!
UPDATE: After some more Googling I discovered that this was a big news story about a year ago, and some (not all) laptop manufacturers have released BIOS updates that remove this rootkit... But my wife's laptop was bought on Amazon only 2 months ago, it's a Toshiba Satellite T135, and the rootkit is still there. I just tried downloading the latest BIOS for our Toshiba - and the "rpcnetp" is still there even after reflashing BIOS. So check your laptops! Esp. ASUS and Toshibas.
UPDATE 2: Turns out that the AVG free antivirus detects this as a rootkit and tries to remove the files. But - of course - it's back up after a system restart.
UPDATE 3: Here's the patent for this thing.
UPDATE 4: I've just sent a support ticket to Absolute Software requesting to remove this tool, let's wait for their reply...
Alex founded Jitbit in 2005 and is a software engineer passionate about customer support.