Detecting and removing Absolute persistence technology
Absolute persistence technology amounts to a persistent rootkit pre-installed by many device manufacturers (Acer, Asus, Dell, HP, Lenovo, Samsung, Toshiba, etc.) to facilitate LoJack for laptops, and other backdoor services:
The Absolute persistence module is built to detect when the Computrace and/or Absolute Manage software agents have been removed, ensuring they are automatically reinstalled, even if the firmware is flashed, the device is re-imaged, the hard drive is replaced, or if a tablet or smartphone is wiped clean to factory settings.
Absolute persistence technology is built into the BIOS or firmware of a device during the manufacturing process.
The protocol used by the Small Agent provides the basic feature of remote code execution [and] creates numerous opportunities for remote attacks in a hostile network environment. ... A typical attack on a local area network would be to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Another possibility is to use a DNS service attack to trick the agent into connecting to a fake C&C server. We believe there are more ways to accomplish such attacks, though this is beyond the scope of the current research.
If a user legally purchases, secondhand or new, a device that originally had Absolute persistence technology built-in and may even have had it activated, and wishes:
- to detect whether the technology is still present in the device; and, if so,
- to remove that technology from the device (i.e. disinfect the device),
how best should the user go about this?
I'm guessing that Coreboot is part of the answer.
Unless there is a dedicated chip onboard for storing such preinstalled modules, flashing with a clean or modded version of the BIOS is enough. Coreboot can also be used. To detect the presence, the best way is to observe the system deeply and carefully, check settings in the BIOS, reverse engineer the BIOS, etc.
@Nikhil_CV, I've no idea whether there is a dedicated chip, or indeed if the rootkit persists by homing itself in multiple chips/firmwares/etc (e.g. is it related to "Intel Anti-Theft Technology" in many modern Intel CPUs?). If you know more than I do, then please expand on your comment in an answer, and provide sources for your information. Thanks!
"Absolute persistence technology is built into the BIOS or firmware of a device during the manufacturing process."
So, in addition to removing the agent, you will need to flash the BIOS or firmware of the device, with a version without the technology.
Since "coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers", it is potentially part of an answer.
Of course, you haven't specified a device, so it's impossible to provide you with a detailed answer. The only correct answer is 'it depends'.
The functionality of the technology requires that removing it remain infeasible, so its quality/reputation hinges on us being unable to provide you with a detailed answer.
It's really not one technology, but many; review the NSA's ANT technology codenamed DEITYBOUNCE, IRONCHEF, FEEDTROUGH, GOURMETTROUGH, etc; see https://commons.wikimedia.org/wiki/Category:NSA_ANT...
I didn't specify a device because I'm interested in the general case and I don't know whether there's a common implementation or if implementation varies from model to model. Still, if you want a specific suggestion, how about the ThinkPad X60?
That's cool. The only correct answer is 'it depends', because the implementation varies from model to model. I don't have specifics for the ThinkPad X60. For the Juniper brand, for example, there are three implementations in the NSA toolbox. Can these be detected? Not readily. There is no answer to your question till someone knows what the technology is in a specific case. How to go about knowing that? Buy the tech, and compare a protected system to an unprotected one.
The only way I know of is to contact Absolute Software and request removal of the agent. They are friendly enough, they will ask for some identifying information on the laptop, and then they will send a message to the original owner and ask if they sold it or got rid of it (I guess).
I waited on the order of six months for the final resolution, just got my message. Here is what it looks like:
The agent has been removed from device XXXXXXXX, make sure that the device is connected to a wired network, must have Windows O.S. installed, perform some reboots and please allow 24.5 hours in order to complete the whole process. Please let us know if you need further assistance.
Interesting to know that this option is available. However, it requires the user to trust MS and to place even more trust in *Absolute Software* than might otherwise be so. I.e. it requires the user to: trust *AS* with (pseudonymous?) contact info associated w/the PC in question; trust *AS* (& anyone they share info with) not to misuse their ability to correlate that identity w/the PC's connections to the Internet; trust the agent to do no harm while still present; trust *AS* to get back to you; and trust *AS* to have been truthful if/when they finally tell you they have removed the agent.
Upvoted, because this is *plausibly the approach that AS intends for users who wish to remove the agent*. So, thank you for pointing it out. However, I have not marked this answer as "accepted", because the approach outlined in it seems to me to be slow, dangerous, and unverifiable; and because it does not address the "[how] to detect whether the technology is still present in the device" part of my question.
You could, as I did, write a Windows service that loads early in the Windows boot order (in my case before the network service) and waits for the service injected by the APM module to load. Once detected, it will stop the APM service and delete the service's file. I kept my service running in the background just in case the APM module could somehow re-inject and run the APM service.
This method worked with my acer travelmate from 2012, maybe things have come along since then.
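As an added example (my own, not the poster's service and not Absolute's code), here is the same idea as a PowerShell watcher: it polls for the Absolute agent services and stops and disables them whenever they reappear. The service names are the ones given in the Dell/CTES answer further down this page (rpcnet, rpchdp, CtesHostSvc, "Ctes Manager"); the poll interval and log path are my own choices. Run it elevated, e.g. from a scheduled task that starts at boot.

```powershell
# Added example: poll for the Absolute agent services and suppress them.
# Service names are taken from the Dell/CTES answer on this page; adjust to
# whatever your own system shows. Requires an elevated PowerShell session.
$AgentServices = @('rpcnet', 'rpchdp', 'CtesHostSvc', 'Ctes Manager')
$PollSeconds   = 5                                              # assumed interval
$LogPath       = Join-Path $env:ProgramData 'absolute-watch.log' # assumed log path

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Stop the service if it is running and set its start type to Disabled.
# Returns $true if the service exists at all, $false if it is absent.
function Disable-AgentService([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        Write-Log "stopped service '$Name' (was $($svc.Status))"
    }
    if ($svc.StartType -ne 'Disabled') {
        Set-Service -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue
        Write-Log "set service '$Name' start type to Disabled"
    }
    return $true
}

Write-Log "watcher started; polling every $PollSeconds s for: $($AgentServices -join ', ')"
while ($true) {
    foreach ($name in $AgentServices) {
        [void](Disable-AgentService -Name $name)
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Because the firmware module can re-create the service on any boot, the loop never exits; the log lets you see how often the agent comes back, which is itself evidence that the persistence module is still active in firmware.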
According to the FAQ:
What if the Absolute software agent needs to be removed from a device?
IT administrators that have been authorized to do so, may carry out this function themselves within the Absolute Customer Center for Computrace, or from within the Absolute Manage console for Absolute Manage software agent removal.
I.e. you have to allow CompuTrace to be installed, persuade Absolute that you are the authorised user now, get control transferred to you, and de-activate it using their managed service.
Which will certainly involve sending them money.
I am guessing that CompuTrace will be detected by any competent antivirus as "remote management software" which you can probably flag not to run.
I'm afraid this FAQ answer ("*What if the Absolute software agent needs to be removed from a device?*") doesn't address my question, as it would only remove the software agent, not the Absolute persistence technology.
I reached Absolute Software tech support at the provided number and gave him the PC serial number. He told me that their records said that Computrace had been disabled by the original PC owner 5 years ago; however, there is nothing that Absolute Software can do to help, and my only recourse is to see about purchasing a replacement motherboard from the manufacturer.
My ThinkPad T490 has a BIOS option in the security tab to "permanently disable the Absolute Persistence Module". It's in no way clear what this option actually does, but I've just disabled it on my system. This option, or similar options, are available for many ThinkPads. For discussion, see https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/BIOS-option-to-quot-permanently-disable-quot-Computrace/td-p/104500
I have CTES from Absolute on my Dell laptop board and consider it corporate spyware. This is how I defeated it. I went to C:\Windows\system32\ and grouped everything by manufacturer, made a list of everything from Absolute so I could create a .cmd file to delete it all (hey, it's gonna come back, right?). Did the same in SysWOW64. There are 5 services to stop: CscService, Ctes Manager, CtesHostSvc, rpchdp and rpcnet. These were stopped using NET STOP in my .cmd file, before I deleted everything like this:
@Echo Off
:: Stop each service, then set its Start value to 4 (Disabled) so it does not restart.
:: A service name containing a space must be quoted for NET STOP.
NET STOP CscService /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\CscService" /v "Start" /t REG_DWORD /d "4" /f
NET STOP "Ctes Manager" /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Ctes Manager" /v "Start" /t REG_DWORD /d "4" /f
NET STOP CtesHostSvc /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\CtesHostSvc" /v "Start" /t REG_DWORD /d "4" /f
NET STOP rpchdp /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\rpchdp" /v "Start" /t REG_DWORD /d "4" /f
NET STOP rpcnet /Y
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\rpcnet" /v "Start" /t REG_DWORD /d "4" /f
:: Delete the agent binaries from both the 32-bit and 64-bit system directories.
DEL /F /Q /A C:\Windows\SysWOW64\cshost.dll
DEL /F /Q /A C:\Windows\SysWOW64\CTLojack.dll
DEL /F /Q /A C:\Windows\SysWOW64\DIAGDLL64.DLL
DEL /F /Q /A C:\Windows\SysWOW64\identprv.dll
DEL /F /Q /A C:\Windows\SysWOW64\pkgmgr.dll
DEL /F /Q /A C:\Windows\SysWOW64\pcnet.dll
DEL /F /Q /A C:\Windows\SysWOW64\wceprv.dll
DEL /F /Q /A C:\Windows\SysWOW64\instw64.exe
DEL /F /Q /A C:\Windows\SysWOW64\pkgslv.exe
DEL /F /Q /A C:\Windows\SysWOW64\rpcnet.exe
DEL /F /Q /A C:\Windows\System32\cshost.dll
DEL /F /Q /A C:\Windows\System32\CTLojack.dll
DEL /F /Q /A C:\Windows\System32\DIAGDLL64.DLL
DEL /F /Q /A C:\Windows\System32\identprv.dll
DEL /F /Q /A C:\Windows\System32\pkgmgr.dll
DEL /F /Q /A C:\Windows\System32\pcnet.dll
DEL /F /Q /A C:\Windows\System32\wceprv.dll
DEL /F /Q /A C:\Windows\System32\instw64.exe
DEL /F /Q /A C:\Windows\System32\pkgslv.exe
DEL /F /Q /A C:\Windows\System32\rpcnet.exe
:: Remove the agent's data directories.
RD /S /Q C:\ProgramData\CTES
RD /S /Q C:\ProgramData\Rpcnet
PAUSE
OK, services stopped, everything deleted. CTES is now off the system temporarily; temporarily because it's on the motherboard and it will reinstall to your system, but now you have your .cmd file you can run. But that's not enough: CTES must contact a server to update itself and then upload data, and it's considerable. Go to the CTES folder and have a look at CtesPersistence.txt to get an idea of what's happening. I stopped that Internet traffic cold by blocking these servers in the hosts file:
127.0.0.1 search.namequery.com
127.0.0.1 search2.namequery.com
127.0.0.1 search64.namequery.com
127.0.0.1 eol.absolute.com
127.0.0.1 si.namequery.com
127.0.0.1 d.namequery.com
127.0.0.1 a.fc.namequery.com
127.0.0.1 fo.fc.namequery.com
127.0.0.1 resources.namequery.com
127.0.0.1 cdta.namequery.com
127.0.0.1 eum.absolute.com
127.0.0.1 api.absolute.com
127.0.0.1 ps.namequery.com
127.0.0.1 amp.namequery.com
127.0.0.1 ps.absolute.com
127.0.0.1 ctm.server.absolute.com
127.0.0.1 gcm-http.googleapis.com
127.0.0.1 bh.namequery.com
127.0.0.1 sv.symcb.com
127.0.0.1 s.symcb.com
127.0.0.1 s1.symcb.com
127.0.0.1 s2.symcb.com
127.0.0.1 crl.thawte.com
127.0.0.1 cdp.thawte.com
127.0.0.1 cacerts.thawte.com
I have effectively disabled a rather well thought out piece of corporate spyware. The CTES service still installs because it's on my laptop board. I have Process Hacker from SourceForge; it notifies me when the CTES service installs, so I give it an hour, then go to %ProgramData%\CTES and confirm that nothing was updated or uploaded.
To understand just how persistent this is, have a look at the Administrator's Guide for Absolute Agents. Once the software is activated, you can only block it. And most laptops are shipped with it activated. Please note this is my system; yours may be different, but it's a jumping-off point.
So to answer the question, I will say quite definitively that this technology is not coming off that board... ever. It can only be managed.
Here's some reference:
Host                                   IP (as listed)   Port(s)      Purpose
search.namequery.com                   184.108.40.206   80 and 443   Absolute agent communication for Windows and Mac
search2.namequery.com                  220.127.116.11   80           Data Delete & Device Freeze
search64.namequery.com                 18.104.22.168    80           Absolute Consumer agent
eol.absolute.com                       22.214.171.124   443          End of Life (EOL) Data Delete
si.namequery.com                       126.96.36.199    80           Absolute Persistence 2.x
d.namequery.com                        188.8.131.52     80           Absolute Persistence 2.x
a.fc.namequery.com, fo.fc.namequery.com  184.108.40.206   80         Real-Time-Technology over IP (RTT-IP)
resources.namequery.com                220.127.116.11   443          Absolute 7 components
resources.namequery.com                18.104.22.168    443          Absolute 7 components delivered from Microsoft Azure Content Delivery Network
cdta.namequery.com                     22.214.171.124   80           Data Transfer
eum.absolute.com (and embedded URL)    126.96.36.199    443          End User Messaging
api.absolute.com                       188.8.131.52     443          Web Services API
ps.namequery.com                       184.108.40.206   443          Professional Services
amp.namequery.com                      220.127.116.11   443          Professional Services
ps.absolute.com                        18.104.22.168    443          Professional Services
ctm.server.absolute.com                22.214.171.124   443          Absolute agent communication for Android and Chromebook
chrome.google.com                      126.96.36.199    443          Absolute for Chromebooks Extension Web Store
gcm-http.googleapis.com                188.8.131.52     443          Google Cloud Messaging for Android and Chromebook
bh.namequery.com                       184.108.40.206   80           Absolute holding account
sv.symcb.com                           220.127.116.11   80           CRL Distribution Point
s.symcb.com                            18.104.22.168    80           CRL Distribution Point
s1.symcb.com                           22.214.171.124   80           CRL Distribution Point
s2.symcb.com                           126.96.36.199    80           Authority Info Access - On-line Certificate Status Protocol
ts-ocsp.ws.symantec.com                188.8.131.52     80           Authority Info Access - On-line Certificate Status Protocol
ts-aia.ws.symantec.com                 184.108.40.206   80           Authority Info Access Certification Authority Issuer
ts-crl.ws.symantec.com                 220.127.116.11   80           CRL Distribution Point
ocsp.thawte.com                        18.104.22.168    80           Authority Info Access - On-line Certificate Status Protocol
crl.thawte.com                         22.214.171.124   80           CRL Distribution Point
cdp.thawte.com                         126.96.36.199    80           CRL Distribution Point
cacerts.thawte.com                     188.8.131.52     80           Authority Info Access Certification Authority Issuer
ocsp.digicert.com                      184.108.40.206   80           Authority Info Access - On-line Certificate Status Protocol
crl3.digicert.com                      220.127.116.11   80           CRL Distribution Point
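The answer above covers the removal side with a .cmd file; the question also asked how to detect whether the technology is still present. As an added example (my own script, not the poster's and not Absolute's), here is a read-only PowerShell audit that looks for the artifacts this answer names: the agent services, the DLL/EXE names in System32 and SysWOW64, the %ProgramData%\CTES and %ProgramData%\Rpcnet directories, and whether the agent's hostnames are already sinkholed in the hosts file. The service list deliberately omits CscService, which is the built-in Windows Offline Files service rather than an Absolute component; the subset of hostnames checked is my choice and can be extended from the hosts list above.

```powershell
# Added example: report-only audit for Absolute/CTES artifacts on Windows.
# Names are taken from the Dell/CTES answer on this page; nothing is modified.
$ServiceNames = @('rpcnet', 'rpchdp', 'CtesHostSvc', 'Ctes Manager')
$FileNames    = @('cshost.dll', 'CTLojack.dll', 'DIAGDLL64.DLL', 'identprv.dll', 'pkgmgr.dll',
                  'pcnet.dll', 'wceprv.dll', 'instw64.exe', 'pkgslv.exe', 'rpcnet.exe')
$DataDirs     = @("$env:ProgramData\CTES", "$env:ProgramData\Rpcnet")
# Subset of the agent's C&C names from the hosts list above (my selection).
$AgentHosts   = @('search.namequery.com', 'search2.namequery.com', 'search64.namequery.com',
                  'si.namequery.com', 'd.namequery.com', 'resources.namequery.com', 'api.absolute.com')

function Get-AbsoluteArtifacts {
    $found = [System.Collections.Generic.List[object]]::new()

    # 1. Services: present at all, and in what state?
    foreach ($n in $ServiceNames) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($svc) {
            $found.Add([pscustomobject]@{ Kind = 'Service'; Item = $n
                                          Detail = "$($svc.Status) / start type $($svc.StartType)" })
        }
    }

    # 2. Binaries in both system directories, with their Authenticode status.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        foreach ($f in $FileNames) {
            $p = Join-Path $dir $f
            if (Test-Path -LiteralPath $p) {
                $sig = Get-AuthenticodeSignature -FilePath $p
                $detail = "signature: $($sig.Status)"
                if ($sig.SignerCertificate) { $detail += "; signer: $($sig.SignerCertificate.Subject)" }
                $found.Add([pscustomobject]@{ Kind = 'File'; Item = $p; Detail = $detail })
            }
        }
    }

    # 3. Data directories: existence plus the newest write, which shows recent agent activity.
    foreach ($d in $DataDirs) {
        if (Test-Path -LiteralPath $d) {
            $newest = Get-ChildItem -LiteralPath $d -Recurse -File -ErrorAction SilentlyContinue |
                      Sort-Object LastWriteTime -Descending | Select-Object -First 1
            $when = if ($newest) { $newest.LastWriteTime } else { 'empty' }
            $found.Add([pscustomobject]@{ Kind = 'DataDir'; Item = $d; Detail = "newest write: $when" })
        }
    }

    # 4. Hosts file: which agent hostnames are NOT yet pointed at 127.0.0.1?
    $hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $hostsText = if (Test-Path -LiteralPath $hostsFile) { Get-Content -LiteralPath $hostsFile -Raw } else { '' }
    foreach ($h in $AgentHosts) {
        $pattern = '(?m)^\s*127\.0\.0\.1\s+{0}\s*$' -f [regex]::Escape($h)
        if ($hostsText -notmatch $pattern) {
            $found.Add([pscustomobject]@{ Kind = 'HostNotBlocked'; Item = $h; Detail = 'no 127.0.0.1 entry' })
        }
    }
    return $found
}

$report = Get-AbsoluteArtifacts
if ($report.Count -eq 0) {
    'No Absolute/CTES artifacts found by name. The firmware module may still be present; re-run after a few reboots.'
} else {
    $report | Format-Table -AutoSize
}
```

A clean result from this audit only says the agent has not been dropped into Windows yet; because the persistence module lives in firmware, the meaningful check is to re-run it after several reboots on a wired network (the conditions Absolute's own message above says the agent needs) and see whether any Service or File rows come back.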