A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #5554  by kareldjag/michk
 Fri Mar 18, 2011 8:32 pm
hi,
Lojack features have been known for years in the forensic world, and were covered at BlackHat 2009 by the Corelabs team, which provides a good summary on this page:
http://blog.coresecurity.com/2009/08/11 ... h-defense/
It is now technically possible to develop a kind of anti-forensic rootkit that will resist a format or hard disk replacement (hiding itself in the BIOS and HPA).
The features will be complete with live memory analysis resistance and covert channel connections.
Unlike the MBR rootkit family, there is currently no risk of seeing mass infection and botnets.
How it works: http://www.absolute.com/Shared/FAQs/L4L ... .sflb.ashx
http://blog.absolute.com/tag/lojack-for-laptops/
Defeating lojack (might be outdated): http://cryptome.org/lojack-hack.pdf
Before trying it (if it is not already embedded), check the BIOS compatibility: http://www.absolute.com/en/products/bio ... ility.aspx
Anti-forensic rootkit: http://www.slideshare.net/amiable_india ... c-rootkits
Anti-forensic: the rootkit connection: https://www.blackhat.com/presentations/ ... -PAPER.pdf

"Rootkit technology" has already been used in software piracy and gaming solutions (be evil to combat the evil?).

Rgds
 #14369  by kareldjag/michk
 Fri Jun 29, 2012 8:27 pm
I suggest only the possibilities of this kind of persistent code...
As pointed out by the previous post, there is a world between the laboratory environment and in-the-wild industrial infections...
But with physical access to a machine, this is without doubt an interesting cyber weapon...
http://www.finmeccanica.co.uk/capabilit ... tions.aspx

Rgds
 #14841  by kareldjag/michk
 Mon Jul 23, 2012 4:34 pm
hi
For sure...not all that comes from China is backdoored, but after the routers, mobile phones and co, caution is necessary for any critical IT...the US government for instance changed its computers when Lenovo acquired IBM's PC division...and other dilemmas... http://www.bunniestudios.com/blog/?p=2037
And some PCI expansion ROM backdoor technologies are quite well documented http://resources.infosecinstitute.com/p ... nsion-rom/
Planting a hardware backdoor is just a question of opportunity and resources for a hacker, a mafia or a government agency...as for instance there is some rebuilding material available for sale http://www.scotle.com/en/bga-rework-acc ... tions.html
As a Toshiba laptop fan, I have taken Lojack into consideration to avoid bad system discoveries
http://blog.jitbit.com/2011/04/rootkit- ... aptop.html
The complete list of compatible laptops is here http://absolute.com/en/company/bios-compatibility.aspx

Rgds
 #22337  by kareldjag/michk
 Sun Mar 02, 2014 12:30 pm
hi
A focus on it by Kaspersky Labs
Overview by general media http://securitywatch.pcmag.com/software ... e-wipe-pcs
And by Kaspersky http://www.kaspersky.com/about/news/vir ... Can-Go-Bad
The analysis on the AV vendor's site http://www.securelist.com/en/analysis/2 ... _Revisited

Computrace's reaction http://www.theregister.co.uk/2014/02/17 ... omputrace/
http://www.absolute.com/en/about/pressr ... /kaspersky
http://www.absolute.com/en/resources/in ... sky-report
http://www.absolute.com/en/resources/fa ... -kaspersky

As usual and as with things in general, all is not black, all is not white, but often grey.
Kaspersky Labs makes a buzz with old and already known material.
In addition to the "Deactivate the Rootkit" BH resource:
http://securitynirvana.blogspot.de/2012 ... using.html
http://bot24.blogspot.de/2012/08/vulner ... ystem.html
http://seclists.org/isn/2013/Sep/93

As we live in a business world, it appears difficult to forget the financial goals behind this study.
Absolute Software certainly provides one of the most reliable anti-theft solutions for laptops on this profitable market
http://www.cantechletter.com/2014/02/ab ... rol-olsen/
Due to their cooperation with law enforcement authorities.
But does the NSA need Lojack to get control of laptops?
After the Stuxnet buzz, Kaspersky was active in the press about their future Secure OS
http://www.theregister.co.uk/2012/10/16 ... announced/
So let's forget Windows...for millions and millions of users...as Kaspersky will save us, and the world too.
And Kaspersky and Absolute are both present in the anti-theft mobile market...
SpyVision is a tool mentioned as a Lojack remover.
But this is adware, and not totally effective http://www.softpedia.com/get/Security/S ... sion.shtml
https://www.virustotal.com/en/file/2e36 ... 393764916/

ps. Attached is my personal solution/detector/protection on a Toshiba laptop
Also effective vs the BadBios evil rootkit
Edited VirusTotal links

Rgds
Attachment berly.jpg: Russian Blue Cat firmware/hardware/HPA/DCO/BIOS rootkit detector
 #22947  by Xylitol
 Wed May 21, 2014 4:27 pm
kareldjag/michk wrote: The analysis on the av editor site http://www.securelist.com/en/analysis/2 ... _Revisited
Related file hashes from securelist:
 #22956  by kareldjag/michk
 Thu May 22, 2014 10:21 am
hi

Thanks for your effort, Xylitol.
Well...3 years after our focus on this board, Kaspersky, followed by the French community, make their own...
A Lojack detector for average users: Computrace Lojack Checker http://sourceforge.net/projects/computr ... k-checker/
The scan on the new malware.lu scan platform AVCaesar http://avcaesar.malware.lu/
http://avcaesar.malware.lu/sample/8983b ... 91515ca95b

rgds