back to article Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin

LoJack for Laptops, a software tool designed to rat on computer thieves, appears to be serving a double purpose – by seemingly working with a Russian state-sponsored hacking team. The application allows administrators to remotely lock and locate, and remove files from, stolen personal computers. It's primarily aimed at …

  1. J. Cook Silver badge

    Worrisome? Yes. Surprising? Not really.

    It's worrisome, because part of the software's residency is at the BIOS/firmware level, which is one of the ways it's able to remain persistent.

    Not surprising, because I had long suspected them of using 'security by obscurity' to protect themselves.

    1. Mark 65

      Re: Worrisome? Yes. Surprising? Not really.

      What is more worrisome to me is that the method of persistence is modification of the BIOS/firmware. I understand why it is done, but that would want to be some pretty well quality assured, controlled and secure software to be allowed to do that. I'm also guess a firmware flash by a competent thief nullifies this anyway.

  2. This post has been deleted by a moderator

  3. Doctor Syntax Silver badge

    "four suspicious command-and-control domains, three of which have been associated with Fancy Bear in the past"

    I suppose the good news is that it's exposed the 4th domain.

  4. dvvdvv

    So wait. Fancy Bear are still using those domains? What a bunch of idiots…

    1. Voland's right hand Silver badge

      So wait. Fancy Bear are still using those domains?

      More lilkely Arbor came up across some old "unexploded munitions".

      The idiotism here is not cleaning up after act and leaving evidence. If the evidence is theirs to start off with and not yet another double-act in the game of cat and mouse between Kasperski and the 5 eye 3 letters.

      The probability of the latter is also on the table. The whole set of cloak and dagger idiocies around Kasperski is hugely counterproductive and replicates the affair with Alisa Shevchenko from 2 years ago. You ensure that someone who is imminently dangerous, but mostly benign at present has no other choice but to go to the dark side to make the ends meet. Then you claim that this is a jolly good idea and done in the name of the [ Star Spangled Banner | Union Jack ].

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Is it because IPv4 is running out...

      Completely unrelated: Kanye West outed as Russian Asset by Renowned Analyst:

      Kanye's recent coordinations with Trump, along with his use of inflammatory rhetoric and symbols (Confederate Flag) reek of "provokatsiya."

      Eric Garland 10:57 am - 2 May 2018

      1. Mark 65

        Nah, pretty sure Kanye is just a dick.

  5. dvvdvv
    Trollface

    And oh, you guys, take a guess: are Виталий Камлюк и Сергей Белов now or have they ever been m̶e̶m̶b̶e̶r̶s̶ associated with Kaspersky Lab?

    1. Voland's right hand Silver badge

      And your point is?

      Are you claiming that the like of GRU, CIA, MI6, BND, etc never send any moles to any blackhat conferences, never read any of the conference materials and never implement any of what is presented there?

      The really retarded part here is that people are trusting the security of their assets to a company which has not fixed a weakness which has been made public in 2014.

      1. dvvdvv

        Are you claiming you are not a quadruple NSA/יחידה 8200/GCHQ/Роскомнадзор agent embedded here to plant FUD amongst us? Ah yes, that's _exactly_ what a quadruple agent would claim…

        Anyway, my point is that ElReg gratuitously slapped Kaspersky and "Russian state-backed hackers" together again, while conveniently forgetting to mention that it was the Kaspersky folks who unearthed the LoJack vulnerability in the first place.

      2. Mark 65

        Read conference materials? I'd be incredibly surprised if they didn't have people writing the materials and making presentations as "researchers" etc.

  6. YetAnotherJoeBlow Bronze badge

    hmmm

    Виталий Камлюк was Kaspersky Labs Japan. Chief Security Expert

  7. Jonbays

    Absolute Software aren't concerned for the customers safety yet so all is fine then?

  8. Anonymous Coward
    Anonymous Coward

    Well...F*ck

    LoJack / Absolute Computrace Revisited from February 12, 2014

    From a previous collection of statistics, It's literally on every brand of computer out there. They even have a searchable list here.

    Here's some Indicators of Computrace Agent Activity

    1.One of the following processes is running:

    rpcnet.exe

    rpcnetp.exe

    32-bit svchost.exe running on 64-bit system (can’t serve as complete indicator)

    2.One of the following files exist on the hard drive:

    %WINDIR%System32rpcnet.exe

    %WINDIR%System32rpcnetp.exe

    %WINDIR%System32wceprv.dll

    %WINDIR%System32identprv.dll

    %WINDIR%System32Upgrd.exe

    %WINDIR%System32autochk.exe.bak (for FAT)

    %WINDIR%System32autochk.exe:bak (for NTFS)

    I am still speechless.

    1. Destroy All Monsters Silver badge

      Re: Well...F*ck

      Sounds like an Intel ME in Software

      1. TheVogon

        Re: Well...F*ck

        "Sounds like an Intel ME in Software"

        No it's in hardware. Reimage the PC / replace the HDD and it will reinstall itself.

    2. Joe Drunk
      Linux

      Re: Well...F*ck

      @AC - thanks for the informative link. Have an upvote.

      Looks like this is a win for the Penguinistas. This malware will only run on Windows systems. Time to installl Mint and use Wine for Office apps etc. for the work PC.

      1. Nimby
        Thumb Down

        F*ck D@t

        Or, you know, just don't install LoJack.

    3. Anonymous Coward
      Anonymous Coward

      Re: Well...F*ck

      This is why I build my own PC's, and my laptops are so ancient, this company didn't exist when they were made.

      My next laptop will be a barebones self build me thinks...

      1. Destroy All Monsters Silver badge
        Facepalm

        Re: Well...F*ck

        Pretty appalling stuff overall.

        From this and from events like the Superfish Lenovo or the Dell Remote Management pratfalls I can only conclude that the manufacturers don't even know what is going on in the basement of the tech gnomes any longer and that the legal department is out to lunch. This unprotected, eminently hijackable data exchange with parties unknown that the customer didn't agree to is likely to break laws in a few places.

  9. Anonymous Coward
    Anonymous Coward

    Does anyone know if the autocheck.exe will run periodically in a "normal" setting?

    I could have sworn I saw the autocheck.exe running on Process Exlporer a week ago and wondered what it was.

    It is present in the System32 folder but isn't running now.

    I did however just flash the BIOS recently with the Spectre patch.

    1. Anonymous Coward
      Anonymous Coward

      Re: Does anyone know if the autocheck.exe will run periodically in a "normal" setting?

      autochk.exe is a normal windows file. If your machine contains autochk.exe.bak or autochk.exe:bak, depending on your OS type, then you have a problem.

  10. jason.bourne
    Childcatcher

    Asking for a friend

    How much would it cost to get my dropper / C&C added to all the AV whitelists?

  11. Sixtysix
    WTF?

    I have trust issues...

    </quote>

    Arbor <...> spokesperson said. "At this time, we do not believe that this has impacted any customers or partners,

    </quote>

    No shit Sherlock? I think that's entirely the point - you won't know... and neither will the affected parties.

    *THIS* is why I have trust issues: the AV companies have chosen not to flag it. For corporate compliance, the AV tools should flag EVERYTHING suspicious, and allow the Corporate administrator get to tick a box that says "We note and accept that install in our environment because..." NOT just ignore things that could be FAR from benign.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021