Lenovo PCs and Laptops seem to have a rootkit hidden in their BIOS
The Chinese computer and laptop maker Lenovo is once again in the eye of the storm after users found that their PCs/laptops ship with a hidden backdoor at the BIOS level. Earlier in the year, it was found that all Lenovo PCs/laptops were shipped with spyware called Superfish.
The secret UEFI-level spyware installer kit was discovered by a user, willSmith1701, on the Ars Technica forum. He had purchased a Lenovo G50-80 and did a clean install using a retail disc. However, when he rebooted the system he got a pop-up message saying:
“Note: This is from the product itself and not from the network. To help you continue to upgrade system firmware and software, in order to make your system more stable, safe and high performance, download and install the Lenovo system optimization software. The software download process needs to connect to the internet. Click here to read the Lenovo License Agreement LLA”
The pop-up has an option to either cancel, or to agree and install. However, that is not the issue here. Since the user did a clean install, he shouldn't be getting such a message in the first place. This message may be an indication of UEFI/BIOS-level spyware in Lenovo PCs.
Another user, Chuck11, found many entries in the Windows system, including files such as LenovoCheck.exe and LenovoUpdate.exe. These entries reappear on reboot, even if the user deletes them:
“Uh oh – check your Services tab in Task Manager – “Lenovo Update” service is there and running for me (even though I said NO to the popup!) And there’s a bunch of crap in c:\windows\system32 like LenovoCheck.exe, LenovoUpdate.exe and various things in the registry.
If you delete those files, or just overwrite them with junk, they reappear when you reboot. If you Disable the service, it is Running when you reboot!
See this thread for someone else who noticed this, with more details – nobody believes him! He thinks it’s UEFI”
Another user, ge814, gave a detailed reply about how the files LenovoCheck.exe and LenovoUpdate.exe are created on Lenovo PCs and laptops.
He says that before booting Windows 7 or 8, the BIOS checks whether C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the Lenovo one, it moves it to C:\Windows\system32\0409\zz_sec\autobin.exe and then writes its own autochk.exe.
During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe file to the system32 directory, something it should not be doing. It then sets up a service to run one of them once an internet connection is established.
Once the PC is connected to the Internet, it visits https://download.lenovo.com/ideapad/wind … 2_oko.json.
That in itself is a very serious issue for Lenovo PC users: the combination of the “ForceUpdate” parameter and the lack of SSL makes it vulnerable to a man-in-the-middle attack and remote code execution by anyone who can intercept the user's traffic.
The only way to escape these two backdoors on Lenovo PCs and laptops is to flash your BIOS. Having said that, only users who are fairly conversant with flashing a BIOS/firmware should proceed; otherwise you may brick your PC/laptop.
- First you’ll need a USB Flash ROM reader/writer(a cheap CH341A one works fine) and SOIC-8 test clips.
- Take the back cover off the laptop, and also disconnect the battery, and locate the BIOS chip on the motherboard.
- Connect the test clips to the BIOS chip and connect the other end of the test clips to the USB writer you have bought.
- Now connect the USB writer to another computer.
- On the other computer use the USB reader/writer to dump a copy of the BIOS.
- The BIOS dump will be an 8MB file. You need to split it into 2 files: the first 2MB and the last 6MB.
- Download UEFITool from GitHub (https://github.com/LongSoft/UEFITool) and open the 6MB file.
- Look through the modules and find the one called “NovoSecEngine2” and mark it for deletion.
- Save a new copy of the 6MB file.
- Now make a new 8MB file by taking the 2MB beginning from earlier and appending the new 6MB file on to the end.
- Use the USB reader/writer to flash that new 8MB file to your PC/laptop's BIOS.
- Once you are done, disconnect the wires and put the laptop back together.
- Reinstall a fresh copy of Windows, and check your C:\Windows\system32\autochk.exe file to make sure it is signed by Microsoft, not Lenovo.
- If you have the original Microsoft one there, congratulations, your laptop is now clean.
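The checks described above (autochk.exe signer, the dropped LenovoCheck.exe/LenovoUpdate.exe files, the relocated autobin.exe and the update service) can be scripted. The following is an added example and is not code from the article or from Lenovo; the file paths and names come from the article, and the service-name pattern is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Lenovo): look for the on-disk
# artifacts the article attributes to the Lenovo Service Engine (LSE).
function Test-LenovoServiceEngine {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $findings = @()

    # 1. autochk.exe should carry a Microsoft signature, not a Lenovo one.
    $autochk = Join-Path $sys32 'autochk.exe'
    $sig = Get-AuthenticodeSignature -FilePath $autochk
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        $findings += "autochk.exe signature status: $($sig.Status); signer: $signer"
    }

    # 2. Files the BIOS-written autochk.exe drops, plus the relocated original.
    $suspectFiles = @(
        (Join-Path $sys32 'LenovoCheck.exe'),
        (Join-Path $sys32 'LenovoUpdate.exe'),
        (Join-Path $sys32 '0409\zz_sec\autobin.exe')
    )
    foreach ($path in $suspectFiles) {
        if (Test-Path -LiteralPath $path) { $findings += "file present: $path" }
    }

    # 3. The service that launches the updater once a network is available.
    # Name pattern is an assumption; review matches rather than treating every
    # Lenovo-named service as malicious.
    $services = Get-Service | Where-Object {
        $_.Name -like '*Lenovo*' -or $_.DisplayName -like '*Lenovo Update*'
    }
    foreach ($svc in $services) {
        $findings += "service: $($svc.Name) ($($svc.DisplayName)) status=$($svc.Status) start=$($svc.StartType)"
    }

    return $findings
}

$result = Test-LenovoServiceEngine
if ($result) {
    'Possible LSE artifacts:'
    $result | ForEach-Object { "  $_" }
} else {
    'No LSE artifacts found.'
}
```

On older PowerShell versions that do not read catalog signatures, a genuine Microsoft autochk.exe may report NotSigned; in that case confirm the signer with another tool before acting on the result.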
It is clear that Lenovo is shipping its PCs/laptops with a boot-level rootkit that force-installs unwanted spyware and bloatware. The files created by the rootkit are further connecting
Update: Lenovo has issued a statement about its LSE rootkit saying that LSE is no longer being installed on Lenovo PCs. It has also added that its popular ThinkPad and other Think-branded PCs/laptops are not affected by this vulnerability.
It has also requested its customers to immediately update their firmware with the recent release so that the LSE can be disabled.
Microsoft recently released updated security guidelines (see page 10 of this linked PDF) on how to best implement this Windows BIOS feature. Lenovo's use of LSE was not consistent with these new guidelines. As a result, LSE is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware, which disables and/or removes this feature.
The list of Lenovo products affected by the LSE rootkit is given below:
- Flex 2 Pro 15 (Broadwell)
- Flex 2 Pro 15 (Haswell)
- Flex 3 1120
- Flex 3 1470/1570
- G40-80/G50-80/G50-80 Touch
- Yoga 3 11
- Yoga 3 14
- Horizon 2 27
- Horizon 2e (Yoga Home 500)
- Horizon 2S
- YT A5700k
- YT A7700k
- YT M2620n
- YT M5310n
- YT M5790n
- YT M7100n
- YT S4005
- YT S4030
- YT S4040
- YT S5030