Lenovo Ushers in a New Era of Mobile Workstation Power and Performance with Lenovo ThinkPad P50 and P70
-
Here is where I'm guessing a security researcher actually dissected the problem by reading out the BIOS.
Disclaimer: Unless you really know what you're doing, you really don't want to try this: As for removing it, you need to edit and re-flash your BIOS. The downloadable BIOS update from Lenovo doesn't seem to be extractable at least with any methods I know, and using BIOS dumping tools only gets you 6 of the 8MB of the BIOS chip, so unfortunately it has to be done the painful way. You'll need a USB flash ROM reader/writer (a cheap CH341A one works fine) and SOIC-8 test clips. You can get each of those 2 items for about $10 each. Take the back cover off the laptop, and also disconnect the battery, and locate the BIOS chip on the motherboard. Connect the test clips to the BIOS and connect the other end of the test clips to the USB writer, and connect the USB writer to another computer. On the other computer use the USB reader/writer to dump a copy of the BIOS. The BIOS dump will be an 8MB file. You need to split it into 2 files: the first 2MB and the last 6MB. Download UEFITool from GitHub ( https://github.com/LongSoft/UEFITool ) and open the 6MB file. Look through the modules and find the one called "NovoSecEngine2" and mark it for deletion. Save a new copy of the 6MB file. Now make a new 8MB file by taking the 2MB beginning from earlier and appending the new 6MB file on to the end. Use the USB reader/writer to flash that new 8MB file to the laptop's BIOS, then disconnect the wires and put the laptop back together. Reinstall a fresh copy of Windows again, and check your C:\Windows\system32\autochk.exe file to make sure it's signed by Microsoft, not Lenovo. If you have the original Microsoft one there, congratulations, your laptop is now clean.
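The split and re-join step in the procedure quoted above, with the size checks that keep a malformed image off the chip. This is an added example, not code from the post or from UEFITool; the function names are hypothetical, the sample bytes are constructed, and comparing two separate reads of the chip is an extra precaution the post does not mention.

```python
import hashlib

MIB = 1024 * 1024
DUMP_SIZE = 8 * MIB  # full flash dump, per the post
HEAD_SIZE = 2 * MIB  # first region, carried over byte for byte
BODY_SIZE = 6 * MIB  # region that is opened and edited in UEFITool


def reads_agree(first: bytes, second: bytes) -> bool:
    """Added precaution: two separate clip reads must hash identically."""
    return hashlib.sha256(first).digest() == hashlib.sha256(second).digest()


def split_dump(dump: bytes):
    """Return (first 2 MiB, last 6 MiB) of an 8 MiB dump."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {DUMP_SIZE}")
    return dump[:HEAD_SIZE], dump[HEAD_SIZE:]


def reassemble(original: bytes, edited_body: bytes) -> bytes:
    """Rebuild the 8 MiB image from the untouched head and the edited 6 MiB file."""
    head, old_body = split_dump(original)
    if len(edited_body) != BODY_SIZE:
        raise ValueError(f"edited file is {len(edited_body)} bytes, expected {BODY_SIZE}")
    if edited_body == old_body:
        raise ValueError("edited file is identical to the original region")
    image = head + edited_body
    assert len(image) == DUMP_SIZE and image[:HEAD_SIZE] == head
    return image


if __name__ == "__main__":
    # Constructed stand-in for a real dump: patterned bytes, not firmware.
    dump = bytes(range(256)) * (DUMP_SIZE // 256)
    head, body = split_dump(dump)
    edited = b"\xff" * 16 + body[16:]  # stand-in for the file saved by UEFITool
    image = reassemble(dump, edited)
    print(len(image), hashlib.sha256(image).hexdigest())
```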
-
@Dashrender said:
True, but when you get the full out technical explanation that someone WAY smarter than me did, you see what files are coming onto the system and where they are coming from. None of them are indicated as malicious. Bloatware, perhaps, even probably.
How is that not malicious? Forced bloatware IS malicious. You keep saying that they are doing malicious things and then saying it isn't malware. It can't do what you are describing and not be malware.
-
@scottalanmiller said:
@Dashrender said:
True, but when you get the full out technical explanation that someone WAY smarter than me did, you see what files are coming onto the system and where they are coming from. None of them are indicated as malicious. Bloatware, perhaps, even probably.
How is that not malicious? Forced bloatware IS malicious. You keep saying that they are doing malicious things and then saying it isn't malware. It can't do what you are describing and not be malware.
We apparently don't agree on what malicious is.
-
@Dashrender said:
We apparently don't agree on what malicious is.
Clearly. I'm shocked that you think that losing control of your machine isn't malicious. If I broke into your house without your permission and got caught because I did anything other than wash up and watch some television would you not consider that malicious?
Their actions alone are malicious. What the files are that they are pushing can't change that. They've breached the malicious acts component before we evaluate what the files are. What they are doing is malicious in its action.
Then there is the additional component that we don't know what the intent is or was. We don't know how this could have been used, would have been used or would have been exploited. Bottom line, this is what malicious looks like. What else can it be?
Do you consider no hacking attempt to be malicious until the stealing of data is completed?
-
I'm not saying that Lenovo's intent was to steal banking data, what I'm saying is that their intent was to rootkit people's desktops. That's a malicious intent, it was accomplished.
-
@scottalanmiller said:
I'm not saying that Lenovo's intent was to steal banking data, what I'm saying is that their intent was to rootkit people's desktops. That's a malicious intent, it was accomplished.
Then so is Dell's and HP's when they install drivers using this method and ergo this method needs to be completely removed from being allowed. But clearly even MS thinks this is a good idea because they built "Windows Platform Binary Table (WPBT)" which specifically has Windows go to the BIOS/UEFI to find these files that vendors put there to do exactly this.
-
According to Wikipedia: "Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems."
Disrupt, yes. Gain access, yes. It meets two of the potential qualifications. It might easily have been used for gathering sensitive information, that it was used or would have been used before stopped we don't know, but that isn't relevant as it is already a recognized malware (all rootkits are by definition malware.)
-
@Dashrender said:
@scottalanmiller said:
I'm not saying that Lenovo's intent was to steal banking data, what I'm saying is that their intent was to rootkit people's desktops. That's a malicious intent, it was accomplished.
Then so is Dell's and HP's when they install drivers using this method and ergo this method needs to be completely removed from being allowed. But clearly even MS thinks this is a good idea because they built "Windows Platform Binary Table (WPBT)" which specifically has Windows go to the BIOS/UEFI to find these files that vendors put there to do exactly this.
Agreed. Are Dell or HP controlling people's desktops without their permission or knowledge? Do you have documentation of that? You said that LoJack was doing this too, do you have a link? This should be huge news.
-
How does it disrupt? Of course it gains access.
But the same could be said of Dell or HP installing ONLY drivers into a system.
-
@Dashrender said:
How does it disrupt? Of course it gains access.
Every thread of someone trying to fix their machine is someone who has been disrupted.
So you agree that it is malware by the common Wikipedia definition?
-
@Dashrender said:
But the same could be said of Dell or HP installing ONLY drivers into a system.
I've seriously never seen this. What's it called? How can we look it up?
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
I'm not saying that Lenovo's intent was to steal banking data, what I'm saying is that their intent was to rootkit people's desktops. That's a malicious intent, it was accomplished.
Then so is Dell's and HP's when they install drivers using this method and ergo this method needs to be completely removed from being allowed. But clearly even MS thinks this is a good idea because they built "Windows Platform Binary Table (WPBT)" which specifically has Windows go to the BIOS/UEFI to find these files that vendors put there to do exactly this.
Agreed. Are Dell or HP controlling people's desktops without their permission or knowledge? Do you have documentation of that? You said that LoJack was doing this too, do you have a link? This should be huge news.
I never said that. I said that HP and Dell have been reported to have these same files just like Lenovo has regarding the "Windows Platform Binary Table (WPBT)".
As for LoJack - again never said that LoJack is taking over people's computers, but when enabled it does install software that the user probably doesn't realize is happening.
-
@Dashrender said:
As for LoJack - again never said that LoJack is taking over people's computers, but when enabled it does install software that the user probably doesn't realize is happening.
You said that they were doing the same thing. And the "thing" here is rootkitting people's machines without knowledge or permission.
Taking over people's computers is what we are discussing. IF anyone is "doing the same thing" to be used as an excuse why it is okay for Lenovo to do this, they'd have to do roughly the same thing. What is LoJack doing that in any way relates?
-
@scottalanmiller said:
@Dashrender said:
But the same could be said of Dell or HP installing ONLY drivers into a system.
I've seriously never seen this. What's it called? How can we look it up?
from the Ars link
I would like to know if any non-Lenovo pc's have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dell's and HP's who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there) For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.malwarebytes.org (as early as 2013)
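For anyone wanting to check a machine for the WPBT mechanism mentioned in this thread, the table can be read and decoded directly. This is an added example, not code from any post here or from Microsoft; it assumes the published WPBT layout (36-byte ACPI header, then handoff size, handoff address, content layout, content type and argument length), the Linux path `/sys/firmware/acpi/tables/WPBT`, and a constructed sample table whose values are made up.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, arg bytes


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table and report where the firmware-supplied binary lives."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _csum, oem_id, *_ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    arg_start = ACPI_HEADER.size + WPBT_BODY.size
    if length > len(table) or arg_start + arg_len > length:
        raise ValueError("table is truncated")
    args = table[arg_start:arg_start + arg_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "checksum_ok": sum(table[:length]) % 256 == 0,  # ACPI tables sum to 0 mod 256
        "binary_size": size,     # bytes of the PE image handed to Windows
        "binary_address": addr,  # physical address of that image
        "single_pe_image": layout == 1,
        "native_user_mode_app": ctype == 1,
        "arguments": args.rstrip("\x00"),
    }


def make_sample_table() -> bytes:
    """Constructed WPBT table for the demo; every value in it is made up."""
    args = "demo\0".encode("utf-16-le")
    body = WPBT_BODY.pack(0x5000, 0x7F000000, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    raw = bytearray(ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"OEMID ",
                                     b"OEMTABLE", 1, b"DEMO", 1) + body)
    raw[9] = (-sum(raw)) % 256  # checksum byte sits at offset 9 of the header
    return bytes(raw)


if __name__ == "__main__":
    try:  # present only when the firmware publishes a WPBT; reading it needs root
        with open("/sys/firmware/acpi/tables/WPBT", "rb") as fh:
            data = fh.read()
    except OSError:
        data = make_sample_table()
    print(parse_wpbt(data))
```

A machine with no WPBT table has nothing for Windows to extract; when the table is present, `oem_id`, the binary size and the arguments show which vendor published it and what gets handed to the OS.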
-
@Dashrender said:
I never said that. I said that HP and Dell have been reported to have these same files just like Lenovo has regarding the "Windows Platform Binary Table (WPBT)".
So they are not doing this in a malicious way but are just using the same tools?
That sounds like normal installers. You can use an installer to do legitimate software installs, or you can use it to install a Trojan.
What Lenovo is doing here is not a legitimate use of the technology, and Microsoft agreed and shut it down.
-
@scottalanmiller said:
@Dashrender said:
As for LoJack - again never said that LoJack is taking over people's computers, but when enabled it does install software that the user probably doesn't realize is happening.
You said that they were doing the same thing. And the "thing" here is rootkitting people's machines without knowledge or permission.
Taking over people's computers is what we are discussing. IF anyone is "doing the same thing" to be used as an excuse why it is okay for Lenovo to do this, they'd have to do roughly the same thing. What is LoJack doing that in any way relates?
If you believe that the POPUP mentioned in the OP in the Ars link is related, and that nothing more is coming down to the machine - then I would say this is similar to how LoJack works, possible exception is that YOU the owner have originally initiated the LoJack thing, but once enabled, if that computer is ever reinstalled, LoJack will reinstall itself from the BIOS - maybe you weren't aware that it could do that?
-
@Dashrender said:
If you believe that the POPUP mentioned in the OP in the Ars link is related, and that nothing more is coming down to the machine - then I would say this is similar to how LoJack works, possible exception is that YOU the owner have originally initiated the LoJack thing, but once enabled, if that computer is ever reinstalled, LoJack will reinstall itself from the BIOS - maybe you weren't aware that it could do that?
The popup is not related to what we are discussing. That's something else. There is NO permissions being requested for the rootkit issue.
I feel that finding one guy somewhere mentioning a popup about something else has led you down the garden path. The issue at hand is not one with a pop up.
-
@scottalanmiller said:
@Dashrender said:
I never said that. I said that HP and Dell have been reported to have these same files just like Lenovo has regarding the "Windows Platform Binary Table (WPBT)".
So they are not doing this in a malicious way but are just using the same tools?
That sounds like normal installers. You can use an installer to do legitimate software installs, or you can use it to install a Trojan.
What Lenovo is doing here is not a legitimate use of the technology, and Microsoft agreed and shut it down.
What? Microsoft said that Lenovo had implemented it poorly - i.e. no security... but not that it was a wrong use of the tech - if they did say wrong use of tech, I'd love a link so I stand corrected.
-
Here is another link that states without any doubt that there can be no popup as the action takes place before the OS is even running...
http://thehackernews.com/2015/08/lenovo-rootkit-malware.html
-
@scottalanmiller said:
@Dashrender said:
If you believe that the POPUP mentioned in the OP in the Ars link is related, and that nothing more is coming down to the machine - then I would say this is similar to how LoJack works, possible exception is that YOU the owner have originally initiated the LoJack thing, but once enabled, if that computer is ever reinstalled, LoJack will reinstall itself from the BIOS - maybe you weren't aware that it could do that?
The popup is not related to what we are discussing. That's something else. There is NO permissions being requested for the rootkit issue.
I feel that finding one guy somewhere mentioning a popup about something else has led you down the garden path. The issue at hand is not one with a pop up.
Other people in that thread mention the popup as well. And the reality is probably most people just didn't see the popup, but if it shows that the popup isn't related... then I'll cede the point