Lenovo’s Rootkit like Technique to Install Bloatware

Lenovo used a Rootkit like technique to reload bloatware into clean installs of Windows operating systems, leaving customers open to attack.

Not long after Lenovo were caught selling computers with SSL hijacking malware pre-installed on them, another breach of their customers trust has been unveiled.

Lenovo have been selling computers with an altered BIOS firmware that automatically downloads Lenovo tools and services. The BIOS is the first piece of software that runs when a PC is turned on. Its job is to test the system hardware, then initiate the boot loader or an operating system. Every BIOS is made specifically for the motherboard that it resides on. With Lenovo’s altered BIOS, even if a user were to completely wipe their hard drive and reinstall Windows, the bloatware would be injected into the clean Windows operating system files during the boot sequence.  This is made possible by a feature in the Windows operating system called Windows Platform Binary Table (WPBT). Windows created the WPBT for installing hardware drivers on systems to aid functionality without having a user manually install them. This feature has gone unnoticed for some time, until Lenovo started using it to forcefully install bloatware.

The WPBT contains a list of addresses where programs are located on the physical memory. In Lenovo’s case, this points to a program called Lenovo Service Engine (LSE). If Windows is installed, LSE will start during the secure boot sequence, unbeknown the the user. During the boot sequence, LSE checks if C:\Windows\system32\autochk.exe is Lenovo’s variant of the file or the original Windows file. If the file is not Lenovo’s, it is replaced. Lenovo’s variant of autochk.exe then ensures that LenovoUpdate.exe and LenovoCheck.exe are in the file system. If these programs are uninstalled by the user, they will be reinstalled when the computer next enters the boot sequence.

After LenovoUpdate.exe and LenovoCheck.exe have been checked they are then executed with full administrator access. They automatically connect to the internet and download and install Lenovo’s choice of bloatware package. Finally, LSE will send non-personal details about the system back to Lenovo.

Because Windows Platform Binary Table can be used to execute code during the boot sequence, it’s critical that it has hardened security so users are not vulnerable to exploits. Unfortunately, researcher Roel Schouwenberg found a buffer-overflow vulnerability in LSE that can be used to escalate privileges to administrator-level, allowing a potential attacker full control over the system.

Once Lenovo had learned about their breach of Microsoft’s security guidelines for Windows Platform Binary Table tool, Lenovo Service Engine was pulled from new machines. A tool was silently released on the 31st July allowing users to remove LSE and all of its artefacts. Lenovo released this statement after the matter was picked up by the media:

“LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE was not consistent with these guidelines and Lenovo recommends customers disable this utility by running a disabler program that disables LSE and removes the LSE files from the system.”

Perhaps the most worrying aspect of this all is that Microsoft’s WPBT is made specifically for the purpose of allowing manufacturers to silently inject executable files into Windows. It is from developments such as this that Richard Stallman, renowned software freedom activist, starts to sound a little less crazy. Customers of Lenovo are essentially loosing control of their very own hardware.

Lenovo Service Engine Removal Guide


Leave a Reply

Your email address will not be published. Required fields are marked *