Lenovo laptops have rootkits installed - find out if your PC is infected

Computer manufacturer Lenovo is using a rootkit to make sure its software remains installed, even on clean Windows installs. The rootkit lets the BIOS overwrite Windows system files at boot.


A user discovered the rootkit when a file on his Lenovo laptop was automatically overwritten every time he rebooted his computer. Lenovo also states on its website that software called Lenovo Service Engine is installed on its PCs and automatically downloads OneKey Optimizer. According to the computer manufacturer, OneKey Optimizer is "powerful, next-generation system optimization software designed specifically for Lenovo computers."

Lenovo also specifically reports that the software phones home, but promises that what it sends is non-personally identifiable system data. The software optimizes the PC by "updating firmware, drivers, and pre-installed apps."

The method is possible because Microsoft allows PC manufacturers to have the BIOS supply a .EXE file that is loaded when the system boots. This feature is called the Windows Platform Binary Table (WPBT), and it is the mechanism that runs the file just before the user logs in. WPBT is a Windows feature that can't be turned off.

Lenovo is using this technique on Windows 8. On Windows 7 the company simply overwrites the file autochk.exe, which in turn starts services and downloads updates from the internet when available.

To make it worse, the Lenovo Service Engine contained a vulnerability that allowed attackers to install malware on the computer by using a malicious server. Lenovo patched this vulnerability with an update; however, users have to install it manually, which means most users are probably still vulnerable.

Check whether your computer is using these techniques with the following methods (credits to chuckup):

Windows 8(.1) & Windows 10

  • Check the Event Log for "Microsoft-Windows-Subsys-SMSS" entries and see whether there is one saying "A platform binary was successfully executed."
  • Or check for a file named wpbbin.exe in the c:\windows\system32 directory; if it's there, Lenovo has a rootkit on your PC.

Windows 7

  • Open a command prompt as Administrator.
  • Run sfc /VERIFYFILE=c:\windows\system32\autochk.exe or sfc /VERIFYONLY and check whether it reports an error and/or whether the file's date matches your installation date. The VERIFYONLY output tells you which log to look in.
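As an added example (not part of the article or of chuckup's instructions), the following PowerShell script automates the checks above on one machine: the SMSS event, the wpbbin.exe file, and the Windows 7 autochk.exe comparison via file date and sfc. It assumes Windows PowerShell 3 or later run from an elevated prompt; the event-log names, the message text it matches and the sfc success string are assumptions.

```powershell
# Added detection script; run elevated. Log names and matched strings are assumptions.
$findings = @()

# 1. Windows 8/8.1/10: SMSS logs an event when a platform (WPBT) binary is run.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = @('System', 'Application')      # assumed: logs the event may land in
    ProviderName = 'Microsoft-Windows-Subsys-SMSS'
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'platform binary' }
if ($events) {
    $findings += "WPBT execution event(s): $($events.Count), latest $($events[0].TimeCreated)"
}

# 2. The binary that WPBT writes to disk before the user logs in.
$wpbbin = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
if (Test-Path $wpbbin) {
    $item = Get-Item $wpbbin
    $findings += "wpbbin.exe present ($($item.Length) bytes, written $($item.LastWriteTime))"
}

# 3. Windows 7 path: autochk.exe replaced. A write date after OS install is only a
#    heuristic (Windows updates can also touch it), so sfc is asked as well.
$autochk = Join-Path $env:SystemRoot 'System32\autochk.exe'
$os  = Get-CimInstance Win32_OperatingSystem
$chk = Get-Item $autochk
if ($chk.LastWriteTime -gt $os.InstallDate) {
    $findings += "autochk.exe written after OS install ($($chk.LastWriteTime) vs $($os.InstallDate))"
}
# sfc prints UTF-16; when captured in PowerShell the text is interleaved with NULs,
# so strip them before matching the (assumed) success message.
$sfc = (& sfc "/VERIFYFILE=$autochk" | Out-String) -replace "`0", ''
if ($sfc -notmatch 'did not find any integrity violations') {
    $findings += "sfc flags autochk.exe; details in $env:SystemRoot\Logs\CBS\CBS.log"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output '[ok] no WPBT or autochk indicators found' }
```

A hit on check 1 or 2 only shows that the firmware supplied a WPBT binary; the event's details and the file's publisher say which vendor's software it is.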
