Certain Asus motherboards installing software from their UEFI/BIOS

Billiam29

Apologies if this has been discussed before. I searched for some of the key terms and didn’t find them here. This news is about a year old but today was the first I’ve heard of it.

The UEFI on some Asus motherboards uses a Windows mechanism to install software directly from the BIOS into your Windows OS. Even if you don’t use ASUS motherboards, the Windows mechanism that ASUS is utilizing is potentially a pretty serious security concern and probably a good thing to be aware of.
Member said:
The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry.
via https://www.techpowerup.com/248827/...-push-software-into-your-windows-installation
 
Very interesting! I haven't noticed anything similar on my Gigabyte mobo, or found online references to WPBT issues with it, but I'll be checking our laptops to see what their various OEMs may have done.

Looks like a way to check is this:

"You can check your own PC to see if the manufacturer has included software in the WPBT. To find out, open the C:\Windows\system32 directory and look for a file named wpbbin.exe. The C:\Windows\system32\wpbbin.exe file only exists if Windows copies it from the UEFI firmware. If it’s not present, your PC manufacturer hasn’t used WPBT to automatically run software on your PC."

https://www.howtogeek.com/226308/th...crapware-can-come-back-after-a-clean-install/
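
Added example, not part of the thread or of any vendor's code: besides looking for wpbbin.exe, you can inspect the WPBT ACPI table itself. This sketch decodes a raw table dump, assuming the field layout from Microsoft's WPBT specification and the Linux sysfs path shown; the sample table is constructed, not taken from a real board.

```python
import struct

# Standard 36-byte ACPI header, then the WPBT-specific fields (little-endian).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_FIELDS = struct.Struct("<IQBBH")  # size, phys addr, layout, type, args length
SYSFS_TABLE = "/sys/firmware/acpi/tables/WPBT"  # Linux location; usually needs root


def parse_wpbt(raw: bytes) -> dict:
    """Decode a raw WPBT table and report what the firmware asks Windows to run."""
    if len(raw) < ACPI_HEADER.size + WPBT_FIELDS.size:
        raise ValueError("too short for a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length > len(raw):
        raise ValueError("table is truncated")
    size, addr, layout, ctype, args_len = WPBT_FIELDS.unpack_from(raw, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_FIELDS.size
    if args_off + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = raw[args_off:args_off + args_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\0 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\0 "),
        "checksum_ok": sum(raw[:length]) % 256 == 0,  # ACPI tables sum to zero
        "binary_size": size,        # bytes of the PE image held in firmware memory
        "binary_phys_addr": addr,   # physical address Windows copies it from
        "single_native_pe": layout == 1 and ctype == 1,  # one PE, native user-mode app
        "arguments": args.rstrip("\0"),
    }


def build_sample() -> bytes:
    """Constructed WPBT table for offline testing (all values are made up)."""
    args = "/demo\0".encode("utf-16-le")
    body = WPBT_FIELDS.pack(0x4000, 0x7F000000, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = -sum(table) % 256  # checksum byte sits at offset 9 of the header
    return bytes(table)


if __name__ == "__main__":
    try:
        with open(SYSFS_TABLE, "rb") as fh:
            print(parse_wpbt(fh.read()))
    except OSError:
        print("No readable WPBT here; constructed sample:", parse_wpbt(build_sample()))
```

If the sysfs file does not exist, the firmware publishes no WPBT at all, so Windows has nothing to copy into System32 on that machine.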
 
There's a decent chance that something similar exists on your laptop.
There's no C:\Windows\system32\wpbbin.exe on the Dell XPS 15, the Asus ultrabook or the Surface Pro. That may be due to them having had clean Windows installs; I've been annoyed by OEM utilities too many times in the past.

Also, FWIW none of my PCs have any entry in their UEFI BIOS that looked like the Asus motherboard's.
 
The mechanism is fine as it's been around for a few years and is fine. If you don't trust it, then you can't trust the BIOS or Windows.
It's not the BIOS that can't be trusted. It's what the PC makers (Lenovo) and motherboard manufacturers (ASUS) are doing with this BIOS-based feature that can't be trusted.

And a wag of the finger to Microsoft for apparently not allowing any way to bypass this. You should have a choice in the matter. It would be understandable if you had to jump through several hoops, but you should have a choice. Perhaps they feel that their "guidelines" now including the ability to disable the feature from within the BIOS is enough but that seems like somewhat of a feeble gesture to me.
 
To the OP: Are you describing ASUS systems, or ASUS motherboards that people like me buy as part of a home-built system?

If that vendor file (wppin.exe ?) is deleted, does it automatically regenerate the next time the system is booted?

Has anyone done a decompile on one of these files?
 
To the OP: Are you describing ASUS systems, or ASUS motherboards that people like me buy as part of a home-built system?
I honestly don’t know if it’s just motherboards or if it could be an issue with complete Asus systems as well. I came across a reference at Ars Technica which pointed to the small thread below on Asus’ RoG forum.

I’m only ankle deep versed in Asus’ product line so I don’t know if the RoG moniker means anything as far as what software is included with motherboards vs. complete systems. The Tech Power Up article that I linked was centered on a motherboard so that’s all I was comfortable mentioning.

https://rog.asus.com/forum/showthread.php?111012-AsusUpdateCheck-exe-reappears-after-reboot
 
It's not the BIOS that can't be trusted. It's what the PC makers (Lenovo) and motherboard manufacturers (ASUS) are doing with this BIOS-based feature that can't be trusted.
BIOS code is ALWAYS run before the OS boots - it's the BIOS that loads the OS in the first place. Therefore, you HAVE to trust the motherboard manufacturer and, by implication, the PC manufacturer. There's no technical reason why the BIOS can't access the boot drive on its own BEFORE the OS is booted and write whatever the heck it wants into whatever files it fancies. Even on encrypted drives, the BIOS could install its own rootkit prior to OS initialization.

We are as much at the mercy of motherboard and PC manufacturers as we are the OS manufacturers themselves. We are also at the mercy of router and firewall manufacturers, writers of device drivers, and a whole host of other avenues that can be used as backdoors into our systems.
 
It's not the BIOS that can't be trusted. It's what the PC makers (Lenovo) and motherboard manufacturers (ASUS) are doing with this BIOS-based feature that can't be trusted.
BIOS code is ALWAYS run before the OS boots - it's the BIOS that loads the OS in the first place.
This is nothing new and has been for decades. However this appears fundamentally different as the 'BIOS' now seems capable of:

- Copying files to a formatted drive

- Have access to Windows startup vectors to make sure their installed software and services run

Until now a BIOS has always been about executing code already there, do POST, load MBR and execute whatever code it finds there. It's now pushing its code 'into' Windows.

--
Joep
 
Wonder how it would look, if you installed Linux on such a BIOS?

Or will it prevent it, ie an OS lock??
 
A lot of the discussion seems to have shifted to the WPBT mechanism. That’s not really the issue here, IMO. As I said elsewhere in the thread, it’s what’s being done with that mechanism that’s cause for concern.

I have no problem with the use of WPBT for anti-theft software. I *do* have a problem with WPBT being used for an “update checker” which I could otherwise disable or choose to uninstall if it were implemented as a normally installed piece of software.

Even if you’re OK with the software that’s being implemented with WPBT, what about the consequences of flaws in that software? With a normally installed application you again could simply choose to disable it or uninstall it until the problem is fixed. These routine actions aren’t valid with WPBT. And what about when the problem is fixed? It seems that you’ll need to do a BIOS update just to implement what would otherwise be a standard application patch.
 
From what I understand right now it works the other way around (this particular feature). So the OS, Windows in this case 'pulls' the native exe from UEFI BIOS and allows it to execute.
 
A lot of the discussion seems to have shifted to the WPBT mechanism. That’s not really the issue here, IMO. As I said elsewhere in the thread, it’s what’s being done with that mechanism that’s cause for concern.
Exactly. Apart from every mechanism being offered for benign purposes can also be exploited.
I have no problem with the use of WPBT for anti-theft software. I *do* have a problem with WPBT being used for an “update checker” which I could otherwise disable or choose to uninstall if it were implemented as a normally installed piece of software.
Yes, the tendency (I think) that takes away control from the end user.
 
The mechanism is fine as it's been around for a few years and is fine. If you don't trust it, then you can't trust the BIOS or Windows.
Well maybe that's a bit naive, I wonder. Is this the same mechanism Lenovo used to load its rootkit perhaps?
I'm by no means an expert in this area, but at first glance, that seems to me to be the case:

https://www.google.com/search?clien...hUKEwjglZPmmMflAhUIRqwKHSSmCSwQ4dUDCAo&uact=5

--
Patco
A photograph is more than a bunch of pixels.
 
A lot of the discussion seems to have shifted to the WPBT mechanism. That’s not really the issue here, IMO. As I said elsewhere in the thread, it’s what’s being done with that mechanism that’s cause for concern.

I have no problem with the use of WPBT for anti-theft software. I *do* have a problem with WPBT being used for an “update checker” which I could otherwise disable or choose to uninstall if it were implemented as a normally installed piece of software.
The real issue isn't the mechanism, it's the trust. What you fear can be done with or without WPBT.

Do you trust the BIOS and motherboard manufacturer? If not, choose a different one.
 
