Yet malicious software found on Lenovo PCs

Pierluigi Paganini August 13, 2015

Chinese computer manufacturers Lenovo has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit.

Lenovo firm was accused several times to supplying equipment for networks of the intelligence and defense services various countries that allowed the Chinese Government to run espionage operations. In 2013, Spy agencies reportedly have a long-standing ban on Lenovo PCs due to backdoor vulnerabilities that could allow an attacker to remotely access to the computers.

Early 2015, security experts discovered that Lenovo was selling laptops pre-installed with Superfish malware.

Now it seems that the Chinese computer manufacturers has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit software on certain Lenovo laptop model and desktop PCs.

The controversial feature is called “Lenovo Service Engine” (LSE), it is a function implemented in the firmware of computer sold by Lenovo.

According to the security experts, if Windows is installed on the computer, the LSE automatically downloads and installs Lenovo software. The operations start during bootstrap before the Microsoft operating system is launched, overwriting some of the Windows operating system files.

The Lenovo Service Engine injects software that updates drivers, and firmware onto Windows machine even if users completely reinstall the OS and remove pre-installed software.

On various forums, users speculate the existence of a Lenovo “bootkit” impossible to remove.

According to the company, its service doesn’t collect user data neither personally identifying information, but sends back some basic information, including the system model, date, region, and system ID.

lenovo Superfish

The company clarified that the process is done only when the machine is connected for the first time to the Internet. The service appears more invasive in laptop, the Lenovo Service Engine installs a software program called OneKey Optimizer (OKO) that bundles on several Lenovo laptops.

Lenovo explains that the OKO software is used for improving laptop performance by “updating the firmware, drivers, and pre-installed apps” as well as “scanning junk files and find factors that influence system performance.

Security experts consider functionalities implemented by the OneKey Optimizer similar to the ones used by malware to infect PCs. The OKO software is considered by experts not stable and insecure,

in April the security researcher Roel Schouwenberg reported a number of some security issues, including buffer overflows to Lenovo and Microsoft.

The company in response stopped including the LSE on its computers and issued firmware updates to fix the problems.

Lenovo has issued an official statement, which clarifies that computers sold from don’t present the issue.

Colleagues at TheHackerNews provided the instructions to remove Lenovo Service Engine:

  1. Know your System Type (whether it’s a 32-bit or 64-bit version of Windows)
  2. Browse to the Lenovo Security Advisory, and select the link for your specific Lenovo machine.
  3. Click the “Date” button for the most recent update.
  4. Search for “Lenovo LSE Windows Disabler Tool” and Click the download icon next to the version that matches your version of Windows.
  5. Open the program once it downloads. It will remove the LSE software.

Pierluigi Paganini

(Security Affairs – Lenovo, rootkit)

you might also like

leave a comment