Lenovo ships laptops with preinstalled malware – archived source

Lenovo Caught Using Rootkit to Secretly Install Unremovable Software

August 12, 2015 – Swati Khandelwal

Two years ago, the Chinese firm Lenovo was banned from supplying equipment for the intelligence and defense networks of various countries because of hacking and spying concerns.

Earlier this year, Lenovo was caught red-handed selling laptops pre-installed with the Superfish malware.

Lenovo, one of the most popular Chinese computer manufacturers, has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit software on certain laptop and desktop systems it sells.

The feature is known as “Lenovo Service Engine” (LSE) – a piece of code present in the firmware on the computer’s motherboard.

If Windows is installed, the LSE automatically downloads and installs Lenovo’s own software at boot time, before the Microsoft operating system launches, overwriting Windows operating system files.

The more worrisome part of the feature is that it injects software that updates drivers, firmware, and other pre-installed apps onto the Windows machine – even if you have wiped the system clean.

So even if you uninstall or delete Lenovo’s own software programs, the LSE hidden in the firmware automatically brings them back as soon as you power on or reboot your machine.
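The “hidden Windows feature” described above is the ACPI Windows Platform Binary Table (WPBT), through which firmware hands Windows a binary to execute at boot. As an added example that is not part of the original article, the following Python code parses such a table (field layout per Microsoft’s WPBT specification; the sample table, its addresses and its arguments are constructed test data) so a defender can inventory what, if anything, a machine’s firmware asks Windows to run:

```python
"""Added example, not from the article: parse an ACPI Windows Platform Binary Table
(WPBT) and report the boot-time binary the firmware hands to Windows. Layout per
Microsoft's WPBT specification; the sample table built below is constructed test data."""
import struct
import sys

ACPI_HEADER = "<4sIBB6s8sI4sI"  # sig, len, rev, checksum, OEM id, OEM table id, OEM rev, creator, creator rev
WPBT_FIXED = "<IQBB"            # handoff size, handoff physical address, content layout, content type
HDR_LEN, FIXED_LEN = struct.calcsize(ACPI_HEADER), struct.calcsize(WPBT_FIXED)

def parse_wpbt(table: bytes) -> dict:
    """Validate the table and return the fields worth inventorying across a fleet."""
    sig, length = struct.unpack_from("<4sI", table, 0)
    if sig != b"WPBT" or length != len(table):
        raise ValueError("signature/length mismatch: not a well-formed WPBT")
    if sum(table) & 0xFF:       # every ACPI table must sum to zero modulo 256
        raise ValueError("ACPI checksum mismatch (table may be corrupt)")
    size, addr, layout, ctype = struct.unpack_from(WPBT_FIXED, table, HDR_LEN)
    args = ""
    if ctype == 1:              # type 1 = native user-mode app; UTF-16LE arguments follow
        (args_len,) = struct.unpack_from("<H", table, HDR_LEN + FIXED_LEN)
        start = HDR_LEN + FIXED_LEN + 2
        args = table[start:start + args_len].decode("utf-16-le", "replace").rstrip("\x00")
    return {"handoff_addr": addr, "handoff_size": size, "content_layout": layout,
            "content_type": ctype, "args": args}

def build_wpbt(handoff_addr: int, handoff_size: int, args: str) -> bytes:
    """Construct a sample WPBT (test data only, not a real dump) with a valid ACPI checksum."""
    arg_bytes = (args + "\x00").encode("utf-16-le")
    body = struct.pack(WPBT_FIXED, handoff_size, handoff_addr, 1, 1)
    body += struct.pack("<H", len(arg_bytes)) + arg_bytes
    hdr = bytearray(struct.pack(ACPI_HEADER, b"WPBT", HDR_LEN + len(body), 1, 0,
                                b"SAMPLE", b"WPBTSAMP", 1, b"EXMP", 1))
    hdr[9] = (-sum(hdr + body)) & 0xFF   # checksum byte sits at header offset 9
    return bytes(hdr) + body

def read_wpbt_from_firmware():
    """Windows only: fetch the live WPBT via kernel32.GetSystemFirmwareTable; None if absent."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    provider, table_id = int.from_bytes(b"ACPI", "big"), int.from_bytes(b"WPBT", "little")
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:             # no WPBT: the firmware asks Windows to run nothing at boot
        return None
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw
```

On Linux the kernel exposes the same table, when the firmware provides one, as /sys/firmware/acpi/tables/WPBT, and those bytes can be passed straight to parse_wpbt.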

Users on a number of online forums are criticizing Lenovo for this move and suspect that the Chinese computer maker has installed a “bootkit” that survives a full system wipe and reinstall.

The issue was first discovered and reported by users of new Lenovo laptops back in May, but was only widely reported on Tuesday.

What Does This Unwanted Program Do?

For Desktops:

In the case of desktops, Lenovo’s own description states that the software does not send any personally identifying information, but it does send some basic information, including the system model, date, region, and system ID, to a Lenovo server.

Moreover, the company claims that this happens only once: the information is sent to its server only when a machine first connects to the Internet.

For Laptops:

In the case of laptops, however, the software does rather more. LSE installs a program called OneKey Optimizer (OKO), which is bundled on many Lenovo laptops.

According to the company, the OKO software is used for enhancing computer performance by “updating the firmware, drivers, and pre-installed apps” as well as “scanning junk files and find factors that influence system performance.”

OneKey Optimizer falls into the category of “crapware”. The worst part is that both LSE and OKO appear to be insecure.

Back in April, security researcher Roel Schouwenberg reported some security issues, including buffer overflows and insecure network connections, to Lenovo and Microsoft.

This forced Lenovo to stop including LSE on new systems built since June. The company has also provided firmware updates for vulnerable laptops and issued instructions for disabling the option on affected machines and cleaning up the LSE files.

Among others, many Flex and Yoga machines running Windows 7, Windows 8, or Windows 8.1 are affected by this issue. You can see the full list of affected notebooks and desktops on Lenovo’s website.

Lenovo has since released an official statement, which notes that systems made from June onwards have BIOS firmware that eliminates the issue, and that it is no longer installing Lenovo Service Engine on PCs.

The Expert Way: How to Remove Lenovo Service Engine (Rootkit)

To remove LSE from affected machines, you have to do it manually. Follow these simple steps to do so:

  1. Know your system type (whether it is a 32-bit or 64-bit version of Windows).
  2. Browse to the Lenovo Security Advisory and select the link for your specific Lenovo machine.
  3. Click the “Date” button to sort by the most recent update.
  4. Search for “Lenovo LSE Windows Disabler Tool” and click the download icon next to the version that matches your version of Windows.
  5. Open the program once it downloads. It will remove the LSE software.