Keylogger Found in Audio Driver of HP Laptops

Razer g2s at riseup.net
Thu May 11 19:09:36 PDT 2017


H/t @Liberationtech @twitter
https://twitter.com/Liberationtech/status/862849917806661634
>
> The audio driver installed on some HP laptops includes a feature that
> could best be described as a keylogger, which records all the user's
> keystrokes and saves the information to a local file, accessible to
> anyone or any third-party software or malware that knows where to look.
>
> Swiss cyber-security firm modzero discovered the keylogger on April 28
> and made its findings public today.
>
> Keylogger found in preinstalled audio driver
>
> According to researchers, the keylogger feature was discovered in the
> Conexant HD Audio Driver Package version 1.0.0.46 and earlier.
>
> This is an audio driver that is preinstalled on HP laptops. One of the
> files of this audio driver is MicTray64.exe
> (C:\windows\system32\mictray64.exe).
>
> This file is registered to start via a Scheduled Task every time the
> user logs into his computer. According to modzero researchers, the
> file "monitors all keystrokes made by the user to capture and react to
> functions such as microphone mute/unmute keys/hotkeys."
>
> This behavior, by itself, is not a problem, as many other apps work
> this way. The problem is that this file writes all keystrokes to a
> local file at:
>
> C:\users\public\MicTray.log
>
> Audio driver also exposes keystrokes in real-time via local API
>
> If the file doesn't exist or a registry key containing this file's
> path does not exist or was corrupted, the audio driver will pass all
> keystrokes to a local API, named the OutputDebugString API.
>
> The danger is that malicious software installed on the computer, or a
> person with physical access to the computer, can copy the log file and
> have access to historical keystroke data, from where he can extract
> passwords, chat logs, visited URLs, source code, or any other
> sensitive data.
>
> Furthermore, the OutputDebugString API provides a covert channel for
> malware to record real-time keystrokes without using native Windows
> functions, usually under the watchful eye of antivirus software.
>
> Keylogger feature confirmed in HP laptops
>
> Modzero researchers said they found the Conexant HD Audio Driver
> Package preinstalled on 28 HP laptop models. Other hardware that uses
> this driver may also be affected, but investigators haven't officially
> confirmed that the issue affects other manufacturers.
>
>    HP EliteBook 820 G3 Notebook PC
>    HP EliteBook 828 G3 Notebook PC
>    HP EliteBook 840 G3 Notebook PC
>    HP EliteBook 848 G3 Notebook PC
>    HP EliteBook 850 G3 Notebook PC
>    HP ProBook 640 G2 Notebook PC
>    HP ProBook 650 G2 Notebook PC
>    HP ProBook 645 G2 Notebook PC
>    HP ProBook 655 G2 Notebook PC
>    HP ProBook 450 G3 Notebook PC
>    HP ProBook 430 G3 Notebook PC
>    HP ProBook 440 G3 Notebook PC
>    HP ProBook 446 G3 Notebook PC
>    HP ProBook 470 G3 Notebook PC
>    HP ProBook 455 G3 Notebook PC
>    HP EliteBook 725 G3 Notebook PC
>    HP EliteBook 745 G3 Notebook PC
>    HP EliteBook 755 G3 Notebook PC
>    HP EliteBook 1030 G1 Notebook PC
>    HP ZBook 15u G3 Mobile Workstation
>    HP Elite x2 1012 G1 Tablet
>    HP Elite x2 1012 G1 with Travel Keyboard
>    HP Elite x2 1012 G1 Advanced Keyboard
>    HP EliteBook Folio 1040 G3 Notebook PC
>    HP ZBook 17 G3 Mobile Workstation
>    HP ZBook 15 G3 Mobile Workstation
>    HP ZBook Studio G3 Mobile Workstation
>    HP EliteBook Folio G1 Notebook PC
>
> The Conexant HD Audio Driver Package has versions for the following
> operating systems.
>
>    Microsoft Windows 10 32-Bit
>    Microsoft Windows 10 64-Bit
>    Microsoft Windows 10 IOT Enterprise 32-Bit (x86)
>    Microsoft Windows 10 IOT Enterprise 64-Bit (x86)
>    Microsoft Windows 7 Enterprise 32 Edition
>    Microsoft Windows 7 Enterprise 64 Edition
>    Microsoft Windows 7 Home Basic 32 Edition
>    Microsoft Windows 7 Home Basic 64 Edition
>    Microsoft Windows 7 Home Premium 32 Edition
>    Microsoft Windows 7 Home Premium 64 Edition
>    Microsoft Windows 7 Professional 32 Edition
>    Microsoft Windows 7 Professional 64 Edition
>    Microsoft Windows 7 Starter 32 Edition
>    Microsoft Windows 7 Ultimate 32 Edition
>    Microsoft Windows 7 Ultimate 64 Edition
>    Microsoft Windows Embedded Standard 7 32
>    Microsoft Windows Embedded Standard 7E 32-Bit
>
> HP did not respond to a request for comment from Bleeping Computer in
> time for this article's publication.
>
> Here's how to Check for and Remove the HP MicTray64 Keylogger...
>

BleepingComputer:
https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/
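
A read-only check for the artifacts the quoted article names, added here as an example; it is not part of the original post or the article. The function name Get-MicTrayFinding is hypothetical, and the process name MicTray64 is assumed from the executable's file name.

```powershell
# Added example: read-only triage for the artifacts named in the quoted article.
# It reports metadata only and never reads the log, which may hold keystrokes.
function Get-MicTrayFinding {
    param(
        [string]$Exe = 'C:\Windows\System32\MicTray64.exe',   # path from the article
        [string]$Log = 'C:\Users\Public\MicTray.log'          # path from the article
    )

    $f = [ordered]@{
        ExePresent     = Test-Path -LiteralPath $Exe -PathType Leaf
        ExeFileVersion = $null
        # Process name is an assumption: the executable name without extension.
        Running        = [bool](Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue)
        LogPresent     = Test-Path -LiteralPath $Log -PathType Leaf
        LogBytes       = $null
        LogLastWrite   = $null
        LogReaders     = @()
        Tasks          = @()
    }

    if ($f.ExePresent) {
        # File version of the binary. The article's 1.0.0.46 is the driver
        # package version, so this value is reported, not compared.
        $f.ExeFileVersion = (Get-Item -LiteralPath $Exe).VersionInfo.FileVersion
    }

    if ($f.LogPresent) {
        $item = Get-Item -LiteralPath $Log
        $f.LogBytes     = $item.Length
        $f.LogLastWrite = $item.LastWriteTime
        # Identities holding an Allow entry on the log file.
        $f.LogReaders = @((Get-Acl -LiteralPath $Log).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }

    # Get-ScheduledTask needs the ScheduledTasks module (Windows 8 / Server 2012+).
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $f.Tasks = @(Get-ScheduledTask | Where-Object {
            ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'mictray'
        } | ForEach-Object { "$($_.TaskPath)$($_.TaskName)" })
    }

    [pscustomobject]$f
}

Get-MicTrayFinding | Format-List
```

A non-zero LogBytes with a recent LogLastWrite indicates the file is being written on that machine; on Windows 7 the Tasks field stays empty because the ScheduledTasks module is absent.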