SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    JESU CHRISTO: Keylogger PRE-INSTALLED on 28 HP laptop models; in Conexant HD Audio Driver Package ver. 1.0.0.46 and earlier
Go
New
Find
Notify
Tools
Reply
  
JESU CHRISTO: Keylogger PRE-INSTALLED on 28 HP laptop models; in Conexant HD Audio Driver Package ver. 1.0.0.46 and earlier Login/Join 
Sig2340
Step by step walk the thousand mile road
Picture of Sig2340
posted
Okay, now software installed at the FACTORY contains malware.

We need to find these people and make a real example of them.

I'm talking Brazen Bull or John Clark's recompression chamber example. Live.

quote:
JESU CHRISTO!! This is a Bloody Big Damned Deal!!

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero [thanks, guys!] discovered the keylogger on April 28 and made its findings public today.

According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier.

This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at:

C:\users\public\MicTray.log

Audio driver also exposes keystrokes in real-time via local API

If the file doesn't exist or a registry key containing this file's path does not exist or was corrupted, the audio driver will pass all keystrokes to a local API, named the OutputDebugString API.

The danger is that malicious software installed on the computer, or a person with physical access to the computer, can copy the log file and have access to historical keystroke data, from where he can extract passwords, chat logs, visited URLs, source code, or any other sensitive data.

Furthermore, the OutputDebugString API provides a covert channel for malware to record real-time keystrokes without using native Windows functions, usually under the watchful eye of antivirus software.
Keylogger feature confirmed in HP laptops

Modzero researchers said they found the Conexant HD Audio Driver Package preinstalled on 28 HP laptop models. Other hardware that uses this driver may also be affected, but investigators haven't officially confirmed that the issue affects other manufacturers.

HP EliteBook 820 G3 Notebook PC
HP EliteBook 828 G3 Notebook PC
HP EliteBook 840 G3 Notebook PC
HP EliteBook 848 G3 Notebook PC
HP EliteBook 850 G3 Notebook PC
HP ProBook 640 G2 Notebook PC
HP ProBook 650 G2 Notebook PC
HP ProBook 645 G2 Notebook PC
HP ProBook 655 G2 Notebook PC
HP ProBook 450 G3 Notebook PC
HP ProBook 430 G3 Notebook PC
HP ProBook 440 G3 Notebook PC
HP ProBook 446 G3 Notebook PC
HP ProBook 470 G3 Notebook PC
HP ProBook 455 G3 Notebook PC
HP EliteBook 725 G3 Notebook PC
HP EliteBook 745 G3 Notebook PC
HP EliteBook 755 G3 Notebook PC
HP EliteBook 1030 G1 Notebook PC
HP ZBook 15u G3 Mobile Workstation
HP Elite x2 1012 G1 Tablet
HP Elite x2 1012 G1 with Travel Keyboard
HP Elite x2 1012 G1 Advanced Keyboard
HP EliteBook Folio 1040 G3 Notebook PC
HP ZBook 17 G3 Mobile Workstation
HP ZBook 15 G3 Mobile Workstation
HP ZBook Studio G3 Mobile Workstation
HP EliteBook Folio G1 Notebook PC

The Conexant HD Audio Driver Package has versions for the following operating systems.

Microsoft Windows 10 32-Bit
Microsoft Windows 10 64-Bit
Microsoft Windows 10 IOT Enterprise 32-Bit (x86)
Microsoft Windows 10 IOT Enterprise 64-Bit (x86)
Microsoft Windows 7 Enterprise 32 Edition
Microsoft Windows 7 Enterprise 64 Edition
Microsoft Windows 7 Home Basic 32 Edition
Microsoft Windows 7 Home Basic 64 Edition
Microsoft Windows 7 Home Premium 32 Edition
Microsoft Windows 7 Home Premium 64 Edition
Microsoft Windows 7 Professional 32 Edition
Microsoft Windows 7 Professional 64 Edition
Microsoft Windows 7 Starter 32 Edition
Microsoft Windows 7 Ultimate 32 Edition
Microsoft Windows 7 Ultimate 64 Edition
Microsoft Windows Embedded Standard 7 32
Microsoft Windows Embedded Standard 7E 32-Bit

HP did not respond to a request for comment from Bleeping Computer in time for this article's publication.
Here's how to Check for and Remove the HP MicTray64 Keylogger

According to modzero, to check for and remove the HP MicTray64.exe keylogger, you should follow these steps:

Open Task Manager and check for a running process called MicTray64.exe. If this process exists, close it.

Navigate to c:\Windows\System32\MicTray64.exe and move the file to your Desktop.

Now check if the file C:\Users\Public\MicTray.log exists. If it does, move this file to the Desktop as well.

Now that the keylogger has been removed and you have isolated the log files, let's take a look at what was logged.

Open the MicTray.log file on your desktop and examine the contents. If you notice that login names, passwords, banking info, or any other sensitive login info has been logged, you should immediately change your passwords at the associated accounts.

After following the steps, the keylogger will no longer be active and will not start on reboot.




Nice is overrated

"It's every freedom-loving individual's duty to lie to the government."
Airsoftguy, June 29, 2018
 
Posts: 32311 | Location: Loudoun County, Virginia | Registered: May 17, 2006Reply With QuoteReport This Post
jbcummings
Member
Picture of jbcummings
posted Hide Post
The NSA is getting cocky...


———-
Do not meddle in the affairs of wizards, for thou art crunchy and taste good with catsup.
 
Posts: 4306 | Location: DFW | Registered: May 21, 2012Reply With QuoteReport This Post
nhtagmember
Political Cynic
Picture of nhtagmember
posted Hide Post
yep - running on my machine

looking for the files now


[B] Against ALL enemies, foreign and DOMESTIC

 
Posts: 53983 | Location: Tucson Arizona | Registered: January 16, 2002Reply With QuoteReport This Post
Rey HRH
His Royal Hiney
Picture of Rey HRH
posted Hide Post
quote:
Originally posted by jbcummings:
The NSA is getting cocky...


First thing that came to my mind. they got found out.


"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
 
Posts: 20200 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011Reply With QuoteReport This Post
Yellow Jacket
Member
Picture of Yellow Jacket
posted Hide Post
Just checked my Dell desktop. It's ok. Will check my wife's Dell laptop just to be sure.

edit: The laptop was ok as well. Hopefully, only the HP's have the issue.

This message has been edited. Last edited by: Yellow Jacket,


God's mercy: NOT getting what we deserve!
God's grace: Getting what we DON'T deserve!

"If the enemy is in range, so are you." - Infantry Journal

Bob
P239 40 S&W
Endowment NRA
Viet Nam '69-'70
 
Posts: 1099 | Location: Fayette County, GA | Registered: April 14, 2014Reply With QuoteReport This Post
Hound Dog
Official Space Nerd
Picture of Hound Dog
posted Hide Post
Any idea HOW this happened? Is HP actually, consciously, putting this in there, or is it done unknowingly by a third party?

Either way, HP should be responsible (legally AND morally) for this, as it is part of THEIR product.

And, the most sinister aspect of these sort of revelations, is that this one case is the only one we know of yet. . .


Fear God and Dread Nought
Admiral of the Fleet Sir Jacky Fisher
 
Posts: 21959 | Location: Hobbiton, The Shire, Middle Earth | Registered: September 27, 2004Reply With QuoteReport This Post
Deqlyn
stupid beyond
all belief
Picture of Deqlyn
posted Hide Post
yup, I smell a class action coming. If I had stock I would dump it


What man is a man that does not make the world better. -Balian of Ibelin

Only boring people get bored. - Ruth Burke
 
Posts: 8247 | Registered: September 13, 2012Reply With QuoteReport This Post
1967Goat
Shit don't
mean shit
posted Hide Post
My work issued laptop is a HP Elitebook 850 G3 (listed above). I have the log file, but it's empty (C:\Users\Public\MicTray.log).
 
Posts: 5827 | Location: 7400 feet in Conifer CO | Registered: November 14, 2006Reply With QuoteReport This Post
nhtagmember
Political Cynic
Picture of nhtagmember
posted Hide Post
Microsoft has to be involved in this

would not surprise me if its buried in the auto-updates

perhaps its a way of getting back at those that don't want to downgrade to Windows 10 because of all of the automatic data gathering and reporting that it enabled as it installed


[B] Against ALL enemies, foreign and DOMESTIC

 
Posts: 53983 | Location: Tucson Arizona | Registered: January 16, 2002Reply With QuoteReport This Post
  Powered by Social Strata  
 

SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    JESU CHRISTO: Keylogger PRE-INSTALLED on 28 HP laptop models; in Conexant HD Audio Driver Package ver. 1.0.0.46 and earlier

© SIGforum 2024