Re: [NTSysADM] Keylogger Found in Audio Driver of HP Laptops

2017-05-11 Thread Erik Goldoff
In and of itself, maybe a case of blowing out of proportion.  But looking
at the potential for misuse/abuse, this *could* become something serious :(

On Thu, May 11, 2017 at 1:33 PM, Susan E Bradley 
wrote:

> https://community.spiceworks.com/topic/1993834-keylogger-in-hp-audio-driver
>
> "
>
> Edit: however, after reading the original article.. holy mother of blowing
> this out of proportion... good grief lol. So the purpose of the keylogging
> functionality in the actual driver is because many/most HP computers that
> use the driver have Conexant audio chips embedded, and that component of
> the driver is used to catch/register the function keys on the device that
> are used to modify sound volume etc.
>
> So while the driver does technically read all keystrokes, it is not
> actually supposed to save any of them to any file except under specific
> circumstances. The file is blank intentionally, and used for the sake of
> diagnostic debugging only, supposedly. The purpose being that many HP
> notebooks use this for microphone, volume, and even recording LED controls
> all built into the driver, and the driver needs to know if any of the
> applicable special keys or key combinations are pressed. The capability to
> read and write all keystrokes is supposedly a debugging and diagnostic
> feature only, that can only be called if the driver is placed into
> diagnostic or debugging mode. The driver file mentioned is designed to be
> automatically rewritten blank on every restart.
>
> The newest version or two of the driver however, does apparently write the
> keystrokes more liberally, and drops the output of keystrokes in an
> insecure API if the file is locked or deleted, which is a far greater
> problem to me, although all of those issues would require someone accessing
> the computer directly to make use of the information. Apparently, the
> functionality of capturing keystrokes is also extremely common, but
> outputting the data to a file for diagnostic or debugging purposes is new
> and (I concur) may not be a particularly wise implementation if the
> keystroke data is written anywhere except when in debug mode."
>
> On 5/11/2017 10:05 AM, Mike wrote:
>
> The Conexant software must be present on other laptops in the OEM image. I
> wonder if this is HP specific somehow or if other manufacturers have the
> same issue.
>
> On Thu, May 11, 2017 at 10:08 AM, Micheal Espinola Jr <
> michealespin...@gmail.com> wrote:
>
>> https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/
>>
>>> According to researchers, the keylogger feature was discovered in the
>>> Conexant HD Audio Driver Package version 1.0.0.46 and earlier.
>>>
>>> This is an audio driver that is preinstalled on HP laptops. One of the
>>> files of this audio driver is MicTray64.exe
>>> (C:\windows\system32\mictray64.exe).
>>>
>>> This file is registered to start via a Scheduled Task every time the user
>>> logs into his computer. According to modzero researchers, the file
>>> "monitors all keystrokes made by the user to capture and react to functions
>>> such as microphone mute/unmute keys/hotkeys."
>>>
>>> *This behavior, by itself, is not a problem, as many other apps work this
>>> way. The problem is that this file writes all keystrokes to a local file
>>> at:*
>>>
>>> *C:\users\public\MicTray.log*
>>
>> --
>> Espi
>
>
>



Re: [NTSysADM] Keylogger Found in Audio Driver of HP Laptops

2017-05-11 Thread Micheal Espinola Jr
On Thu, May 11, 2017 at 10:33 AM, Susan E Bradley 
wrote:

> Apparently, the functionality of capturing keystrokes is also extremely
> common, but outputting the data to a file for diagnostic or debugging
> purposes is new and (I concur) may not be a particularly wise
> implementation if the keystroke data is written anywhere except when in
> debug mode."
>


Yes, this is inherently the way most of these function-key trap functions
work. Nothing particularly new unfortunately.  But logging or otherwise
repurposing that data is a serious faux pas. Modzero's advisory is a bit
flamboyant, which is why I didn't link to it directly.

--
Espi



Re: [NTSysADM] Keylogger Found in Audio Driver of HP Laptops

2017-05-11 Thread Micheal Espinola Jr
We can only hope that it's just HP's mistake of leaving this sort of debug
option enabled in the driver during testing, and that it's not something
from the OEM chip provider.

--
Espi


On Thu, May 11, 2017 at 10:05 AM, Mike wrote:

> The Conexant software must be present on other laptops in the OEM image. I
> wonder if this is HP specific somehow or if other manufacturers have the
> same issue.
>
> On Thu, May 11, 2017 at 10:08 AM, Micheal Espinola Jr <
> michealespin...@gmail.com> wrote:
>
>> https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/
>>
>>> According to researchers, the keylogger feature was discovered in the
>>> Conexant HD Audio Driver Package version 1.0.0.46 and earlier.
>>>
>>> This is an audio driver that is preinstalled on HP laptops. One of the
>>> files of this audio driver is MicTray64.exe
>>> (C:\windows\system32\mictray64.exe).
>>>
>>> This file is registered to start via a Scheduled Task every time the user
>>> logs into his computer. According to modzero researchers, the file
>>> "monitors all keystrokes made by the user to capture and react to functions
>>> such as microphone mute/unmute keys/hotkeys."
>>>
>>> *This behavior, by itself, is not a problem, as many other apps work this
>>> way. The problem is that this file writes all keystrokes to a local file
>>> at:*
>>>
>>> *C:\users\public\MicTray.log*
>>
>> --
>> Espi
>
>



Re: [NTSysADM] Keylogger Found in Audio Driver of HP Laptops

2017-05-11 Thread Susan E Bradley

https://community.spiceworks.com/topic/1993834-keylogger-in-hp-audio-driver

"

Edit: however, after reading the original article.. holy mother of 
blowing this out of proportion... good grief lol. So the purpose of the 
keylogging functionality in the actual driver is because many/most HP 
computers that use the driver have Conexant audio chips embedded, and 
that component of the driver is used to catch/register the function keys 
on the device that are used to modify sound volume etc.


So while the driver does technically read all keystrokes, it is not 
actually supposed to save any of them to any file except under specific 
circumstances. The file is blank intentionally, and used for the sake of 
diagnostic debugging only, supposedly. The purpose being that many HP 
notebooks use this for microphone, volume, and even recording LED 
controls all built into the driver, and the driver needs to know if any 
of the applicable special keys or key combinations are pressed. The 
capability to read and write all keystrokes is supposedly a debugging 
and diagnostic feature only, that can only be called if the driver is 
placed into diagnostic or debugging mode. The driver file mentioned is 
designed to be automatically rewritten blank on every restart.


The newest version or two of the driver however, does apparently write 
the keystrokes more liberally, and drops the output of keystrokes in an 
insecure API if the file is locked or deleted, which is a far greater 
problem to me, although all of those issues would require someone 
accessing the computer directly to make use of the information. 
Apparently, the functionality of capturing keystrokes is also extremely 
common, but outputting the data to a file for diagnostic or debugging 
purposes is new and (I concur) may not be a particularly wise 
implementation if the keystroke data is written anywhere except when in 
debug mode."



On 5/11/2017 10:05 AM, Mike wrote:
The Conexant software must be present on other laptops in the OEM 
image. I wonder if this is HP specific somehow or if other 
manufacturers have the same issue.


On Thu, May 11, 2017 at 10:08 AM, Micheal Espinola Jr
<michealespin...@gmail.com> wrote:

https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/

According to researchers, the keylogger feature was discovered
in the Conexant HD Audio Driver Package version 1.0.0.46 and
earlier.

This is an audio driver that is preinstalled on HP laptops.
One of the files of this audio driver is MicTray64.exe
(C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every
time the user logs into his computer. According to modzero
researchers, the file "monitors all keystrokes made by the
user to capture and react to functions such as microphone
mute/unmute keys/hotkeys."

*This behavior, by itself, is not a problem, as many other
apps work this way. The problem is that this file writes all
keystrokes to a local file at:*

*C:\users\public\MicTray.log*


--
Espi







Re: [NTSysADM] Keylogger Found in Audio Driver of HP Laptops

2017-05-11 Thread Mike
The Conexant software must be present on other laptops in the OEM image. I
wonder if this is HP specific somehow or if other manufacturers have the
same issue.

On Thu, May 11, 2017 at 10:08 AM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/
>
>> According to researchers, the keylogger feature was discovered in the
>> Conexant HD Audio Driver Package version 1.0.0.46 and earlier.
>>
>> This is an audio driver that is preinstalled on HP laptops. One of the
>> files of this audio driver is MicTray64.exe
>> (C:\windows\system32\mictray64.exe).
>>
>> This file is registered to start via a Scheduled Task every time the user
>> logs into his computer. According to modzero researchers, the file
>> "monitors all keystrokes made by the user to capture and react to functions
>> such as microphone mute/unmute keys/hotkeys."
>>
>> *This behavior, by itself, is not a problem, as many other apps work this
>> way. The problem is that this file writes all keystrokes to a local file
>> at:*
>>
>> *C:\users\public\MicTray.log*
>
> --
> Espi
>
>
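
A read-only PowerShell check for the three artifacts named in the quoted article (MicTray64.exe, the Scheduled Task that starts it at logon, and C:\users\public\MicTray.log). This is an added example, not part of the thread or of any vendor tooling; the function name `Test-MicTrayExposure` is hypothetical, and `Get-ScheduledTask` assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread). Read-only: it never opens the log's contents.
# Paths are the ones quoted above; Test-MicTrayExposure is a hypothetical name.
function Test-MicTrayExposure {
    param(
        [string]$ExePath = 'C:\Windows\System32\MicTray64.exe',
        [string]$LogPath = 'C:\Users\Public\MicTray.log'
    )

    $report = [ordered]@{
        Computer     = $env:COMPUTERNAME
        ExePresent   = $false
        ExeVersion   = $null
        Tasks        = @()
        LogPresent   = $false
        LogBytes     = 0
        LogLastWrite = $null
    }

    if (Test-Path -LiteralPath $ExePath -PathType Leaf) {
        $report.ExePresent = $true
        # Report the binary's own file version; mapping it to the driver
        # package version (1.0.0.46 and earlier) is left to the operator.
        $report.ExeVersion = (Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
    }

    # Scheduled Tasks whose exec action launches MicTray (started at user logon).
    $report.Tasks = @(
        Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { $_.Actions | Where-Object { $_.Execute -match 'mictray' } } |
            ForEach-Object { $_.TaskPath + $_.TaskName }
    )

    if (Test-Path -LiteralPath $LogPath -PathType Leaf) {
        $log = Get-Item -LiteralPath $LogPath -Force
        $report.LogPresent   = $true
        $report.LogBytes     = $log.Length   # non-zero: keystroke data may be on disk
        $report.LogLastWrite = $log.LastWriteTime
    }

    [pscustomobject]$report
}

$r = Test-MicTrayExposure
$r | Format-List
if ($r.LogBytes -gt 0) {
    Write-Warning "MicTray.log on $($r.Computer) is $($r.LogBytes) bytes; treat as sensitive."
}
```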