TechViews News
Security firm ‘Modzero AG’ in Switzerland released a white paper (PDF) that contains details about a keylogger in some HP audio drivers. The keylogger is built into the driver by Conexant and records all of your keystrokes into a text file located in the public folder, at C:\Users\Public\MicTray.log.
The security advisory lists almost 30 HP machines known to use the bad drivers, including EliteBook, ProBook, ZBook, and Elite x2 models running both Windows 10 and Win7. It’s a large lineup, including many current models.
Conexant’s MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys.
Modzero says it found evidence of the problematic behavior going all the way back to December 2015. It’s still there today with driver Version 1.0.0.46.
The report raises several questions. First, why a keylogger is in the audio driver, and second, how to make sure it is not running on your HP devices.
The first thing you need to know is that only HP devices appear to be affected by this. Modzero suggests that users check whether the files C:\Windows\System32\MicTray64.exe and C:\Windows\System32\MicTray.exe exist, and if they do, delete or rename the executable files to stop the keylogger.
Additionally, users need to check for the existence of the C:\Users\Public\MicTray.log file, and if it exists, delete it. Since all keystrokes are logged to the text file, it may contain sensitive information such as authentication data, credit card numbers, and personal chat messages or emails. Please note, however, that the file is overwritten after each login.
While that is better than the file never being overwritten, backups, file history, or other services that create copies of the file may have saved previous versions of it. If you use any of these, make sure you delete the copies they hold as well to avoid potential leaks.
Removal Process:
- Check if C:\Windows\System32\MicTray64.exe exists. If it does, delete the file, or rename it.
- Check if C:\Windows\System32\MicTray.exe exists. If it does, delete the file, or rename it.
- Check if C:\Users\Public\MicTray.log exists. If it does, delete the file.
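
The three checks above can be run as one PowerShell script. This is an added example, not code from Modzero or from the original article; the `-Remediate` switch and the `.disabled` rename suffix are names chosen for this example, and the scheduled-task lookup matches on the executable path because the article does not give the task's name.

```powershell
# Added example: audit (and optionally remediate) the MicTray files named in the article.
# Run from an elevated 64-bit PowerShell prompt; a 32-bit host is redirected from
# System32 to SysWOW64 and would miss the files. Report-only unless -Remediate is given.
param([switch]$Remediate)   # hypothetical switch name chosen for this example

# Paths exactly as listed in the removal process above.
$executables = 'C:\Windows\System32\MicTray64.exe', 'C:\Windows\System32\MicTray.exe'
$logFile     = 'C:\Users\Public\MicTray.log'

foreach ($exe in $executables) {
    if (-not (Test-Path -LiteralPath $exe)) { Write-Output "OK       $exe not present"; continue }
    $item = Get-Item -LiteralPath $exe
    Write-Output "FOUND    $exe (file version $($item.VersionInfo.FileVersion))"
    if ($Remediate) {
        # Renaming does not stop an instance that is already running, so end it first.
        Get-Process -Name $item.BaseName -ErrorAction SilentlyContinue | Stop-Process -Force
        # Rename rather than delete so the change can be reverted; the suffix is arbitrary.
        Rename-Item -LiteralPath $exe -NewName ($item.Name + '.disabled') -ErrorAction Stop
        Write-Output "RENAMED  $exe -> $($item.Name).disabled"
    }
}

if (Test-Path -LiteralPath $logFile) {
    $log = Get-Item -LiteralPath $logFile
    Write-Output "FOUND    $logFile ($($log.Length) bytes, last written $($log.LastWriteTime))"
    if ($Remediate) {
        Remove-Item -LiteralPath $logFile -Force -ErrorAction Stop
        Write-Output "DELETED  $logFile"
    }
} else {
    Write-Output "OK       $logFile not present"
}

# The article says the program is registered as a scheduled task but does not name it,
# so list any task whose action launches a MicTray binary.
# Get-ScheduledTask is only available on Windows 8 and later.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.Actions.Execute -like '*MicTray*' } |
        ForEach-Object { Write-Output "TASK     $($_.TaskPath)$($_.TaskName) -> $($_.Actions.Execute)" }
}
```

The script only touches the live files; copies of MicTray.log held in backups or file history still have to be removed separately.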
Users who operate affected devices need to make sure that the driver software is not updated. If it is updated, new versions of the keylogging program will be installed on the system, and the logging begins anew.
It is difficult to justify the integration of a keylogger in software; it is just one more way that software manufacturers want to steal private, sensitive information from users.
Be Safe – Backup Your Data Regularly!