Your HP device might have a keylogger installed
Fresh from Switzerland comes a report from security firm modzero AG about a keylogger in audio drivers of certain HP devices.
The keylogger is built into the driver, records all keystrokes made by users of the system, and saves them to the log file MicTray.log in the C:\Users\Public\ folder of the computer. Note that the log file is written to the Public folder, which every account on the machine can read, and not to the user-specific folder.
The report raises several questions: first, why a keylogger is in the audio driver at all, and second, how to make sure it is not running on your HP devices.
The second question is more pressing than the first, so let's start with it and address the first question afterwards.
The first thing to know is that only HP devices appear to be affected by this. The company lists HP EliteBook, HP ProBook, HP Elite, and HP ZBook models on its website, and the operating systems Windows 7 and Windows 10. You can consult the full list of affected devices here.
Modzero suggests that users check whether the files C:\Windows\System32\MicTray64.exe and C:\Windows\System32\MicTray.exe exist, and if they do, delete or rename the executable files to stop the keylogger.
Additionally, users need to check for the existence of the C:\Users\Public\MicTray.log file, and if it exists, delete it. Since all keystrokes are logged to the text file, it may contain sensitive information such as authentication data, credit card numbers, and personal chat messages or emails. Please note, however, that the file is overwritten after each login.
While that is better than the file never being overwritten, backups, File History, or other services that create copies of the file may have saved previous versions of it. If you run any of these, make sure you delete the information from those copies as well to avoid potential leaks.
- Check if C:\Windows\System32\MicTray64.exe exists. If it does, delete the file, or rename it.
- Check if C:\Windows\System32\MicTray.exe exists. If it does, delete the file, or rename it.
- Check if C:\Users\Public\MicTray.log exists. If it does, delete the file.
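The checklist above, as an added PowerShell script that is not part of the article or of modzero's report. It reports the three artefacts the article names, shows who signed the executables, and only renames or deletes anything when run with -Remediate (it also honours -WhatIf). The scheduled-task check assumes the login task's action references a MicTray executable; the article does not name the task, so that part is an assumption.

```powershell
# Added example (not from the article or from modzero): detect and, on request,
# clean up the MicTray artefacts listed in the article. Run from an elevated
# PowerShell; files under System32 may additionally require taking ownership.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Paths exactly as named in the article
$Executables = @(
    'C:\Windows\System32\MicTray64.exe',
    'C:\Windows\System32\MicTray.exe'
)
$LogFile = 'C:\Users\Public\MicTray.log'

function Get-MicTrayFindings {
    # Returns one object per artefact that is present on this machine.
    foreach ($path in ($Executables + $LogFile)) {
        if (Test-Path -LiteralPath $path) {
            $item  = Get-Item -LiteralPath $path
            $isExe = $path -like '*.exe'
            [pscustomobject]@{
                Path      = $path
                Kind      = if ($isExe) { 'Executable' } else { 'Log' }
                SizeBytes = $item.Length
                LastWrite = $item.LastWriteTimeUtc
                # Signer of the binary, so you can see whether it is the vendor's file
                Signer    = if ($isExe) {
                                (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
                            } else { $null }
            }
        }
    }
}

function Get-MicTrayScheduledTasks {
    # Assumption: the run-at-login task's action points at a MicTray executable.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Actions | Where-Object { $_.Execute -like '*MicTray*' } }
}

function Invoke-MicTrayRemediation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][object[]]$Findings)

    # Stop a running instance first so it cannot rewrite the log after we delete it
    Get-Process -Name 'MicTray64', 'MicTray' -ErrorAction SilentlyContinue |
        Where-Object { $PSCmdlet.ShouldProcess($_.Name, 'Stop process') } |
        Stop-Process -Force

    foreach ($f in $Findings) {
        if ($f.Kind -eq 'Executable') {
            # Rename rather than delete so a copy survives for the incident record
            $newName = [System.IO.Path]::GetFileName($f.Path) + '.disabled'
            if ($PSCmdlet.ShouldProcess($f.Path, "Rename to $newName")) {
                Rename-Item -LiteralPath $f.Path -NewName $newName
            }
        } elseif ($PSCmdlet.ShouldProcess($f.Path, 'Delete log file')) {
            Remove-Item -LiteralPath $f.Path -Force
        }
    }
}

$found = @(Get-MicTrayFindings)
if ($found.Count -eq 0) {
    Write-Host 'No MicTray artefacts found.'
} else {
    $found | Format-Table -AutoSize
    Get-MicTrayScheduledTasks | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize
    if ($Remediate) { Invoke-MicTrayRemediation -Findings $found -WhatIf:$WhatIfPreference }
}
```

Run it once without switches to see what is present, then with `-Remediate -WhatIf` to preview the changes, and finally with `-Remediate`. Renaming the executables keeps a copy for the incident record while still preventing the scheduled task from launching them; delete the renamed copies afterwards if your policy requires it.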
Some background information
The executable file MicTray (in its 64-bit and/or 32-bit variant) is installed with the Conexant audio driver. The program is scheduled to run right after user login, and starts to capture keystrokes as soon as it runs.
Its main function is to provide functionality between key presses on the device, and certain audio driver features such as muting the microphone.
Modzero reveals the following about the keylogging component:
Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().
You probably wonder why the keylogger was added to the driver in the first place. Modzero has an answer for that as well.
Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive.
Users who operate affected devices need to make sure that the software is not updated. If it is updated, a new version of the keylogging program will be installed on the system, and the logging begins anew.
It is difficult to justify the integration of a keylogger in software, and even harder to understand why the driver passed Microsoft's quality controls, as Woody points out over on InfoWorld.