Status
Not open for further replies.
1 - 2 of 2 Posts

Discussion Starter · #1 ·
NetFlash: Samsung installs keylogger on its laptops

[UPDATE: Samsung has launched an investigation into the matter and is working with Mich Kabay and Mohamed Hassan in the investigation. Samsung engineers are collaborating with the computer security expert, Mohamed Hassan, MSIA, CISSP, CISA, with faculty at the Norwich University Center for Advanced Computing and Digital Forensics, and with the antivirus vendor whose product identified a possible keylogger (or which may have issued a false positive). The company and the University will post news as fast as possible on Network World. A Samsung executive is personally delivering a randomly selected laptop purchased at a retail store to the Norwich scientists. Prof. Kabay praises Samsung for its immediate, positive and collaborative response to this situation.]

A user discovered a keylogger pre-installed on two brand-new Samsung laptops that the company admitted was there to "monitor the performance of the machine and to find out how it is being used."

Mohamed Hassan wrote in Mich Kabay’s Security Strategies newsletter that as soon as he received his Samsung R525 laptop, he ran a full system scan and found a commercial keylogger called StarLogger.

StarLogger claims it records every keystroke made on the computer, even on password-protected boxes, starting up whenever the computer starts up. The software emails results at intervals to a specified email address and will even include screen captures.

Hassan ended up buying a second Samsung laptop, a model R540, and found the same keylogger installed on that one.

"The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops," he writes.

Hassan reports that at first Samsung Support personnel denied that they installed the software and directed him to Microsoft, but then eventually admitted that Samsung was responsible.

As Hassan notes, the incident is reminiscent of the Sony BMG rootkit fiasco of 2005. At the time, Sony BMG used a rootkit to monitor computer user behavior and limit how music CDs were used on the computer.

Kabay says that Samsung has not responded to further requests for comment.
 

Discussion Starter · #2 ·
Confirmed: Samsung is Not Shipping Keyloggers

Confirmed: Samsung is Not Shipping Keyloggers - F-Secure Weblog : News from the Lab

We now have confirmation for what we wrote in our previous blog post: Samsung is not shipping keyloggers on their laptops.

The whole saga was caused by a false alarm of the VIPRE Antivirus product. Apparently VIPRE detects the StarLogger keylogger by searching for the existence of a directory called "SL" in the root of the Windows directory. This is a bad idea.

As an example, here's a screenshot showing VIPRE alerting on a completely clean Windows computer after an empty "SL" folder was created:

As some Samsung laptops do indeed have a folder called "C:\WINDOWS\SL" on them by default, VIPRE would alert on them with a similar warning.

Unfortunately Mohamed Hassan (CISSP) who did the original analysis did not double-check his findings and blamed Samsung instead. Apparently he did not look at the contents of the "SL" folder at all.

Samsung is innocent.

Many thanks to fellow Twitterers @the_pc_doc, @SecurityLabsGR and @paulmutton who helped with the investigation!

Updated to add: Alex Eckelberry has posted a blog post explaining further why VIPRE had the false alarm.
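
The false alarm described in the F-Secure post above, reproduced as an added example (not code from the forum posts, F-Secure or VIPRE): a path-only check next to one that inspects the files inside the folder. The hash set and fixture files are constructed placeholders, not real StarLogger indicators, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a known-bad file; NOT a real StarLogger artifact.
SAMPLE_BAD_BYTES = b"constructed sample standing in for a keylogger binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}


def naive_detect(windows_dir):
    """Heuristic described in the post: alert if <windows_dir>/SL exists."""
    return (windows_dir / "SL").is_dir()


def content_detect(windows_dir):
    """Return files under SL whose SHA-256 matches a known-bad hash."""
    sl = windows_dir / "SL"
    if not sl.is_dir():
        return []
    return [p for p in sorted(sl.rglob("*"))
            if p.is_file()
            and hashlib.sha256(p.read_bytes()).hexdigest() in KNOWN_BAD_SHA256]


def build_case(root, name, files):
    """Create a fake Windows directory; files=None means no SL folder."""
    win = root / name / "WINDOWS"
    win.mkdir(parents=True)
    if files is not None:
        (win / "SL").mkdir()
        for fname, data in files.items():
            (win / "SL" / fname).write_bytes(data)
    return win


def run_cases():
    """Return {case: (naive alert?, number of content matches)}."""
    cases = {  # all constructed test fixtures
        "no_sl_folder": None,
        "empty_sl_folder": {},  # the false-alarm scenario from the post
        "benign_files": {"notes.txt": b"harmless constructed content"},
        "known_bad_file": {"sample.bin": SAMPLE_BAD_BYTES},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in cases.items():
            win = build_case(Path(tmp), name, files)
            results[name] = (naive_detect(win), len(content_detect(win)))
    return results


if __name__ == "__main__":
    for case, (naive, matches) in run_cases().items():
        print(f"{case:16} naive_alert={naive!s:5} content_matches={matches}")
```

The path-only check alerts on the empty and benign folders as well as the one holding the matching file, while the content check reports only the matching file.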
 