Keylogger in Hewlett-Packard Audio Driver

Keylogger spotted in Hewlett-Packard Driver

An honest “mistake” can quickly become malicious in the wrong hands, so the best course of action is simply to correct the mistake. We believe that a keylogger recording user activity in clear text is a bad idea, regardless of whether it was an honest mistake or part of a nefarious plan, so we are flagging and removing this manufacturer-installed keylogger from the affected Hewlett-Packard laptops.

The other day, Thorsten Schröder, a security researcher at Modzero, published an advisory about MicTray64.exe, a component of the Conexant audio driver that is pre-installed on Hewlett-Packard notebooks in the EliteBook, ProBook, Elite x3 and ZBook series.


What does the Hewlett-Packard driver do?

The driver's tray component registers a low-level keyboard hook so that it can react to the keyboard shortcuts that, for example, mute the microphone or control the recording LED. But it does more than that: it records nearly every keystroke on the machine and writes them to a plain text file, C:\Users\Public\MicTray.log, which is neither encrypted nor access-restricted. Because it lives under the Public profile, every local account on the machine can read it. Such a file holds critical data: personal information, user accounts, and even passwords and card codes, and cybercriminals could exploit it to steal a wealth of information. Older versions of the driver did not write a file but passed the key codes to the Windows debug API (OutputDebugString()), which is no better: any local process that registers as a debug-output listener can capture them.
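The following PowerShell script is an added example and is not code from the original post or from HP, Conexant or Avira. It checks a Windows host for the artifacts described above (the tray executable, the keystroke log and a running tray process), shows which principals can read the log, and optionally deletes the log. The log path comes from the advisory; the executable locations under System32 and the process names are assumptions about where the tray component is normally installed and should be adjusted if an image differs. Run it from an elevated prompt.

```powershell
# Added example (not from the original post, HP, Conexant or Avira): audit a host for
# the MicTray keystroke log and related artifacts; pass -Remove to delete the log.
param(
    [switch]$Remove
)

$logFile  = 'C:\Users\Public\MicTray.log'        # keystroke log named in the advisory
$binaries = @(                                    # ASSUMED install locations of the tray component
    'C:\Windows\System32\MicTray64.exe',
    'C:\Windows\System32\MicTray.exe'
)
$procNames = @('MicTray64', 'MicTray')            # ASSUMED process names (exe names without extension)

$findings = @()

# 1. Is the tray component present, and which version?
foreach ($bin in $binaries) {
    if (Test-Path -LiteralPath $bin) {
        $ver = (Get-Item -LiteralPath $bin).VersionInfo.FileVersion
        $findings += "MicTray component present: $bin (file version $ver)"
    }
}

# 2. Does the keystroke log exist, how big is it, and who can read it?
if (Test-Path -LiteralPath $logFile) {
    $item = Get-Item -LiteralPath $logFile
    $findings += "Keystroke log present: $logFile ($($item.Length) bytes, last written $($item.LastWriteTime))"

    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -LiteralPath $logFile).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
            $findings += "  readable by: $($ace.IdentityReference)"
        }
    }
}

# 3. A running tray process keeps the hook active and recreates the log.
Get-Process -Name $procNames -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Running process: $($_.ProcessName) (PID $($_.Id))" }

if ($findings.Count -eq 0) {
    Write-Output 'No MicTray keylogger artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}

# Optional cleanup: stop the tray process first so it cannot immediately recreate
# the file, then delete the log. This removes captured keystrokes but does not
# remove the hook itself; that requires the vendor update or removing the component.
if ($Remove -and (Test-Path -LiteralPath $logFile)) {
    Get-Process -Name $procNames -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-Item -LiteralPath $logFile -Force
    Write-Output "Deleted $logFile"
}
```

The ACL listing is the part worth looking at: because the log is written below C:\Users\Public, the inherited entries normally grant read access to all local users, which is what turns a careless debug log into a shared keystroke store. Deleting the log only removes what has been captured so far; as long as the tray component runs, it will be written again, so the script should be followed by the manufacturer's update.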

This sets off all sorts of alarms for a security company like ours and for the measures we take to protect our customers. At present we see no sign in our threat telemetry that criminals are abusing this flaw. But as the recent WannaCry ransomware outbreak showed, we want to make sure they cannot.


Related article

https://blog.avira.com/wannacrypt0r-ransomware/


Yes, you’re protected!

Therefore, we decided to protect our customers by releasing a new detection pattern that classifies the related files as the security/privacy risk ‘SPR/Keylogger’. Avira customers are already protected through the Avira Protection Cloud. Avira will also remove the log file as soon as it is detected.

“Having the best protection for our customers is our highest value – and this extends to legitimate applications from companies like this that carry a high potential risk.” – Alexander Vukcevic, Director Avira Protection Services

Meanwhile, Hewlett-Packard has apologized for the issue and promised an update for affected users.

Team Leader Virus Lab Disinfection Service