Security researchers have warned that HP machines could turn into spyware thanks to an audio driver developed by Conexant Systems, Inc., which comes pre-installed on more than a dozen HP devices.
According to a security advisory published by Switzerland-based security consulting firm ModZero, the audio driver made by Conexant comes with a component, “MicTray64.exe”, an executable file capable of recording all keystrokes, which are then stored on the computer’s C drive in the log file C:\Users\Public\MicTray.log.
The recently spotted keylogger dates back to version 126.96.36.199, released in December 2015, and even the latest version 188.8.131.52 has the same functionality. The ModZero researchers who found the keylogger said:
“This type of debugging turns the audio driver effectively into a keylogging spyware. On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.”
Conexant’s MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().
In addition to the handling of hotkey/function keystrokes, all key-scancode information is written into a log file in a world-readable path (C:\Users\Public\MicTray.log). If the log file does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user’s keystrokes. In version 10.0.0.31, only OutputDebugString was used to forward key scancodes and nothing was written to files.
The affected devices are HP EliteBook G3 Notebook series, HP ProBook G2 Notebook series, HP ProBook G3 Notebook series, HP ZBooks and HP Elitebooks. To check whether or not your computer is safe, search for:
C:\Windows\System32\MicTray.exe or C:\Windows\System32\MicTray64.exe.
If your device contains either of the above files, it is also affected.
The big problem
The keylogger, according to researchers, stores all the keys pressed in a session, including emails, passwords, contacts, etc. Although the logs stored by the keylogger are overwritten every time the PC is rebooted, it could still be a big problem, as these files can sometimes be recovered.
While researchers couldn’t find the purpose of the keylogger, they believe that storing the keystroke data is unnecessary and shows negligence on the part of the driver’s developer. ModZero’s CEO, Thorsten Schroeder, said:
- “If the developer would just disable all logging, using debug logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user.”
HP and Conexant officials have been warned of this keylogger and an HP official told media that “HP is committed to the security of its customers, and we are aware of an issue on select HP PCs. We have identified a fix and will make it available to our customers.”
Until an official patch is released, users are advised to delete or rename the file C:\Windows\System32\MicTray.exe or C:\Windows\System32\MicTray64.exe, though this might disable the audio-related special function keys.
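The check and the rename workaround described above, as an added PowerShell example (not code from the advisory, HP or Conexant). The file paths come from the article; the `-Rename` switch, the `.disabled` suffix and finding the scheduled task by matching `MicTray` in its action are assumptions, since the article does not name the task.

```powershell
# Added example. Run from an elevated 64-bit PowerShell: a 32-bit host
# redirects System32 to SysWOW64 and would miss the files.
param([switch]$Rename)  # hypothetical switch: apply the rename workaround

$binaries = 'C:\Windows\System32\MicTray.exe', 'C:\Windows\System32\MicTray64.exe'
$logPath  = 'C:\Users\Public\MicTray.log'
$findings = @()

foreach ($path in $binaries) {
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type = 'Binary'; Item = $path
            Detail = "FileVersion $($file.VersionInfo.FileVersion)"
        }
    }
}

# Report log metadata only; the contents are captured keystrokes.
if (Test-Path -LiteralPath $logPath) {
    $log = Get-Item -LiteralPath $logPath
    $findings += [pscustomobject]@{
        Type = 'Log'; Item = $logPath
        Detail = "$($log.Length) bytes, last written $($log.LastWriteTime)"
    }
}

# Assumption: the task is located by its action path; its name is not given.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions.Execute -match 'MicTray' }
foreach ($task in $tasks) {
    $findings += [pscustomobject]@{
        Type = 'ScheduledTask'; Item = "$($task.TaskPath)$($task.TaskName)"
        Detail = "State $($task.State)"
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No MicTray artifacts found.' }

if ($Rename) {
    # Stop the running helper, then rename the binaries (suffix is an assumption).
    Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($path in ($binaries | Where-Object { Test-Path -LiteralPath $_ })) {
        Rename-Item -LiteralPath $path -NewName ((Split-Path $path -Leaf) + '.disabled')
    }
}
```

Without `-Rename` the script only reports; the log's size and last-write time show whether keystrokes were being written to disk on this machine.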