Security News Keylogger Found in Audio Driver of HP Laptops

frogboy

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.

Keylogger found in preinstalled audio driver
According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier.

This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at:

C:\users\public\MicTray.log

Audio driver also exposes keystrokes in real-time via local API
If the file doesn't exist or a registry key containing this file's path does not exist or was corrupted, the audio driver will pass all keystrokes to a local API, named the OutputDebugString API.

The danger is that malicious software installed on the computer, or a person with physical access to the computer, can copy the log file and have access to historical keystroke data, from where he can extract passwords, chat logs, visited URLs, source code, or any other sensitive data.

Furthermore, the OutputDebugString API provides a covert channel for malware to record real-time keystrokes without using native Windows functions, usually under the watchful eye of antivirus software.

Keylogger feature confirmed in HP laptops
Modzero researchers said they found the Conexant HD Audio Driver Package preinstalled on 28 HP laptop models. Other hardware that uses this driver may also be affected, but investigators haven't officially confirmed that the issue affects other manufacturers.

Full Article. Keylogger Found in Audio Driver of HP Laptops
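
A read-only way to look for the artifacts the article names, added here as an example and not part of the original post or of modzero's advisory. The two paths come from the article; the function name and report fields are this example's own.

```powershell
# Added example: read-only check for the artifacts named in the article.
# Function and property names are this example's own; nothing here changes the system.
function Get-MicTrayExposure {
    $exe = Join-Path $env:windir 'System32\MicTray64.exe'
    $log = 'C:\Users\Public\MicTray.log'   # the shared Public profile, as given in the article

    $report = [ordered]@{
        ExePath    = $exe
        ExePresent = Test-Path -LiteralPath $exe
        ExeVersion = $null
        LogPresent = Test-Path -LiteralPath $log
        LogBytes   = $null
        LogWritten = $null
        LogReaders = @()
    }
    if ($report.ExePresent) {
        $report.ExeVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    }
    if ($report.LogPresent) {
        $item = Get-Item -LiteralPath $log -Force
        $report.LogBytes   = $item.Length
        $report.LogWritten = $item.LastWriteTime
        # Accounts allowed to read the log: each one listed can recover typed keystrokes.
        $read = [System.Security.AccessControl.FileSystemRights]::ReadData
        $report.LogReaders = @((Get-Acl -LiteralPath $log).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (($_.FileSystemRights -band $read) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value })
    }
    # The article says MicTray64.exe starts from a Scheduled Task at logon but does not
    # name the task, so match on the task action instead of a task name.
    $report.Tasks = @(Get-ScheduledTask |
        Where-Object { $_.Actions.Execute -match 'MicTray' } |
        ForEach-Object { '{0}{1} [{2}]' -f $_.TaskPath, $_.TaskName, $_.State })
    # Installed Conexant drivers, for comparison with the package version the article
    # gives as affected (1.0.0.46 and earlier).
    $report.Drivers = @(Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -match 'Conexant' -or $_.Manufacturer -match 'Conexant' } |
        ForEach-Object { '{0} {1}' -f $_.DeviceName, $_.DriverVersion })
    [pscustomobject]$report
}

Get-MicTrayExposure | Format-List
```

A non-empty LogBytes together with a task in the Ready or Running state means keystrokes are being written to a file that the accounts in LogReaders can open.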
 

Weebarra

Yikes, should I be worried? As most of you know, I don't have a clue about computer-y stuff but I was sure I had seen that Conexant name somewhere, I don't have an HP laptop either but would welcome your advice. Where would I look to see if I have that?
 

SHvFl

Weebarra said:
Yikes, should I be worried? As most of you know, I don't have a clue about computer-y stuff but I was sure I had seen that Conexant name somewhere, I don't have an HP laptop either but would welcome your advice. Where would I look to see if I have that?

No reason to worry at this point if you don't even have an HP device. If you can check if you use the Conexant HD driver then do it to be 100%.
 

Weebarra

Thank you, I meant to add this to my other post, that's why I was worried.

[Attachment: Untitled.jpg]
 

SHvFl

Weebarra said:
Thank you, I meant to add this to my other post, that's why I was worried.
[Attachment 149830]

You seem to have a Conexant driver so you might have the issue.
Go here and see if you have that
C:\windows\system32\mictray64.exe

C:\users\public\MicTray.log

Replace user with your account username.
 

SHvFl

Weebarra said:
Thanks @SHvFl, I don't seem to have it so no panic I suppose. I didn't even know that part of my pc existed, lol, I never look at the gubbins because I just don't understand them and doubt I ever will :oops:. Thanks for talking me through where to look.

None knew this until the article. These are things that are hard to predict. For sure they will push an update and fix the issue now that it was discovered.
 
509322

This is not something to get all bent out of shape about.

1. Malware has to run on the system; and
2. The malware must target the mictray.log
or
3. A malicious actor must gain physical access to the PC; and
4. they must know about mictray.log

It is not a backdoor or spyware.

Potential mitigations:

1. Allow only the Conexant utility to access the mictray.log (For example, in AppGuard make mictray.log Private)
2. If you are using file sharing, set deny permissions for mictray.log
3. Set a strong WinLogon password
4. Disable the MicTray task if you wish
5. Uninstall the driver and installed audio utility if you wish
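
Mitigations 4 and 2 from the list above as a script, added here as an example and not written by the poster or by HP/Conexant. The function name is this example's own, and the file permission step is done as an allow-list for SYSTEM and Administrators, which is one interpretation of "set deny permissions".

```powershell
# Added example: mitigations 4 and 2 from the list above. Run from an elevated prompt.
# The function name is this example's own; -WhatIf shows what would change.
function Disable-MicTrayLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$LogPath = 'C:\Users\Public\MicTray.log')

    # Mitigation 4: the page does not give the task name, so find it by its action.
    $tasks = Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'MicTray' }
    foreach ($t in $tasks) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Disable scheduled task')) {
            $t | Disable-ScheduledTask | Out-Null
        }
    }
    # Disabling the task does not stop an instance already running in this session.
    foreach ($p in Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop MicTray64')) {
            $p | Stop-Process -Force
        }
    }

    # Mitigation 2, done as an allow-list: only SYSTEM and Administrators keep access,
    # so other accounts and share users can no longer read recorded keystrokes.
    # The log is kept, not deleted: per the article, a missing log makes the driver
    # pass keystrokes to OutputDebugString instead.
    if (Test-Path -LiteralPath $LogPath) {
        $acl = Get-Acl -LiteralPath $LogPath
        $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
        $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {       # SYSTEM, BUILTIN\Administrators
            $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                        $id, 'FullControl', 'Allow')
            $acl.AddAccessRule($rule)
        }
        if ($PSCmdlet.ShouldProcess($LogPath, 'Restrict ACL to SYSTEM and Administrators')) {
            Set-Acl -LiteralPath $LogPath -AclObject $acl
        }
    }
}

Disable-MicTrayLogging -WhatIf   # remove -WhatIf to apply the changes
```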
 

darko999

I'm more shocked by the fact of the path, like it doesn't even care. It could be a more hard to find place or use some technique so it will be harder to find, but no.

PS: I don't have an HP laptop but I have always been doubtful about these autorun "trayname" files which come with certain audio drivers. I have always removed them without getting any issues, since Windows 7.
 
