Security News Keylogger Found in Audio Driver of HP Laptops

frogboy

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.

Keylogger found in preinstalled audio driver
According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier.

This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at:

C:\users\public\MicTray.log

Audio driver also exposes keystrokes in real-time via local API
If the file doesn't exist or a registry key containing this file's path does not exist or was corrupted, the audio driver will pass all keystrokes to a local API, named the OutputDebugString API.

The danger is that malicious software installed on the computer, or a person with physical access to the computer, can copy the log file and have access to historical keystroke data, from where he can extract passwords, chat logs, visited URLs, source code, or any other sensitive data.

Furthermore, the OutputDebugString API provides a covert channel for malware to record real-time keystrokes without using native Windows functions, usually under the watchful eye of antivirus software.

Keylogger feature confirmed in HP laptops
Modzero researchers said they found the Conexant HD Audio Driver Package preinstalled on 28 HP laptop models. Other hardware that uses this driver may also be affected, but investigators haven't officially confirmed that the issue affects other manufacturers.

Full Article. Keylogger Found in Audio Driver of HP Laptops
 
Mine is an HP laptop, but has a Realtek audio driver. Hopefully, Realtek doesn't have this issue.
Mine too. Even if Realtek has the same issue, I don't think it's active on my laptop because I had disabled it from startup in msconfig. There are no audio drivers running in Task Manager as well. :)
 
Yikes, should I be worried? As most of you know, I don't have a clue about computer-y stuff but I was sure I had seen that Conexant name somewhere. I don't have an HP laptop either but would welcome your advice. Where would I look to see if I have that?
No reason to worry at this point if you don't even have an HP device. If you can check if you use the Conexant HD driver then do it to be 100%.
 
Thank you, I meant to add this to my other post, that's why I was worried.

 
You seem to have a Conexant driver so you might have the issue.
Go here and see if you have that
C:\windows\system32\mictray64.exe

C:\users\public\MicTray.log

Replace user with your account username.
 
Thanks @SHvFl, I don't seem to have it so no panic I suppose. I didn't even know that part of my PC existed, lol, I never look at the gubbings because I just don't understand them and doubt I ever will :oops:. Thanks for talking me through where to look.
No one knew this until the article. These are things that are hard to predict. For sure they will push an update and fix the issue now that it was discovered.
 
That's why it is always wise to monitor all the processes that are running in the background of our PCs; we never know what their real purpose is.

I wish I knew how to, I just let my PC do whatever it wants, I don't even know where to look to find the processes (yes, I am a bit dim)
 
This is not something to get all bent out of shape about.

1. Malware has to run on the system; and
2. The malware must target the mictray.log
or
3. A malicious actor must gain physical access to the PC; and
4. they must know about mictray.log

It is not a backdoor or spyware.

Potential mitigations:

1. Allow only the Conexant utility to access the mictray.log (For example, in AppGuard make mictray.log Private)
2. If you are using file sharing, set deny permissions for mictray.log
3. Set a strong WinLogon password
4. Disable the MicTray task if you wish
5. Uninstall the driver and installed audio utility if you wish
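
The file checks and the "disable the MicTray task" mitigation discussed in the posts above, as an added PowerShell example that is not part of any post or of the quoted article. The two paths come from the article; the task name is not given on the page, so the script matches tasks by the program they launch, and the `-DisableTask` switch is this example's own parameter.

```powershell
# Added example: audit a Windows host for the MicTray artifacts named in this thread.
# Read-only unless -DisableTask is given. Run from an elevated PowerShell prompt.
param([switch]$DisableTask)

$exe = Join-Path $env:windir 'System32\MicTray64.exe'   # path from the article
$log = 'C:\Users\Public\MicTray.log'                     # path from the article

$report = [ordered]@{
    ExePresent = Test-Path -LiteralPath $exe
    LogPresent = Test-Path -LiteralPath $log
}

if ($report.ExePresent) {
    # Reported only: the page gives the driver package version (1.0.0.46 and earlier),
    # not how it maps to this file's version, so no comparison is made here.
    $report.ExeFileVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
}

if ($report.LogPresent) {
    $item = Get-Item -LiteralPath $log
    $report.LogBytes     = $item.Length          # size and timestamp only, never the contents
    $report.LogLastWrite = $item.LastWriteTime
    # Accounts holding an Allow entry with full read rights on the log
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $report.LogReaders = (Get-Acl -LiteralPath $log).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $read) -eq $read } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Find the logon task by what it executes rather than by an assumed name.
$tasks = @(Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'mictray' })
$report.Tasks = $tasks | ForEach-Object { '{0}{1} [{2}]' -f $_.TaskPath, $_.TaskName, $_.State }

[pscustomobject]$report | Format-List

if ($DisableTask -and $tasks.Count -gt 0) {
    $tasks | Disable-ScheduledTask | Out-Null
    Write-Output "Disabled $($tasks.Count) task(s); sign out and back in, then re-run to confirm."
}
```

A missing MicTray.log alone does not clear a machine: per the article, when the file or its registry entry is absent the keystrokes go to OutputDebugString instead, so check `ExePresent` and `Tasks` as well.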
 
I'm more shocked by the fact of the path, like it doesn't even care. It could be a harder-to-find place or use some technique so it will be harder to find, but no.

PS: I don't have an HP laptop but I have always been doubtful about these autorun "trayname" files which come with certain audio drivers. I have always removed them without getting any issues, since Windows 7.
 
