We all remember the 2005 story of the Sony rootkit that was installed on systems from music CDs. Heavy pressure in the media, class-action lawsuits, the intervention of the US Federal Trade Commission... The story did not come cheap for Sony: more than half a billion dollars. It would seem that all manufacturers should have learned a lesson from this...
But, as Mark Russinovich, who discovered the rootkit, prophetically remarked, “Consumers have no guarantees that other companies will not decide on this.”
How right he was.
So, February 2011. Mohamed Hassan, a recent graduate of Norwich University (England) with a degree in information security and owner of NetSec Consulting, buys a new Samsung R525 laptop from a store and begins to set it up. After installing the OS and doing the initial configuration, he does not immediately rush to install application software such as Opera, ICQ and torrent clients. First of all, he installs a security package (unnamed) and starts a full system scan. To his surprise, the StarLogger keylogger is discovered, living in the :\Windows\SL folder.
StarLogger is a commercial keylogger which, in addition to the developer’s website, can be found on various file-hosting sites and download directories. Judging by the description, it records all keystrokes in all windows, including password fields. It regularly sends the logs by e-mail and can also take and attach screenshots. After a more thorough investigation of the system, Mohamed concludes that the malware could only have been installed by the manufacturer. Apparently not fully believing it, he cleaned the system and continued to use his laptop.
However, after a while there were problems with the video drivers. Without hesitation, he simply returned the laptop to the store (not bad, right?) and bought an older model, the R540, in another store. Well, you guessed it, right? The same StarLogger in the same folder. The false-positive theory could be safely rejected, especially since the scanner, in use for 6 years, had never been wrong.
Googling a little on this topic, Hassan found a year-old discussion where people complained about hangs when scanning Samsung laptops for rootkits. But the search engines turned up no direct link to StarLogger.
Hassan phoned Samsung support, intending to sort things out properly. The incident was registered under number 2101163379 (take note of how to begin a conversation with support). Initially, support stubbornly denied (as Sony did in its time) that such software could be present on their laptops. However, after it was slowly and clearly explained to them that the program was found in the same place, on two laptops of two different models purchased in different places, they changed tactics and began to shift the blame to Microsoft. "We only produce the hardware, all the software is from Microsoft, so contact them." After a new round of arguing, realizing that they were dealing with an angry customer, first-line support gave up and escalated the incident to a senior colleague.
At first the senior support engineer himself could not understand how this program could be on a new laptop, and asked Mohamed to hold for a bit. Then he confirmed that yes, Samsung deliberately installed this program on the laptop in order to, as he put it, “monitor the performance of the machine and understand how it is used.” In other words, Samsung wanted to collect data on the use of the laptop without obtaining the consent of the owner.
Compared to Sony, whose rootkit was installed from a separately purchased music disc, Samsung went even further and installed its keylogger right at the factory. Does the same wave of class-action lawsuits await it? Other manufacturers will certainly be watching developments with interest.
Before publishing this information in Network World, the editors contacted three representatives of Samsung's PR department and asked for comment. In the week given to them, no one answered.
via Network World
PS: Well, owners of the R525, the R540 and Samsung laptops in general, report in the comments. :)
UPDATE: PCWorld reports that Samsung has responded after all, in the person of Jason Redmond, saying that the company is investigating Hassan’s statements. “We take these statements very, very seriously,” he said. Previously, he knew neither about this problem nor about Willebois Consulting, the developer of the keylogger.
UPD2: A comment has appeared at www.samsungtomorrow.com/1071, which English-speaking bloggers already cite as Samsung's official response (according to whois, the site does not belong to Samsung):
The claims that Samsung installs the keylogger on the R525 and R540 laptops are false.
Our results show that a friend from the article used VIPRE, which, when scanning, mistakenly took the folder created by Microsoft Live Application as a keylogger.
VIPRE results screen after creating an empty SL folder.
The folder allegedly contains multilingual resources for the Slovene language (SL). Similar folders can be created for other languages (EN, KO, etc.)
Posted by Hassan, asked for details.
UPD3: It seems that everyone who wrote about this earlier has refuted the keylogger version, in addition to Samsung and our hero Hassan. Even a representative of GFI (the maker of VIPRE) apologized on his blog for the false positives and explained how this happened. This path-based heuristic for detecting StarLogger was added to the product back in those ancient times when Windows Live applications with their multilingual content did not yet exist, and an SL folder in %SystemRoot% was considered a sufficient indicator, because it had no other reason to be there. And then Windows Live appeared, Samsung began to pre-install it with all the languages... and the rest you know.
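The path-only heuristic GFI described, and the empty-SL-folder test from the Samsung comment, can be reproduced in a few lines. This is an added example, not code from VIPRE, GFI or the original article; the function names, the verdict strings and the use of an "MZ" header as corroborating evidence are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def path_only_rule(system_root: Path) -> bool:
    """Heuristic as described above: an SL folder under %SystemRoot% is the sole indicator."""
    return (system_root / "SL").is_dir()


def triage_hit(system_root: Path) -> dict:
    """Inventory the flagged folder so an analyst can see what, if anything, backs the hit."""
    folder = system_root / "SL"
    files = []
    for path in sorted(folder.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            files.append({
                "name": path.relative_to(folder).as_posix(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # for known-file lookups
                "pe_header": data[:2] == b"MZ",  # Windows executables and DLLs start with "MZ"
            })
    if not files:
        verdict = "uncorroborated: folder is empty"
    elif any(f["pe_header"] for f in files):
        verdict = "needs review: executable content present"
    else:
        verdict = "uncorroborated: no executable content"
    return {"files": files, "verdict": verdict}


def scan_constructed_root(sl_files=None) -> dict:
    """Build a temporary stand-in for %SystemRoot% (constructed sample) and scan it.

    sl_files: None = no SL folder; {} = empty SL folder; otherwise {file name: bytes}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        if sl_files is not None:
            (root / "SL").mkdir()
            for name, data in sl_files.items():
                (root / "SL" / name).write_bytes(data)
        flagged = path_only_rule(root)
        return {"flagged": flagged, "triage": triage_hit(root) if flagged else None}


if __name__ == "__main__":
    print(scan_constructed_root({}))  # the empty-folder test from the Samsung comment
```

An empty folder trips the path rule exactly as in the VIPRE screenshot, while the inventory shows that nothing in it supports the detection.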
Well, the intrigue was tense, the exposé has taken place, and everyone can go home.