Wednesday, March 30, 2011

UPDATED: No Keyloggers on Samsung Laptops

UPDATED: GFI Labs, manufacturer of the anti-malware scanner VIPRE used by Mohamed Hassan, confirms that there is no keylogger on Samsung laptops, and that detection was a false positive. Our headline was changed to reflect the news.

Computer security: we generally expect to get spyware from infected mails or sites. It is unusual to get some directly from a computer manufacturer, and even more unusual for spyware in a brand new computer to have been put there voluntarily by the manufacturer. Yet a professor of Information Systems at the University of Phoenix has discovered keyloggers on two brand new models of Samsung laptops (R525 and R540), apparently installed by Samsung itself.

Mohamed Hassan, an adjunct professor of Information Systems in the School of Business at the University of Phoenix, and the founder of the security firm NetSec Consulting Corp, found a copy of the commercial keylogger StarLogger in a Samsung R525 laptop that he had purchased for his personal use. After returning it and buying a Samsung R540 model instead, he found the same keylogger in the same directory of his new laptop. He contacted several Samsung staff. A support supervisor confirmed that the keylogger had been installed by Samsung "to monitor the performance of the machine and to find out how it is being used." Samsung PR did not respond to requests by Dr. Hassan for a week, after which Dr. Hassan went public.

A keylogger is able to capture any keystroke you type on your computer, including passwords, and send them to an outside party. Softpedia describes StarLogger's capabilities as follows:

"Do you want to know what your buddy, colleague or employee is typing? What are they doing on the computer? StarLogger records every keystroke made on your computer on every window, even on password protected boxes.

This key logger is completely undetectable and starts up whenever your computer starts up. See everything being typed: emails, messages, documents, web pages, usernames, passwords, and more. StarLogger can email its results at specified intervals to any email address undetected so you don't even have to be at the computer you are monitoring to get the information. The screen capture images can also be attached automatically to the emails as well as automatically deleted."

If you have a Samsung laptop, find out if it has a special guest: CNET already published instructions to find out if StarLogger is present on your laptop, and to remove it if you find it there. If you are shopping for a laptop - do try to avoid buying one that comes with a keylogger.

It is hard to believe that a company of Samsung's size and reputation would take such an idiotic - and probably illegal - step. If they truly did it - what were they thinking? Who had the bright idea - and - who authorized it? This would be a hard story to put on your resume.

Update 3/31/2011, 10:55AM PST: as indicated in our earlier Twitter post 6 hours ago (:-), the keylogger detection was a false positive by the scanning software VIPRE. Early on, ZDNet figured out how to duplicate the false positive by creating an empty directory with the right (or wrong...) name. Security company F-Secure, shortly afterwards, posted that they could not find keyloggers on Samsung laptops. Samsung came out denying the allegations, and pointing at malware scanner VIPRE as the culprit for a false positive detection. Later this morning, GFI Labs, maker of VIPRE, confirmed that the keylogger detection was a false positive:

"A Network World article has alleged Samsung laptops of having a keylogger. Unfortunately (and to our dismay), the evidence was based off of a false positive by VIPRE for the StarLogger keylogger.

The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic. I want to emphasize “rarely”, as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process. (It’s not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result — a false positive.)

The directory in question was C:\WINDOWS\SL, and is the Slovenian language directory for Windows Live. This same directory path is used by the StarLogger keylogger."
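To make the failure mode GFI describes concrete, here is an added Python sketch (not from the original post, GFI or VIPRE) that contrasts a folder-path heuristic, which fires on the mere existence of an "SL" directory, with a content-based check that only fires on a known-bad file hash. The "keylogger" bytes and their hash are constructed placeholders, not a real StarLogger sample or signature.

```python
import hashlib
import tempfile
from pathlib import Path

# The folder that triggered the VIPRE false positive. It is both the Windows
# Live Slovenian language directory and the path StarLogger uses, so its mere
# presence says nothing about which one is installed.
SUSPECT_DIR = "SL"

# Constructed stand-in for a keylogger binary and its hash; NOT a real
# StarLogger sample or signature, just placeholder bytes for the demo.
SAMPLE_BAD_BYTES = b"constructed-stand-in-for-a-keylogger-binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}


def path_heuristic(windows_root: Path) -> bool:
    """Folder-path heuristic: flag as soon as the directory exists.
    An empty or benign C:\\WINDOWS\\SL is enough to trip it."""
    return (windows_root / SUSPECT_DIR).is_dir()


def content_check(windows_root: Path) -> list:
    """Content-based check: flag only files whose SHA-256 is known-bad."""
    target = windows_root / SUSPECT_DIR
    if not target.is_dir():
        return []
    return [
        str(f) for f in target.rglob("*")
        if f.is_file()
        and hashlib.sha256(f.read_bytes()).hexdigest() in KNOWN_BAD_SHA256
    ]


def scan_scenarios() -> dict:
    """Run both detectors over a benign folder, then over one holding the sample.
    Returns {scenario: (path_heuristic_fired, content_hits)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Scenario 1: the directory exists but holds only a benign text file,
        # mirroring ZDNet's reproduction with an empty/benign folder.
        (root / SUSPECT_DIR).mkdir()
        (root / SUSPECT_DIR / "readme.txt").write_text("language pack files")
        results["benign"] = (path_heuristic(root), len(content_check(root)))
        # Scenario 2: the same folder now also contains the known-bad sample.
        (root / SUSPECT_DIR / "sl.exe").write_bytes(SAMPLE_BAD_BYTES)
        results["infected"] = (path_heuristic(root), len(content_check(root)))
    return results


if __name__ == "__main__":
    print(scan_scenarios())
```

The path heuristic fires in both scenarios; the hash check fires only when the known-bad file is actually present.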

So all's well that ends well. The hubbub about this story, however, points out a few issues of interest:
  • How did Network World, who broke the story, check it prior to publishing? It would not have been difficult to line up a couple of *real* security experts to look over the event and confirm the finding. In fact, it appears, post facto, that a simple inspection of the suspicious directory would have been enough to find out that there was no keylogger.
  • Why did it take a week for Samsung to respond (or not respond) to such an allegation? This was a very serious issue, yet nobody seems to have minded the store. 
  • False detections are a very common occurrence in virus/spyware scanning software. We do not feel that GFI Labs really needed to apologize for it. On the other hand, the original security "expert" would have been well advised to double- or triple-check his keylogger detection with additional tools, along with visual inspection, before leveling a major accusation, which now turns out to be unfounded.
  • If you run into a suspicious malware issue, you can upload the file in question to VirusTotal, a web-based malware analyzer which runs multiple malware detection engines to validate a detection.
Our apologies to Samsung for reporting suspicions which were untrue.

Want to read more about it? Try Network World #1 and Network World #2 (they broke the story), CNET, Washington Post, ZDNet, PC World, Financial Times, TIME, msnbc, eWeek, Computerworld, PCWorld, CrunchGear #1, CrunchGear #2, Forbes, Naked Security or Lifehacker Australia.
