  • Have an HP computer? Check for the Conexant keylogger called MicTray


    This topic contains 19 replies, has 10 voices, and was last updated by  anonymous 6 months ago.

    • #114219 Reply

      woody
      Da Boss

      Post coming in InfoWorld
      [See the full post at: Have an HP computer? Check for the Conexant keylogger called MicTray]

      2 users thanked author for this post.
    • #114272 Reply

      MrJimPhelps
      AskWoody MVP

      Pretty shocking.

      It seems that these days everyone feels it is ok to grab your personal information.

      You could disable all Conexant devices and install a sound card. Or, don’t buy a computer if it has Conexant audio.

    • #114276 Reply

      ax kramer
      AskWoody Lounger

      Would it be quicker just to “search” for “micTray*.*”, or is there something more to this that I have overlooked?

      • #114279 Reply

        woody
        Da Boss

        That’s probably the fastest way to do it, if you scan inside C:\Windows\System32\ for hidden files.
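The search described above, written out as a defender-side check. This is an added example, not code from the AskWoody thread or from HP/Conexant: the file names and locations come from the thread (MicTray*.exe under System32, MicTray.log under \Users\Public as a later reply notes); the function name, parameters and output shape are my own assumptions.

```powershell
# Added example (not from the AskWoody thread, HP or Conexant): report whether the
# Conexant MicTray components discussed in the thread are present on this machine.
# Paths are taken from the thread; Get-MicTrayStatus and its output fields are assumed.
function Get-MicTrayStatus {
    [CmdletBinding()]
    param(
        [string]$System32  = (Join-Path $env:SystemRoot 'System32'),
        [string]$PublicDir = $env:PUBLIC
    )

    # -Force also returns hidden and system files, which a plain Explorer search can miss.
    $exes = Get-ChildItem -LiteralPath $System32 -Filter 'MicTray*.exe' -Force -File -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        [PSCustomObject]@{
            Item      = $exe.FullName
            Present   = $true
            Version   = $exe.VersionInfo.FileVersion   # compare against the build your vendor advisory names
            Modified  = $exe.LastWriteTime
            SizeBytes = $exe.Length
        }
    }
    if (-not $exes) {
        [PSCustomObject]@{
            Item      = (Join-Path $System32 'MicTray*.exe')
            Present   = $false
            Version   = $null
            Modified  = $null
            SizeBytes = $null
        }
    }

    # The log file is the artefact that matters: a non-empty MicTray.log means the
    # keystroke debug logging described in the thread actually ran on this machine.
    $logPath = Join-Path $PublicDir 'MicTray.log'
    $log     = Get-Item -LiteralPath $logPath -Force -ErrorAction SilentlyContinue
    $logTime = $null
    $logSize = $null
    if ($log) {
        $logTime = $log.LastWriteTime
        $logSize = $log.Length
    }
    [PSCustomObject]@{
        Item      = $logPath
        Present   = [bool]$log
        Version   = $null
        Modified  = $logTime
        SizeBytes = $logSize
    }

    # A running MicTray process shows the hotkey helper is active right now.
    Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Item      = "process $($_.Name) (PID $($_.Id)) from $($_.Path)"
            Present   = $true
            Version   = $null
            Modified  = $null
            SizeBytes = $null
        }
    }
}

# Usage: run from an elevated PowerShell so hidden System32 entries are readable.
Get-MicTrayStatus | Format-Table -AutoSize
```

The version and timestamp columns are there so the output can be compared with the driver build an advisory or update actually shipped; the script itself does not decide which build is clean, it only reports what is on disk and running.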

      • #114286 Reply

        John in Mtl
        AskWoody Lounger

        That’s what I did – searched for “MicTray” and “*Tray”.  Nothing found, yay!  But I already knew I had no Conexant chips in the box…

        Still, I’m sitting here going, “Wow, who would ever suspect that their audio driver is recording all their keystrokes!”  Unplug the mic to disable audio spying, yeah makes sense; but how could anyone ever know that the driver records keystrokes?  Wicked!!

        • This reply was modified 6 months, 1 week ago by  John in Mtl.
        • #114517 Reply

          mindwarp
          AskWoody Lounger

          Actually, it somewhat makes sense why the driver was looking at keystrokes, since it was looking to see if a keyboard button to toggle the microphone was hit.  Evidently whoever wrote the driver couldn’t think of a better way to do it than borrowing malware techniques.  That said, the next question should be: are there any other drivers that are looking for specific keystrokes that were written the same way…

          1 user thanked author for this post.
          • #114519 Reply

            anonymous

            Evidently whoever wrote the driver couldn’t think of a better way to do it than borrowing malware techniques.

            I would much better enjoy reading the programmer’s reason for doing this, not your excuse for them.

    • #114304 Reply

      EP
      AskWoody Lounger

      The sp78991 & sp78993 packages from HP (VERSION: 11.30.1680.45 REV: Q PASS: 52 and VERSION: 11.30.1680.45 REV: Q PASS: 5) also have the mictray.exe & mictray64.exe files included. The mictray files seem to be first included in v8.65.114.0 (a Sept. 2015 driver) for HP.

      Seems like the Conexant audio driver from Dell [aka. Conexant CX20722 Audio Driver v8.65.135.91] (in the Audio_Driver_KY3FK_WN32_8.65.135.91_A04.EXE file) also has the mictray files. Fortunately, the Conexant audio driver I use on my family’s Dell Inspiron 620 computer (v8.50.4.0) did not have the mictray files included.

      I’m pretty sure the recent Conexant audio drivers from ASUS & Lenovo (drivers that begin with version 8.66.x) do NOT have the Mictray files.

      • This reply was modified 6 months, 1 week ago by  EP.
    • #114368 Reply

      BobbyB
      AskWoody Lounger

      Well many thx for the heads up there @woody. Certainly an eye opener that one. I am guessing, looking at it, it’s an x64 (amd64) 64-bit, so a big “Phew!” here, and then probably 32-bit isn’t affected; all my Conexant working drivers are circa 2005, backed up and installed for my ole Win7 (Compaq/HP) machine sitting in the corner. The newer (HP) x64 one doesn’t use Conexant, but I checked its drivers in HP Softpaq; mercifully clean, as were system32 & Public folders.
      Got to wonder how that happened; can we trust any proprietary or M$ drivers any more? 🙁

    • #114367 Reply

      anonymous

      Oh, that’s nice… HP computers are used in doctor’s offices!

      • #114445 Reply

        anonymous

        Don’t worry. We promise this data is for your protection. – NSA Agent.

        Edit to remove HTML

    • #114554 Reply

      anonymous

      Spyware keylogging in Windows 10 is a feature, now spyware in a driver is bad?  Come on… we should embrace our new spyware overlords and accept them.  Shower them with many taraquads of our personal information and miscellaneous other data.  In the new spyware filled PC landscape there is one scourge that will be eliminated forever … passwords.  If your OS, driver, and applications log your keystrokes for use by their respective companies and people within them, what’s the point of having passwords?

      500 million Windows 10 users can’t be wrong.  Can they?

      Resistance is futile…

    • #114902 Reply

      anonymous

      A patch issued by Conexant is in Windows Update. I installed it on my HP (Win7 Pro) yesterday.

      • #114935 Reply

        woody
        Da Boss

        What is the exact name of the driver?

        Also note this…. https://twitter.com/__ths__/status/863324677019770880

    • #115163 Reply

      JohnFDoe
      AskWoody Lounger

      Having read the detailed writeup, and knowing the system calls involved better than most, I would like to correct a few misunderstandings:

      1. This was an accidental keylogger, someone at Conexant or HP accidentally shipped multiple builds of the driver with extra code to debug the assignment of the mute/volume per-model hotkeys (e.g. FN+< on one model, FN+F7 on another, etc.).
      2. That debugging code would write to a log file every time a key was pressed, if that key was recognized as a volume mute/down/up key, and (unfortunately) what the key was.  Obviously the idea was to only log this for a few hours on HP’s own test computers while editing the config files, but they slipped up.
      3. The “LL Keyboard Hook” API is the most reliable of the not-unusual Win32 APIs that can make such hotkeys work; it’s not some special malware-only API.  It is not even an API just for hotkeys; there are situations where this can be needed in almost any kind of non-trivial keyboard input code.
      4. MicTray64.exe is a very appropriate name for a program that shows a Microphone icon in the “tray” next to the system clock, and implements hotkeys for muting etc. the Microphone without using the mouse to click the icon.  I would expect the fixed version (without the debug logging, but with the hotkey catching) to still have that name, just a higher version number.
      5. It appears that HP and/or Conexant may have worked the developer hard, as one of the vulnerable files was timestamped around 4 AM EST on Dec 24.
      6. It also appears that ModZero AG may have jumped the gun by releasing the details just days after being told they had contacted the wrong company (HPE who makes servers instead of HP who makes laptops and Conexant who wrote MicTray64.exe).
      7. I had nothing to do with the code in question, but I happen to know enough to understand the finer details of the writeup by ModZero AG.
      2 users thanked author for this post.
      • #115177 Reply

        woody
        Da Boss

        I believe you’re correct on all counts.

    • #115185 Reply

      anonymous

      The MicTray64.exe that came with Windows Update has a file version of 1.4.0.1 and a timestamp of May 9, 2017. After installing the file, MicTray.log is no longer in the \users\Public folder.

      I am not sure it was a patch or because I had deleted the original MicTray64.exe and MicTray.log.


    • #115670 Reply

      gborn
      AskWoody MVP

      @johnfdoe: Your assumption may be right – but they left a “backdoor” within the system, that may have been used easily to send keystrokes remotely.


      Anyway, HP released another Conexant audio driver with a ‘deactivated’ keylogger …

      … then, days later, they released yet another Conexant audio driver, finally with the keylogger removed.

      But not mentioning any change log (as far as I’ve seen – I’m not a native English speaker) on their Security Advisory site with the driver update links seems not too smart (not even informing the ‘finder’ of the keylogger, Mr. Schröder, about their plans).

      BTW: I’ve documented the latest steps within the blog post The HP Conexant audio driver ‘stop key logger’ placebo update.


      • This reply was modified 6 months ago by  gborn.
      • This reply was modified 6 months ago by  gborn. Reason: typos
      1 user thanked author for this post.
    • #115801 Reply

      EP
      AskWoody Lounger

      A plethora of updated Conexant HD Audio drivers have been posted at the Microsoft Update Catalog site recently to deal with the “mictray keylogger” problem.

      Seems like the 8.65.1xx versions were affected, and HP & Microsoft have posted new Conexant audio drivers.

    • #116516 Reply

      anonymous

      Microsoft Endpoint Protection started seeing mictray64.exe 8.65.186.50 as a malware threat this week.  HP has just released 8.65.186.51 to fix it.  I haven’t installed it yet to verify.

      -Russell
