• Have an HP computer? Check for the Conexant keylogger called MicTray


    • This topic has 19 replies, 10 voices, and was last updated 8 years ago by anonymous.
    #114219

    Post coming in InfoWorld
    [See the full post at: Have an HP computer? Check for the Conexant keylogger called MicTray]

    2 users thanked author for this post.
    • #114272

      Pretty shocking.

      It seems that these days everyone feels it is ok to grab your personal information.

      You could disable all Conexant devices and install a sound card. Or, don’t buy a computer if it has Conexant audio.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
    • #114276

      Would it be quicker just to “search” for “micTray*.*”, or is there something more to this that I have overlooked?

      • #114279

        That’s probably the fastest way to do it, if you scan inside C:\Windows\System32\ for hidden files.

      • #114286

        That’s what I did – searched for “MicTray” and “*Tray”.  Nothing found, yay!  But I already knew I had no Conexant chips in the box…

        Still, I’m sitting here going, “Wow, who would ever suspect that their audio driver is recording all their keystrokes!”  Unplug the mic to disable audio spying, yeah makes sense; but how could anyone ever know that the driver records keystrokes?  Wicked!!

        • #114517

          Actually, it somewhat makes sense why the driver was looking at keystrokes, since it was looking to see if a keyboard button to toggle the microphone was hit.  Evidently whoever wrote the driver couldn’t think of a better way to do it than borrowing malware techniques.  That said, the next question should be are there any other drivers that are looking for specific keystrokes that were written the same way…

          1 user thanked author for this post.
          • #114519

            Evidently whoever wrote the driver couldn’t think of a better way to do it than borrowing malware techniques.

            I would much better enjoy reading the programmer’s reason for doing this, not your excuse for them.

    • #114304

      The sp78991 & sp78993 packages from HP (VERSION: 11.30.1680.45 REV: Q PASS: 52 and VERSION: 11.30.1680.45 REV: Q PASS: 5) also have the mictray.exe & mictray64.exe files included. The mictray files seem to be first included in v8.65.114.0 (a Sept. 2015 driver) for HP.

      Seems like the Conexant audio driver from Dell [aka. Conexant CX20722 Audio Driver v8.65.135.91] (in the Audio_Driver_KY3FK_WN32_8.65.135.91_A04.EXE file) also has the mictray files. Fortunately, the Conexant audio driver I use on my family’s Dell Inspiron 620 computer (v8.50.4.0) did not have the mictray files included.

      I’m pretty sure the recent Conexant audio drivers from ASUS & Lenovo (drivers that begin with version 8.66.x) do NOT have the Mictray files.

    • #114368

      Well, many thx for the heads up there @Woody. Certainly an eye opener, that one. I am guessing, looking at it, it's an x64 (amd64) 64-bit, so a big “Phew!” here, and then probably 32-bit isn't affected; all my Conexant working drivers are circa 2005, backed up and installed for my ole Win7 (Compaq/HP) machine sitting in the corner. The newer (HP) x64 one doesn't use Conexant, but checked its drivers in HP Softpaq, mercifully clean, as was system32 & Public folders.
      Got to wonder how did that happen; can we trust any proprietary or M$ drivers any more? 🙁

    • #114367

      Oh, that’s nice… HP computers are used in doctor’s offices!

      • #114445

        Don’t worry. We promise this data is for your protection. – NSA Agent.

        Edit to remove HTML

    • #114554

      Spyware keylogging in Windows 10 is a feature, now spyware in a driver is bad?  Come on… we should embrace our new spyware overlords and accept them.  Shower them with many taraquads of our personal information and miscellaneous other data.  In the new spyware filled PC landscape there is one scourge that will be eliminated forever … passwords.  If your OS, driver, and applications log your keystrokes for use by their respective companies and people within them, what's the point of having passwords?

      500 million Windows 10 users can’t be wrong.  Can they?

      Resistance is futile…

    • #114902

      A patch issued by Conexant is in Windows Update. I installed it to my HP (Win7 Pro) yesterday.

      • #114935

        What is the exact name of the driver?

        Also note this…. https://twitter.com/__ths__/status/863324677019770880

    • #115163

      Having read the detailed writeup, and knowing the system calls involved better than most, I would like to correct a few misunderstandings:

      1. This was an accidental keylogger, someone at Conexant or HP accidentally shipped multiple builds of the driver with extra code to debug the assignment of the mute/volume per-model hotkeys (e.g. FN+< on one model, FN+F7 on another, etc.).
      2. That debugging code would write to a log file every time a key was pressed, if that key was recognized as a volume mute/down/up key, and (unfortunately) what the key was.  Obviously the idea was to only log this for a few hours on HP’s own test computers while editing the config files, but they slipped up.
      3. The “LL Keyboard Hook” API is the most reliable of the not-unusual Win32 APIs that can make such hotkeys work, it’s not some special malware-only API.  It is not even an API just for hotkeys, there are situations where this can be needed in almost any kind of non-trivial keyboard input code.
      4. MicTray64.exe is a very appropriate name for a program that shows a Microphone icon in the “tray” next to the system clock, and implements hotkeys for muting etc. the Microphone without using the mouse to click the icon.  I would expect the fixed version (without the debug logging, but with the hotkey catching) to still have that name, just a higher version number.
      5. It appears that HP and/or Conexant may have worked the developer hard, as one of the vulnerable files was timestamped around 4 AM EST on Dec 24.
      6. It also appears that ModZero AG may have jumped the gun by releasing the details just days after being told they had contacted the wrong company (HPE who makes servers instead of HP who makes laptops and Conexant who wrote MicTray64.exe).
      7. I had nothing to do with the code in question, but I happen to know enough to understand the finer details of the writeup by ModZero AG.
      2 users thanked author for this post.
    • #115185

      The MicTray64.exe that came with Windows Update has a file version of 1.4.0.1 and a timestamp of May 9, 2017. After installing the file, MicTray.log is no longer in the \users\Public folder.

      I am not sure whether it was a patch or because I had deleted the original MicTray64.exe and MicTray.log.
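
The check discussed in this thread (search System32 for MicTray files, hidden ones included, and look for MicTray.log in the Public folder), written out as an added PowerShell example that is not from any poster, HP or Conexant. The function name `Get-MicTrayArtifact` is hypothetical; the script assumes Windows PowerShell 3.0 or later and only reads file metadata.

```powershell
# Added example: read-only inventory of the MicTray files named in this thread.
# Nothing is deleted or modified; the file names and folders are the ones the posters mention.
function Get-MicTrayArtifact {
    param(
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32'),  # C:\Windows\System32
        [string]$PublicDir = $env:PUBLIC                               # C:\Users\Public
    )

    # -Force includes hidden and system files that a plain Explorer search skips.
    $exes = Get-ChildItem -Path $SystemDir -Filter 'MicTray*.exe' -File -Force -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        [pscustomobject]@{
            Kind        = 'Executable'
            Path        = $exe.FullName
            FileVersion = $exe.VersionInfo.FileVersion   # compare with the versions quoted in the thread
            LastWrite   = $exe.LastWriteTime
            SizeBytes   = $exe.Length
        }
    }

    # The log file the thread refers to: MicTray.log in the Public folder.
    $logPath = Join-Path $PublicDir 'MicTray.log'
    if (Test-Path -LiteralPath $logPath -PathType Leaf) {
        $log = Get-Item -LiteralPath $logPath -Force
        [pscustomobject]@{
            Kind        = 'Log'
            Path        = $log.FullName
            FileVersion = $null
            LastWrite   = $log.LastWriteTime   # a recent time suggests a logging build is still running
            SizeBytes   = $log.Length
        }
    }
}

$found = @(Get-MicTrayArtifact)
if ($found.Count -eq 0) {
    Write-Output 'No MicTray executables in System32 and no MicTray.log in the Public folder.'
} else {
    $found | Format-Table -AutoSize
}
```

Run it from a 64-bit PowerShell session on 64-bit Windows: a 32-bit session is redirected from System32 to SysWOW64 and would not see MicTray64.exe.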

       

       

       

    • #115670

      @JohnFDoe: Your assumption may be right – but they left a “backdoor” within the system, that may have been used easily to send keystrokes remotely.

       

      Anyway, HP released another Conexant audio driver with a ‘deactivated’ keylogger …

      … then they released days later just another Conexant audio driver, finally with a removed keylogger.

      But not to mention any change log (as far as I’ve seen – I’m not a native English language speaker) on their Security Advisory site with driver update links seems not too smart (even not informing the ‘finder’ of the keylogger, Mr. Schröder, about their plans).

      BTW: I’ve documented the latest steps within the blog post The HP Conexant audio driver ‘stop key logger’ placebo update.

       

      Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

      https://www.borncity.com/win/

      1 user thanked author for this post.
    • #115801

      A plethora of updated Conexant HD Audio drivers have been posted at the Microsoft Update Catalog site recently to deal with the “mictray keylogger” problem.

      Seems like the 8.65.1xx versions were affected and HP & Microsoft have posted new Conexant audio drivers.

    • #116516

      Microsoft Endpoint Protection started seeing mictray64.exe 8.65.186.50 as a malware threat this week.  HP has just released 8.65.186.51 to fix it.  I haven’t installed it yet to verify.

      -Russell
