An audio driver preinstalled on some HP laptops includes a feature which records all the user’s keystrokes and saves the information in a world-readable plain text file.
Security researchers from the Swiss-based cyber security firm Modzero have discovered a built-in keylogger in an HP audio driver.
A keylogger records when a key is pressed, when it is released, and whether a shift or other modifier key was held at the time. Because it sits below the application, it captures a password as it is typed even though the characters are never displayed on screen.
According to the researchers, the keylogger was found in Conexant HD Audio Driver Package version 1.0.0.46 and earlier. Conexant manufactures integrated circuits and also writes the drivers for its audio chips; the Conexant High-Definition (HD) Audio Driver is the component that lets Windows and its applications talk to that audio hardware.
Conexant’s MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task that runs after each user login. The program monitors all of the user's keystrokes so that it can react to functions such as the microphone mute/unmute keys and hotkeys. The monitoring is implemented as a low-level keyboard hook installed with SetWindowsHookEx(), which is why the program sees every key event in the session and not only its own hotkeys.
All key-scancode information is written to a logfile in a world-readable path (C:\Users\Public\MicTray.log). If the logfile does not exist, or the corresponding setting is not yet present in the Windows registry, every keystroke is instead passed to the OutputDebugString API, which lets any process in the current user session capture the keystrokes without showing any malicious behaviour of its own. Any framework or process that can call MapViewOfFile on the debug-output shared section can therefore silently harvest the user's keystrokes.
This issue creates a high risk of leaking sensitive user input to any person or process that can read the file C:\Users\Public\MicTray.log or call MapViewOfFile(). Investigators with access to the unencrypted file system may also be able to recover historic key logs. Users are not aware that every keystroke made while entering sensitive information, such as passphrases or passwords for local or remote systems, is captured by Conexant's software and exposed to any process or framework with access to the file system or the MapViewOfFile API.
Any process running in the current user session, and therefore able to monitor debug messages, can capture the user's keystrokes. Such a process can record sensitive data such as passwords using nothing but the ordinary debug-output mechanism, without installing a keyboard hook of its own or performing any other suspicious activity that might trigger AV heuristics.
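The debug-output leak path described above, as an added example (not from the modzero advisory and not Conexant's code). OutputDebugString() hands its text to whichever process in the same session has created the "DBWIN_BUFFER" section and its two events, the protocol DebugView uses; any process in the session can create them. Both roles run in this one process: the listener is created first, then a constructed message is written with OutputDebugString(), standing in for MicTray64.exe, and read back out of the shared section. The function names and the sample message are this example's own; the section name, event names and 4096-byte layout are the documented DebugView protocol.

```powershell
# Added example, not part of the original advisory or of MicTray. Demonstrates that
# OutputDebugString() output is readable by any process in the session that plays
# the DebugView role.

Add-Type -Namespace Demo -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern void OutputDebugString(string lpOutputString);
'@

function New-DebugListener {
    # DebugView protocol: a 4096-byte shared section plus two auto-reset events,
    # all in the session-local namespace. CreateNew throws if DebugView (or any
    # other listener) already owns the section.
    $map  = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew('DBWIN_BUFFER', 4096)
    $mode = [System.Threading.EventResetMode]::AutoReset
    [pscustomobject]@{
        Map         = $map
        BufferReady = New-Object System.Threading.EventWaitHandle($false, $mode, 'DBWIN_BUFFER_READY')
        DataReady   = New-Object System.Threading.EventWaitHandle($false, $mode, 'DBWIN_DATA_READY')
    }
}

function Read-DebugMessage {
    param($Listener, [int]$TimeoutMs = 5000)
    # A writer blocks on DBWIN_BUFFER_READY (up to 10 s), copies its string into the
    # section and then signals DBWIN_DATA_READY.
    if (-not $Listener.DataReady.WaitOne($TimeoutMs)) { return $null }
    $buf = New-Object byte[] 4096
    $stream = $Listener.Map.CreateViewStream()
    try { $null = $stream.Read($buf, 0, $buf.Length) } finally { $stream.Dispose() }
    # Section layout: DWORD PID of the sender, then a NUL-terminated ANSI string.
    [pscustomobject]@{
        Pid     = [BitConverter]::ToInt32($buf, 0)
        Message = [System.Text.Encoding]::Default.GetString($buf, 4, 4092).Split([char]0)[0]
    }
}

$listener = New-DebugListener
# Arm the buffer, then do what MicTray does on every key event.
$null = $listener.BufferReady.Set()
[Demo.Kernel32]::OutputDebugString('constructed sample: scancode 0x1E down (not real MicTray output)')
$captured = Read-DebugMessage -Listener $listener
'Captured from PID {0}: {1}' -f $captured.Pid, $captured.Message

# Re-arm and keep reading to see what other processes in this session emit. On an
# unpatched machine with MicTray in debug-output mode, each keystroke shows up here.
$null = $listener.BufferReady.Set()
while ($m = Read-DebugMessage -Listener $listener -TimeoutMs 30000) {
    'PID {0}: {1}' -f $m.Pid, $m.Message
    $null = $listener.BufferReady.Set()
}
```

Nothing in the listener is privileged or unusual: creating a named section and two events and calling MapViewOfFile (which the .NET view stream does underneath) is what every debugger does, which is the point of the paragraph above. The loop exits after 30 seconds of silence; stop DebugView first if it is running, since only one listener can own the section.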
Furthermore, because the logfile sits in a world-readable path, any process running on the system under any user account can read every keystroke the user has made simply by opening the file. It is not known whether the log data is ever submitted to Conexant, or why every key press is logged at all.
Delete the MicTray executables and logfiles. Deleting the Scheduled Task alone is not sufficient, because Conexant's Windows service CxMonSvc will otherwise launch MicTray again. The executable is located at C:\Windows\System32\MicTray64.exe, and the MicTray logfile at C:\Users\Public\MicTray.log.
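An audit and clean-up script for the steps above, added here as an example; it is not part of the modzero advisory or of any HP or Conexant tooling. Get-MicTrayStatus checks for each artifact the text names (the System32 binaries, the scheduled task, the CxMonSvc service and the world-readable log, including who is allowed to read it); Remove-MicTray applies the fix in the order the text implies: stop the service that would relaunch MicTray, stop the process, drop the task, then delete the executables and the log. The scheduled task is matched by its action path rather than by name, since the text does not give a task name, and the MicTray*.exe glob is this script's way of catching both executables. Run from an elevated PowerShell.

```powershell
# Added example, not from the original advisory. Audits for and removes the MicTray
# components described above. Requires an elevated session and the ScheduledTasks
# module (Windows 8 / Server 2012 and later).

function Get-MicTrayStatus {
    $exes  = @(Get-ChildItem -Path "$env:SystemRoot\System32\MicTray*.exe" -ErrorAction SilentlyContinue)
    $log   = Get-Item -LiteralPath 'C:\Users\Public\MicTray.log' -ErrorAction SilentlyContinue
    $tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
               Where-Object { $_.Actions | Where-Object { $_.Execute -match 'MicTray' } })
    $svc   = Get-Service -Name CxMonSvc -ErrorAction SilentlyContinue
    $procs = @(Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue)

    # Accounts allowed to read the log. BUILTIN\Users or Everyone here means every
    # account on the machine can read every keystroke. Inherited generic rights show
    # up as raw numbers; those are listed too so they get checked by hand.
    $readers = @()
    if ($log) {
        $readers = @((Get-Acl -LiteralPath $log.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           "$($_.FileSystemRights)" -match 'Read|FullControl|^-?\d+$' } |
            ForEach-Object { $_.IdentityReference.Value })
    }

    [pscustomobject]@{
        Executables    = $exes.FullName
        Running        = $procs | ForEach-Object { "$($_.Name) (PID $($_.Id))" }
        ScheduledTasks = $tasks | ForEach-Object { "$($_.TaskPath)$($_.TaskName)" }
        Service        = if ($svc) { "$($svc.Name) ($($svc.Status))" }
        LogFile        = if ($log) { $log.FullName }
        LogSizeBytes   = if ($log) { $log.Length } else { 0 }
        LogReaders     = $readers
        Vulnerable     = ($exes.Count -gt 0) -or ($procs.Count -gt 0)
    }
}

function Remove-MicTray {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $status = Get-MicTrayStatus

    # Stop the monitor service first: it relaunches MicTray as soon as the process
    # dies, which is why removing only the scheduled task does not help.
    if (Get-Service -Name CxMonSvc -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('CxMonSvc', 'Stop service')) { Stop-Service -Name CxMonSvc -Force }
    }
    Get-Process -Name 'MicTray*' -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Name) PID $($_.Id)", 'Stop process')) { Stop-Process -Id $_.Id -Force }
    }
    foreach ($t in (Get-ScheduledTask | Where-Object { $_.Actions | Where-Object { $_.Execute -match 'MicTray' } })) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister scheduled task')) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }
    foreach ($f in @($status.Executables) + @($status.LogFile) | Where-Object { $_ }) {
        if ($PSCmdlet.ShouldProcess($f, 'Delete')) {
            if ($f -like "$env:SystemRoot\System32\*") {
                # System32 files are owned by TrustedInstaller; take ownership before deleting.
                & takeown.exe /F $f | Out-Null
                & icacls.exe $f /grant 'Administrators:F' | Out-Null
            }
            Remove-Item -LiteralPath $f -Force
        }
    }
    # Plain deletion does not wipe the log's disk blocks; on an unencrypted disk old
    # keystrokes may still be carved out afterwards, as the text above notes.
}

# Usage (elevated):  Get-MicTrayStatus | Format-List ;  Remove-MicTray -WhatIf ;  Remove-MicTray
```

Run Get-MicTrayStatus first and keep its output as the before-state; Remove-MicTray -WhatIf lists every action without performing it, and a second Get-MicTrayStatus afterwards should report Vulnerable = False with no log file. The LogReaders column is the quick check that the file really is world-readable on the machine in front of you rather than taking the path alone as proof.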