Posted on May 12, 2017 at 4:52 PM
It’s strongly suggested that everyone who owns and uses an HP computer check whether they have C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe installed.
If you do find one of these executables, then you have an active keylogger that’s able to record every key press, and you need to rename it immediately. Most of the time, when someone discovers a new keylogger and reports it publicly, it turns out to be malicious spyware. Everyone affected then responds to the threat, and it’s usually dealt with. This time, however, a keylogger was found on HP computers, and it turned out not to be malicious. The result is that the company isn’t doing anything to deal with it, at least for now.
The party responsible for discovering this keylogger is the security company modzero AG, and they found it in an audio driver that was installed on an HP system. They immediately contacted HP and told the company about the keylogger’s existence. However, HP Enterprise decided that they won’t take responsibility as long as HP Inc. and Conexant Systems Inc. are ignoring the issue. This is what led to modzero’s decision to go public with this information.
Selling systems that have an active keylogger installed on them can only happen for malicious reasons. However, it’s more likely that the developers’ negligence is the reason for this situation.
The infected software is part of HP’s driver package, and its audio chips were created by a company called Conexant Systems.
This company’s circuits have appeared on many sound cards, for which it also provides drivers. In this particular case, some special key presses are supposed to turn several functions on and off, such as the microphone or the recording LED.
However, the problem occurred when modzero discovered that the software that was supposed to only recognize these special key presses actually records and stores every one of them. All of the recorded key presses are stored in a plain text file found at C:\Users\Public\MicTray.log. Anyone with access to the computer itself has access to this file.
Even though this log gets overwritten every time the user logs back into the computer, it still logs everything that’s pressed during one use, including all of the entered passwords.
Many have agreed that logging all of the key presses just for the purpose of detecting the special ones is ridiculous and that there must be a better way to deal with this. As we mentioned at the beginning of this text, you can stop this logging by renaming the mentioned executable files. However, if you do it, the special key functionality will stop working completely as well. It’s suggested that Conexant and HP should deal with this problem as soon as possible.
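The check and the rename described above can be scripted. The PowerShell below is an added example, not code from modzero, HP or Conexant: it looks for the two executables and the log file named in this article and reports only the log's size and timestamp. The `-Rename` switch and the `.disabled` suffix are assumptions made for this example.

```powershell
# Added example: triage for the MicTray keylogger described in this article.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: apply the rename mitigation the article describes.
    [switch]$Rename
)

# A 32-bit PowerShell on 64-bit Windows is redirected from System32 to SysWOW64;
# the Sysnative alias reaches the real System32 directory in that case.
$sys = Join-Path $env:windir 'System32'
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $sys = Join-Path $env:windir 'Sysnative'
}

# File names and log path as given in the article.
$exes = 'MicTray64.exe', 'MicTray.exe' | ForEach-Object { Join-Path $sys $_ }
$log  = 'C:\Users\Public\MicTray.log'

$found = @($exes | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })

foreach ($exe in $found) {
    Write-Output "FOUND executable: $exe"
    if ($Rename) {
        # Needs an elevated prompt; run with -WhatIf to preview the change.
        # The '.disabled' suffix is an arbitrary choice for this example.
        if ($PSCmdlet.ShouldProcess($exe, 'Rename to .disabled')) {
            Rename-Item -LiteralPath $exe -NewName ((Split-Path $exe -Leaf) + '.disabled')
        }
    }
}
if ($found.Count -eq 0) {
    Write-Output "No MicTray executable found in $sys"
}

if (Test-Path -LiteralPath $log -PathType Leaf) {
    $item = Get-Item -LiteralPath $log
    # Report metadata only: the file may contain typed passwords.
    Write-Output ("FOUND log: {0} ({1} bytes, last written {2})" -f `
        $item.FullName, $item.Length, $item.LastWriteTime)
} else {
    Write-Output "Log not present: $log"
}
```

As the article notes, renaming the executables also disables the special key functions.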