Got a Samsung? You Got Owned

[Final Update... I think -  THERE WAS NO KEYSTROKE LOGGER please see http://blog.eset.com/2011/03/31/samsung-and-i-got-bit-by-a-vipre to find out what happened.]

[Update - There will be a new blog about this incident. I relied upon the information at http://www.networkworld.com/newsletters/sec/2011/040411sec1.html that Samsung had confirmed the presence of the keystroke logger in asserting that the laptops were infected. Since then Samsung has asserted that the laptops were not infected and that appears to be the case. -Randy]

[Update: it looks likely that this story arises from a misunderstanding on the part of the original researcher, due to a spectacular false positive on the part of a scanner he was using. Not ESET's, we hasten to add!]

If you have a Samsung computer, check whether there is a directory called c:\windows\SL. This is a directory used to house a commercial keystroke logger that it appears Samsung is using to steal your passwords, screen shots, and other data.

An article at http://www.networkworld.com/newsletters/sec/2011/032811sec2.html details how Norwich University graduate Mohamed Hassan found the keystroke loggers on 2 brand new Samsung laptops.

If you own a Samsung computer and find the keystroke logger on your computer, you will need to uninstall it, and then change all of your passwords. Also keep your eyes open for a class action lawsuit; you probably will be entitled to compensation.

Hopefully the management at Samsung will not be as ignorant as Sony BMG’s president of global digital business when he tried to defend Sony’s rootkit blunder by explaining "Most people don't even know what a rootkit is, so why should they care about it?" There was good reason to worry and even more reason to worry about Samsung collecting your passwords.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

 

Author ESET Research, ESET

  • ShiRaz

    I reckon the best thing is to format the whole computer and reinstall

    that way it will be a clean computer

  • Dave

     
    Great to see people checking their facts before reporting – this story is totally false.

    Statement from Samsung
     
    The statements that Samsung installs keylogger on R525 and R540
    laptop computers are false.

    After investigating into this matter, it was found that the software installed
    was in fact Vipre, not the commercial keylogger called StarLogger.
    The confusion arose because Microsoft's Live Application multi-language
    support folder, "SL" folder, was mistaken for StarLogger

    (Live Application is Microsoft's application which provides messenger, email,
     video, photo gallery functions. Depending on the language, under
    C:\windows folders "SL" for Slovak, "KO" for Korean, "EN" for English are created.)

    Samsung will continue to respect customer needs by providing the highest
    quality products and services.

    • Randy Abrams

      Well, prior to denying it, a Samsung employee claimed they did install a logger on the laptops.

  • Paul Durden

    The original article does not mention if these computers were connected to the Internet before they were scanned. As brand new computers are generally already missing dozens of security patches, the possibility remains that both computers were infected by a worm instead?

  • Matt

    I've heard it's all a VIPRE AV false positive: samsungtomorrow.com/1071

  • wizdude

    @ShiRaz that assumes the vendor/manufacturer actually provides you with installation media. many new machines, especially notebooks come with nothing but a recovery partition on the hard drive – which of course comes with the bad stuff included :-)

  • BaconZombie

    "The whole saga was caused by a false alarm of the VIPRE Antivirus product. Apparently VIPRE detects the StarLogger keylogger by searching for the existence of a directory called "SL" in the root of the Windows directory. This is a bad idea."

  • Niall Kearney

    Samsung denies knowledge of the keylogger, etc. Although it could be a case of a bad rule in an anti-virus…

  • Brandon

    Reports are now surfacing that state this was a false positive:

    Quote from the Sophos link above: “The whole thing arose because of a false positive from a competitor scanner. More specifically, as revealed by Samsung themselves, the fact that a directory name used in a Slovene flavour of Windows happens to match that of a commercial keylogger (StarLogger).”

  • karrade

    @shiRaz, formatting would be a great idea if laptops actually came with the operating systems on a CD instead of having some sort of bespoke version in a restore folder on the laptop… which would of course have the keylogger built into it so you would just reinstall it with the OS. We should be campaigning for computer manufacturers to actually supply the OS disks instead of having to suffer their pre-loaded rubbish full of trial software and the above keyloggers.
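
The false positive described in the comments above came from treating a directory name as proof of infection. As an added example (not from the original post, the commenters, or any vendor), the Python sketch below compares that name-only check with one that also requires a matching file hash; the temp-directory layout, file names and the hash signature are all constructed, and none is a real StarLogger indicator.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a vendor signature: SHA-256 of made-up bytes.
# This is NOT a real StarLogger indicator.
FAKE_LOGGER_BYTES = b"constructed-sample-keylogger-binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_LOGGER_BYTES).hexdigest()}


def name_only_detect(windows_root: Path) -> bool:
    """The heuristic described in the comments: alert if <root>/SL exists."""
    return (windows_root / "SL").is_dir()


def corroborated_detect(windows_root: Path, known_bad=KNOWN_BAD_SHA256) -> bool:
    """Treat the directory name as a hint only; alert when a file inside
    it also matches a known-bad content hash (assumed signature format)."""
    suspect = windows_root / "SL"
    if not suspect.is_dir():
        return False
    return any(
        p.is_file() and hashlib.sha256(p.read_bytes()).hexdigest() in known_bad
        for p in suspect.rglob("*")
    )


def build_tree(root: Path, sl_files: dict) -> Path:
    # Constructed stand-in for the Windows directory with language folders.
    for lang in ("EN", "KO"):
        (root / lang).mkdir(parents=True)
        (root / lang / "strings.res").write_bytes(b"localized " + lang.encode())
    (root / "SL").mkdir()
    for name, data in sl_files.items():
        (root / "SL" / name).write_bytes(data)
    return root


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_tree(Path(tmp) / "clean", {"strings.res": b"localized SL"})
        bad = build_tree(Path(tmp) / "bad", {"logger.bin": FAKE_LOGGER_BYTES})
        return {
            "clean_name_only": name_only_detect(clean),        # false positive
            "clean_corroborated": corroborated_detect(clean),
            "bad_name_only": name_only_detect(bad),
            "bad_corroborated": corroborated_detect(bad),
        }


if __name__ == "__main__":
    for case, flagged in run_demo().items():
        print(f"{case}: {'ALERT' if flagged else 'clean'}")
```
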

30 Mar 2011