GFI apologizes for false alarm on Samsung keyloggers

'It's just mud on our face,' says security firm exec

When Alex Eckelberry first read news reports on Wednesday that some of Samsung's R Series laptops contained keylogging software, he was as astounded as everybody else.

"I was really interested in the story. I thought if someone had found a keylogger, that's pretty hardcore," said Eckelberry, who is general manager of GFI Security, a maker of e-mail and Web security products.

The only other known instance of a vendor secretly installing similar software was Sony BMG, which got into all sorts of trouble for the infamous rootkit brouhaha in 2005.

Eckelberry's surprise at Samsung quickly turned to acute embarrassment when he began getting reports from colleagues that the evidence for the supposed keyloggers was based on a false positive from VIPRE, a malware-detection product sold by GFI.

The problem wasn't that Samsung was secretly installing keyloggers on its systems, but that GFI's software was mistakenly reporting that the laptops contained the malware.

"We just fell on our sword on this," Eckelberry said in an interview today. "It's just mud on our face."

VIPRE is technology that was developed by Sunbelt Software, a company GFI purchased last year.

In a statement today, Samsung denied that its computers contain keylogging software.

The company was responding to a report by Computerworld's sister publication, Network World on Wednesday. In the report, Mohammed Hassan, an IT security consultant in Toronto claimed that he had found a keylogger called Starlogger in a couple of brand new Samsung laptops they had purchased in Canada.

The researcher's claims prompted speculation that Samsung could be in legal trouble if it were installing keylogging software on products sold to the general public. The story was later picked up by the IDG News Service, which is owned by IDG, Computerworld's parent company.

After investigating the claims, Samung said that the allegations were false.

"Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft's Live Application for a key logging software, during a virus scan," the company said. "The confusion arose because VIPRE mistook Microsoft's Live Application multi-language support folder, "SL" folder, as StarLogger," Samsung said.

The directory that caused the confusion was C:\WINDOWS\SL, Eckelberry said. While that is the Slovenian language directory for Windows Live, it is also the directory path used by the Starlogger keylogger, he said.

So when VIPRE encountered the SL directory on the Samsung laptops, it automatically flagged it as Starlogger, he said.

In a blog post this morning, Eckelberry said such detection based on folder paths as a heuristic was rarely used by VIPRE.

"I want to emphasize 'rarely,' as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process," Eckelberry wrote, while apologizing to Samsung and the researcher who reported the problem.

Though folder path detections are fairly commonly used by many anti-malware products, the practice is generally frowned upon because of the potential it holds for generating false positives -- as happened this time, he said.

"It's such a rarely used detection method," Eckelberry said. "To have this type of heuristic create the issue for us is a big embarrassment for us."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies