GFI apologizes for false alarm on Samsung keyloggers
'It's just mud on our face,' says security firm exec
Computerworld - When Alex Eckelberry first read news reports on Wednesday that some of Samsung's R Series laptops contained keylogging software, he was as astounded as everybody else.
"I was really interested in the story. I thought if someone had found a keylogger, that's pretty hardcore," said Eckelberry, who is general manager of GFI Security, a maker of e-mail and Web security products.
The only other known instance of a vendor secretly installing similar software was Sony BMG, which got into all sorts of trouble for the infamous rootkit brouhaha in 2005.
Eckelberry's surprise at Samsung quickly turned to acute embarrassment when he began getting reports from colleagues that the evidence for the supposed keyloggers was based on a false positive from VIPRE, a malware-detection product sold by GFI.
The problem wasn't that Samsung was secretly installing keyloggers on its systems, but that GFI's software was mistakenly reporting that the laptops contained the malware.
"We just fell on our sword on this," Eckelberry said in an interview today. "It's just mud on our face."
VIPRE is technology that was developed by Sunbelt Software, a company GFI purchased last year.
In a statement today, Samsung denied that its computers contain keylogging software.
The company was responding to a report by Computerworld's sister publication, Network World on Wednesday. In the report, Mohammed Hassan, an IT security consultant in Toronto claimed that he had found a keylogger called Starlogger in a couple of brand new Samsung laptops they had purchased in Canada.
The researcher's claims prompted speculation that Samsung could be in legal trouble if it were installing keylogging software on products sold to the general public. The story was later picked up by the IDG News Service, which is owned by IDG, Computerworld's parent company.
After investigating the claims, Samung said that the allegations were false.
"Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft's Live Application for a key logging software, during a virus scan," the company said. "The confusion arose because VIPRE mistook Microsoft's Live Application multi-language support folder, "SL" folder, as StarLogger," Samsung said.
The directory that caused the confusion was C:\WINDOWS\SL, Eckelberry said. While that is the Slovenian language directory for Windows Live, it is also the directory path used by the Starlogger keylogger, he said.
So when VIPRE encountered the SL directory on the Samsung laptops, it automatically flagged it as Starlogger, he said.
In a blog post this morning, Eckelberry said such detection based on folder paths as a heuristic was rarely used by VIPRE.
"I want to emphasize 'rarely,' as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process," Eckelberry wrote, while apologizing to Samsung and the researcher who reported the problem.
Though folder path detections are fairly commonly used by many anti-malware products, the practice is generally frowned upon because of the potential it holds for generating false positives -- as happened this time, he said.
"It's such a rarely used detection method," Eckelberry said. "To have this type of heuristic create the issue for us is a big embarrassment for us."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts