HP computer owners: Check for the MicTray Conexant keylogger

The Conexant audio driver logs all keystrokes on certain HP machines and publishes them to a file in the Public folder


Today, while Microsoft extols the virtues of Windows 10 S and HoloLens at the Build keynote, many who have an HP machine will be dealing with a new, unexpected tech problem.

Swiss security firm modzero AG released a white paper (PDF) that contains details about a keylogger in certain HP audio drivers. The keylogger stores records of all of your keystrokes in a file located in the public folder C:\Users\Public\MicTray.log.

Fortunately, there’s an easy way to check to see if the MicTray keylogger is on your machine and, if so, to get rid of it.

According to modzero, the keylogger is part of the driver set for Conexant audio chips. In its Security Advisory, modzero says:

Software packages known to be affected:

  • Recent and previous (Q2/2017) HP Audiodriver Packages / Conexant High-Definition (HD) Audio Driver Version 10.0.931.89 REV: Q PASS: 5  (ftp://whp-aus1.cold.extweb.hp.com/pub/softpaq/sp79001-79500/sp79420.html)
  • Probably other hardware vendors, shipping Conexant hardware and drivers

The Security Advisory goes on to list almost 30 HP machines known to use the bad drivers, including EliteBook, ProBook, ZBook, and Elite x2 models running both Windows 10 and Win7. It's an impressive lineup, including many current models.

Modzero says it found evidence of the problematic behavior going all the way back to December 2015. It’s still there today with driver Version 1.0.0.46.

The infection method seems simple enough:

Conexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetWindowsHookEx().

In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log). If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user's keystrokes.

I have no idea how the driver passed Microsoft certification, but apparently it has.

Here is the disinfection method proposed by modzero:

All users of HP computers should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed. We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore. However, the special function keys on the keyboards might no longer work as expected. If a C:\Users\Public\MicTray.log file exists on the hard drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.

I’d go one step further. If you have a Conexant audio chip—Speccy will tell you—go through those steps, make sure that MicTray64.exe gets renamed, and delete current and backed-up copies of MicTray.log.
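The check and clean-up above, as an added PowerShell example (not from the article, modzero, or HP): it reports the two MicTray executables, any scheduled task whose action points at them, and the MicTray.log file, and with -Remediate it renames the executables, disables the task and deletes the log. It assumes PowerShell 4 or later (Get-FileHash, Get-ScheduledTask) and an elevated prompt; the task name is not given in the advisory, so the script matches on the action's executable instead.

```powershell
# Added example (not modzero's or HP's code): report on, and optionally neutralise,
# the MicTray components described in the advisory. Run from an elevated prompt.
[CmdletBinding()]
param([switch]$Remediate)

$Executables = @('C:\Windows\System32\MicTray64.exe', 'C:\Windows\System32\MicTray.exe')
$LogFile     = 'C:\Users\Public\MicTray.log'

foreach ($exe in $Executables) {
    if (-not (Test-Path $exe)) { continue }
    $ver = (Get-Item $exe).VersionInfo.FileVersion
    $sha = (Get-FileHash -Algorithm SHA256 -Path $exe).Hash   # record what was found
    Write-Output "FOUND $exe  version=$ver  sha256=$sha"
    if ($Remediate) {
        # Rename rather than delete, as the advisory suggests; hotkeys may stop working.
        Rename-Item -Path $exe -NewName ("$(Split-Path $exe -Leaf).disabled") -Force
        Write-Output "  renamed to $exe.disabled"
    }
}

# The advisory says MicTray is registered as a scheduled task run at logon but gives
# no task name, so match on the action's executable. Get-ScheduledTask needs
# Windows 8 / PowerShell 3 or later; on Windows 7 inspect Task Scheduler manually.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'MicTray' }
    } | ForEach-Object {
        Write-Output "TASK  $($_.TaskPath)$($_.TaskName)  state=$($_.State)"
        if ($Remediate) { $_ | Disable-ScheduledTask | Out-Null; Write-Output "  disabled" }
    }
}

# The log holds scancodes of everything typed, so report its size only and never its contents.
if (Test-Path $LogFile) {
    $len = (Get-Item $LogFile).Length
    Write-Output "LOG   $LogFile  size=$len bytes (sensitive: keystroke scancodes)"
    if ($Remediate) { Remove-Item -Path $LogFile -Force; Write-Output "  deleted" }
}
```

Run it once without -Remediate to see what is present, then again with the switch; backed-up copies of MicTray.log elsewhere on the disk still have to be located and removed by hand.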

Modzero isn’t happy with the runaround it’s getting from HP. The group says it discovered the keylogger in MicTray 1.0.0.31 back on April 28. Modzero contacted Conexant the same day, and when the keylogger was found in the latest audio drivers, it contacted HP Enterprise on May 1. Then on May 5, modzero got a response from HP Enterprise, which “tried to reach for security folks at HP Inc. to gain attention.” Looks like HP Enterprise and HP Inc. aren’t talking to each other—I bet they start talking now.

Discussion continues on the AskWoody Lounge.

Copyright © 2017 IDG Communications, Inc.
