Samsung's laptop keylogger a 'false alarm'

Korean electronics giant Samsung today confirmed that it did not install keyloggers on two of its laptops as claimed by an IT consultant yesterday. 

"The statements that Samsung installs keylogger on R525 and R540 laptop computers are false," it said in a statement on Thursday afternoon. 

Yesterday US IT magazine Network World published a claim by Canadian IT consultant Mohamed Hassan that a Samsung support officer confirmed keylogging software called StarLogger was there “to find out how the computer is being used.”

The claim was reminiscent of the 2005 Sony security fiasco in which the record label planted a rootkit on its music CDs to protect its copyright. 

But Samsung had done nothing of the sort. It and a host of security vendors have pointed to the GFI-owned Sunbelt security software, VIPRE, for delivering a false reading or "false positive".

“Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft’s Live Application for a key logging software, during a virus scan,” said Samsung.

VIPRE had mistakenly associated a folder named "SL" in Microsoft’s Live Application multi-language support folder as StarLogger -- a known and recorded piece of malware.

The "SL" was not the keylogger, but a folder denoting the Slovene language.  

“Depending on the language, under C:\windows folders "SL" for Slovene, "KO" for Korean, "EN" for English are created,” Samsung explained. 

Searching for “SL” in the root of the Windows directory was a “very bad idea”, according to Mikko Hypponen, chief research officer at Finnish antivirus firm F-Secure.

Hypponen yesterday said he found “all this is a bit hard to believe,” noting that it and many other AV vendors detect StarLogger as "Trojan.Generic.5223315".

"We have not seen any kind of peak of StarLogger reports," he said.

“Unfortunately Mohamed Hassan (CISSP) who did the original analysis did not double check his findings and blamed Samsung instead. Apparently he did not look at the contents of the "SL" folder at all,” Hypponen wrote today. 

Alex Eckelberry, general manager of GFI security has posted an admission that its software was at fault. 

"The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic," he said, referring to behavioural-based techniques used to detect malware. 

"These types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process." 

But Eckelberry points out that many AV products use this technique.

"It’s not common knowledge, but folder path detections are actually used by a good number of antimalware products, but are generally frowned upon as a folder that looks clearly like one for malware has the potential of generating just this kind of result — a false positive."