ADVISORY: Install HP patch to remove keylogger

Friday, May 12, 2017

This information is intended for U-M IT staff who are responsible for university HP laptops and tablets, as well as any other computer containing the affected Conexant driver. It may also be of interest to people who manage their own personal HP laptop or tablet. This information was sent through email to U-M IT staff groups on May 12, 2017.

Summary: 

An audio driver installed on some 2015 and 2016 Hewlett-Packard (HP) laptops contains a feature that records every keystroke the user makes and stores this information in an unencrypted log file. HP has released patches to remove the keylogger and delete the log file. The patches, available via Windows Update and from HP.com, should be applied as soon as possible after appropriate testing.

Problem: 

The pre-installed audio driver puts an executable file in the Windows system folder that is scheduled to start every time the user logs in and to capture and log all keystrokes. The file is intended for use in controlling audio hardware when a user presses special keys, and the keylogger appears to have been intended for debugging. The log file, which is overwritten every time the user logs out, is located at C:\Users\Public\MicTray.log. If, however, any kind of incremental backup system is in place, there could be an ongoing record of everything the user types, including passwords.

Affected Systems: 

The driver, developed by audio chip maker Conextant, is loaded on more than two dozen models of HP laptops and tablets, including the HP Elitebook, ProBook, and ZBook models. For a complete list of systems known to be affected, see the ModZero security advisory.

Action Items: 
  • Apply patches to affected laptops when available. As of 10:00 a.m. May 12, patches for 2016 models are available. Patches for 2015 models are expected by the end of the day. Check for patches at:
    • Windows Update
    • HP.com (you may need to enter your model number)
  • If patches are not yet available for an affected device, you can do the following in the meantime:
    • Check to see if C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.
    • If you find one of the files listed above, delete it to prevent it from logging keystrokes. Be aware that this will stop certain special keys from working.
    • Also delete the C:\Users\Public\MicTray.log file; it may contain sensitive information such as passwords and login credentials.
Threats: 

A person or malicious software with local access to the user's files on an affected computer could obtain passwords, visited web addresses, private messages, and any other sensitive information that the user has typed.

Technical Details: 

According to the ModZero security advisory: "Conexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. It monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetwindowsHookEx(). In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log)."

For more detail, see the ModZero security advisory.

Detection: 

Check to see if C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed.

Information for Users: 

MiWorkspace machines will be updated as soon as possible. If you have an affected device that is not managed by the university, please check for updates via Windows Update or HP.com and apply them.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.