Wednesday, March 30, 2011

Samsung installs keylogger on its laptop computers Part 1 | Network World

From Network World:

This story appeared on Network World at
http://www.networkworld.com/newsletters/sec/2011/032811sec2.html

Samsung installs keylogger on its laptop computers

Part 1 – The Discovery

Security Strategies Alert By M. E. Kabay and Mohamed Hassan Mohamed Hassan, Network World
March 30, 2011 12:07 AM ET

Mohamed Hassan, MSIA, CISSP, CISA graduated from the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009. As usual, it is a pleasure to collaborate with an alumnus on interesting articles – and in this case, his research is startling. Everything that follows is Mr Hassan's own work with minor edits.

* * *

In the fall of 2005, the security and computer world was abuzz with what was at the time dubbed as the "Sony BMG rootkit Fiasco." Sony BMG used a rootkit, computer program that performs a specific function and hides its files from the regular user, to monitor computer user behavior and limit how music CDs were copied and played on one's computer.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Mohamed Hassan, MSIA, CISSP, CISA graduated from the Master of Science in Information Assurance (MSIA) program from Norwich University in 2009. As usual, it is a pleasure to collaborate with an alumnus on interesting articles – and in this case, his research is startling. Everything that follows is Mr Hassan's own work with minor edits.

* * *

In the fall of 2005, the security and computer world was abuzz with what was at the time dubbed as the "Sony BMG rootkit Fiasco." Sony BMG used a rootkit, computer program that performs a specific function and hides its files from the regular user, to monitor computer user behavior and limit how music CDs were copied and played on one's computer.

The issue was not about the extent Sony BMG had gone to protect its music CD, but more about the manner in which it accomplished its business objective. Following the wide publication of this security incident, there was torrent of bad press for Sony BMG; its earlier denial of the presence of the rootkit on its music CDs did not help. There were class-action lawsuits as well as state and federal investigations, one of which was spearheaded by the United States Federal Trade commission (FTC). 

Read Samsung's response, or lack thereof

Sony BMG settled the federal lawsuit with the FTC without admitting guilt. However, given the number of CDs it was ordered to replace and the agreed upon compensation of up to $150 per computer owner it had to pay to consumers whose computers may have been damaged as a result of attempts to remove the rootkit, the $575 million payout for the incident was far more expensive than any return on investment Sony BMG may have received by preventing the potential consumer from copying, illegal distribution or sharing of the music CDs.

Some in the computer security industry had hoped that the criminality of the act that Sony BMG had engaged in together with the huge business costs associated with the settling of the case with consumers and federal authorities would act as a deterrent to any company which might want to monitor computer usage. Others, including Mark Russinovich, the developer and blogger who first discovered the rootkit, were not so sure. In fact Mr. Russinovich warned that "Consumers don't have any kind of assurance that other companies are not going to do the same kind of thing (as Sony)" (Borland, 2005).

How right has Mr. Russinovich been!

While setting up a new Samsung computer laptop with model number R525 in early February 2011, I came across an issue that mirrored what Sony BMG did six years ago.  After the initial set up of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software. The scan found two instances of a commercial keylogger called StarLogger installed on the brand new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.

According to a Starlogger description, StarLogger records every keystroke made on your computer on every window, even on password protected boxes.

This key logger is completely undetectable and starts up whenever your computer starts up. See everything being typed: emails, messages, documents, web pages, usernames, passwords, and more. StarLogger can email its results at specified intervals to any email address undetected so you don't even have to be at the computer your[sic] are monitoring to get the information. The screen capture images can also be attached automatically to the emails as well as automatically deleted.

After an in-depth analysis of the laptop, my conclusion was that this software was installed by the manufacturer, Samsung. I removed the keylogger software, cleaned up the laptop, and continued using the computer. However, after experiencing problems with the video display driver, I returned that laptop to the store where I bought it and bought a higher Samsung model (R540) from another store.

Again, after the initial set up of the laptop, I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops.

[Mich Kabay adds:]

Research online brought up a discussion of "Samsung rootkit" from May 2010 in which contributors reported a freeze on rootkit scans of Samsung laptop computers. However, no one seems to have reported a StarLogger installation as far as we have been able to determine using Web search engines.

In the next article, Mr Hassan discusses how Samsung responded to his discovery.

No comments:

Post a Comment