Keylogger on Samsung laptops proves to be false alarm

Posted by   Virus Bulletin on   Mar 31, 2011

AV product wrongly flags malware based on existence of directory.

A number of security bloggers raised concern yesterday about the apparent presence of a keylogger on Samsung laptops - only to realise it was, in fact, a false positive.

A Network World reporter discovered the 'keylogger' on two different makes of Samsung laptops. Reminded of a similar case in 2005, when Sony CDs installed rootkits on users' PCs, he suspected that the Korean company intended to spy on its customers.

The apparent malware was detected by by GFI's VIPRE anti-malware solution based on the existence of a C:\Windows\SL directory on the computer. This directory, however, is also created by the Microsoft Live! application suite, which is installed on Samsung laptops. After seeing the VIPRE alert the reporter failed to double-check the detection with other anti-virus products.

While detecting malware based purely on the existence of a single directory is probably a bad idea, this story also contains a lesson for reporters and researchers: an alert generated by a piece of security software does not automatically prove the existence of a malicious file.

More at F-Secure's blog here and at Sophos's Naked Security blog here, while interested readers may want to read Mark Russinovich's article on his discovery of the Sony rootkit in Virus Bulletin of December 2005 here (free registration required).

Posted on 31 March 2011 by Virus Bulletin



Latest posts:

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.