The keylogging code was embedded in the SynTP.sys file, which is a module of the Synaptics Touchpad driver that ships with HP notebook models.
“The logging was disabled by default but could be permitted by setting a registry value,” said a security researcher going by the Title of ZwClose, who identified the flaw earlier this year.
That registry key is:
HKLM\Software\Synaptics\%ProductName% HKLM\Software\Synaptics\%ProductName%\Default
Malware devs can use this registry key to enable the keylogging function and spy on users using native kernel-signed tools, undetectable by security products. All they have to do is to avoid a UAC prompt when changing the registry key. There are tons of methods of bypassing UAC prompts currently available.
“The keylogger saved scan keys to a WPP trace,” said ZwClose. WPP software copy is a technique used by app developers and is meant for debugging code during development.
After reporting the issue, the researcher said HP devs honestly admitted the keylogging code was a leftover from debugging settings and “released an update that removes the trace.”
This is not the first time HP engineers have forgotten debugging code inside a driver. The same thing appeared in May when they left related keylogging code inside an audio driver.
HP published a list of affected notebooks. The list is 475 models-long and adds 303 consumer notebooks and 172 business notebooks, mobile thin clients, and mobile workstations. Affected model lines include HP’s 25*, mt**, 15*, OMEN, ENVY, Pavilion, Stream, ZBook, EliteBook, and ProBook series, along with several Compaq models.
Add Comment