NEWS FROM THE LAB - Thursday, March 31, 2011

Confirmed: Samsung is Not Shipping Keyloggers Posted by Mikko @ 12:25 GMT

We now have confirmation for what we wrote in our previous blog post: Samsung is not shipping keyloggers on their laptops.

The whole saga was caused by a false alarm of the VIPRE Antivirus product. Apparently VIPRE detects the StarLogger keylogger by searching for the existence of a directory called "SL" in the root of the Windows directory. This is a bad idea.

As an example, here's a screenshot showing VIPRE alerting on a completely clean Windows computer after an empty "SL" folder was created:


As some Samsung laptops do indeed have a folder called "C:\WINDOWS\SL" on them by default, VIPRE would alert on them with a similar warning.

Unfortunately Mohamed Hassan (CISSP) who did the original analysis did not double-check his findings and blamed Samsung instead. Apparently he did not look at the contents of the "SL" folder at all.

Samsung is innocent.

Many thanks to fellow Twitterers @the_pc_doc, @SecurityLabsGR and @paulmutton who helped with the investigation!

Updated to add: Alex Eckelberry has published a blog post explaining further why VIPRE had the false alarm.