Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

GFI apologizes for false alarm on Samsung keyloggers

'It's just mud on our face,' says security firm exec

When Alex Eckelberry first read news reports on Wednesday that some of Samsung's R Series laptops contained keylogging software, he was as astounded as everybody else.

"I was really interested in the story. I thought if someone had found a keylogger, that's pretty hardcore," said Eckelberry, who is general manager of GFI Security, a maker of e-mail and Web security products.

The only other known instance of a vendor secretly installing similar software was Sony BMG, which got into all sorts of trouble for the infamous rootkit brouhaha in 2005 .

Eckelberry's surprise at Samsung quickly turned to acute embarrassment when he began getting reports from colleagues that the evidence for the supposed keyloggers was based on a false positive from VIPRE, a malware-detection product sold by GFI.

The problem wasn't that Samsung was secretly installing keyloggers on its systems, but that GFI's software was mistakenly reporting that the laptops contained the malware.

"We just fell on our sword on this," Eckelberry said in an interview today. "It's just mud on our face."

VIPRE is technology that was developed by Sunbelt Software, a company GFI purchased last year.

In a statement today , Samsung denied that its computers contain keylogging software.

The company was responding to a report by Computerworld's sister publication, Network World on Wednesday. In the report , Mohammed Hassan, an IT security consultant in Toronto claimed that he had found a keylogger called Starlogger in a couple of brand new Samsung laptops they had purchased in Canada.

The researcher's claims prompted speculation that Samsung could be in legal trouble if it were installing keylogging software on products sold to the general public. The story was later picked up by the IDG News Service , which is owned by IDG, Computerworld's parent company.

After investigating the claims , Samung said that the allegations were false.

"Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft's Live Application for a key logging software, during a virus scan," the company said. "The confusion arose because VIPRE mistook Microsoft's Live Application multi-language support folder, "SL" folder, as StarLogger," Samsung said.

The directory that caused the confusion was C:\WINDOWS\SL, Eckelberry said. While that is the Slovenian language directory for Windows Live, it is also the directory path used by the Starlogger keylogger, he said.

So when VIPRE encountered the SL directory on the Samsung laptops, it automatically flagged it as Starlogger, he said.

In a blog post this morning, Eckelberry said such detection based on folder paths as a heuristic was rarely used by VIPRE.

"I want to emphasize 'rarely,' as these types of detections are seldom used, and when they are, they are subject to an extensive peer review and QA process," Eckelberry wrote, while apologizing to Samsung and the researcher who reported the problem.

Though folder path detections are fairly commonly used by many anti-malware products, the practice is generally frowned upon because of the potential it holds for generating false positives -- as happened this time, he said.

"It's such a rarely used detection method," Eckelberry said. "To have this type of heuristic create the issue for us is a big embarrassment for us."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ABS, BMG, etwork, GFI, IDG, Microsoft, Samsung, Sony, Sunbelt, Sunbelt Software, Topic, Windows Live
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: hardware systems, laptops, security, Security Hardware and Software, sony, Sunbelt Software
Latest Blog Posts
Whitepapers
  • A Technical Overview of the Oracle Exadata Database Machine and Exadata Storage Server
    Businesses today increasingly need to leverage a unified database platform to enable the deployment and consolidation of all applications onto one common infrastructure. Whether OLTP, DW or mixed workload a common infrastructure delivers the efficiencies and reusability the datacenter needs – and provides the reality of grid computing in-house. Read on.
    Learn more »
  • Control your Print Environment
    In your ongoing quest to maximize productivity and drive down costs, you might be surprised by the savings and greater competitive advantage you can achieve with a fully optimised and well-managed printing and imaging environment. In fact, studies have shown that managing your fleet holistically can save you upwards of 30% on your printing costs. And the savings increase exponentially when the scope of work includes automating your paper intensive workflows. Read more.
    Learn more »
  • Agile: Transforming small-team thinking into big business results
    Agile is fast becoming the development method of choice for many Australian businesses. This whitepaper discusses key trends and best practices for scaling agile within complex organisations.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments