A folder on two Samsung laptops examined by a Network World guest columnist that were thought to contain a key logger called StarLogger turned out to be a legitimate folder associated with Microsoft (NASDAQ: MSFT) Live Applications.
The episode started in February when security consultant Mohamed Hassan bought a Samsung laptop and ran VIPRE scanning software on it in preparation for use. It flagged the folder C:\WINDOWS\SL as being StarLogger.
Hassan deleted it and used the computer until it developed hardware problems, so he returned it and bought a second, more powerful Samsung laptop to replace it. When prepping that machine for use, VIPRE again flagged C:\WINDOWS\SL as StarLogger. He opened the folder and found a single file inside. He deleted the file and the folder.
Then he looked up online what StarLogger could do and wondered why it was installed on the laptops in the first place. He called Samsung’s service desk to ask, and he says he eventually spoke to a supervisor who told him Samsung installed it to see how the machines are used.
Hassan says he assumed that VIPRE’s identification of C:\WINDOWS\SL as StarLogger was accurate because he’s been using VIPRE for years and it’s never turned in a false positive before. “That is the downside of when you get attached to a tool,” he says. In hindsight, he says it would have been better to use a second tool to confirm the finding.
Hassan says he also believed the Samsung service supervisor’s confirmation that the company did indeed put a key logger on the machines. Had he not heard that, he says he would have restored the drive and further examined the folder.
Hassan is a former student of Mich Kabay who writes the Security Strategies Alert newsletter for Network World, and he told Kabay about his discovery. Kabay said he was interested in publishing what Hassan had found, and they wrote it up.
Kabay says he e-mailed a draft of the blog to three different public relations people representing Samsung, telling them he planned to publish it in a week. None of them got back to him. He says Samsung officials told him one of the e-mails was caught in a spam filter – Kabay says he sent them from a Gmail account – and it’s not clear what happened to the others, but the messages didn’t result in a response.
The columns were posted online Wednesday, and researchers who read them dug into the allegation. What they found was that VIPRE returns a false positive on C:\WINDOWS\SL because it uses an aggressive detection method called folder path detection, which flags a file by the directory it sits in rather than by its contents. The folder is actually a Microsoft Live Applications support folder for the Slovenian language.
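The following is an added illustration, not code from the article, GFI Labs or VIPRE, of why a folder-path rule alone misfires and how corroborating it with a content hash (or, as Hassan puts it above, a second tool) separates a lead from a finding. The file system, file contents, the StarLogger path rule and the hash rule are all constructed for this example.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed mini file system (path -> bytes). Contents are made up for
# the example: the SL folder holds a benign language-support file, while a
# hypothetical keylogger body sits somewhere the path rule never looks.
SAMPLE_FS: Dict[str, bytes] = {
    "C:\\WINDOWS\\SL\\sl.lng": b"constructed Slovenian (sl-SI) language-support data",
    "C:\\WINDOWS\\system32\\kernel32.dll": b"constructed benign system file",
    "C:\\Users\\Public\\update.dll": b"constructed keylogger sample body",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical signature database. PATH_RULES mimics the kind of
# folder-path detection described in the article; HASH_RULES is a
# content signature computed from the constructed sample above.
PATH_RULES: Dict[str, str] = {"C:\\WINDOWS\\SL\\": "StarLogger"}
HASH_RULES: Dict[str, str] = {
    sha256_hex(b"constructed keylogger sample body"): "StarLogger",
}


def path_hits(fs: Dict[str, bytes]) -> Dict[str, str]:
    """Folder-path detection: flag every file under a listed folder, whatever
    its contents. Paths are compared case-insensitively as on Windows, and the
    trailing backslash in the prefix keeps C:\\WINDOWS\\SLX from matching."""
    hits: Dict[str, str] = {}
    for path in fs:
        low = path.lower()
        for prefix, family in PATH_RULES.items():
            if low.startswith(prefix.lower()):
                hits[path] = family
    return hits


def hash_hits(fs: Dict[str, bytes]) -> Dict[str, str]:
    """Content-based detection: flag a file only if its hash is known-bad."""
    hits: Dict[str, str] = {}
    for path, data in fs.items():
        family = HASH_RULES.get(sha256_hex(data))
        if family is not None:
            hits[path] = family
    return hits


def triage(fs: Dict[str, bytes]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Combine both signals. A content match is strong enough to act on; a
    path-only match is a lead that needs an independent check (a second
    scanner, a hash lookup, or simply opening the file) before deleting it."""
    by_path, by_hash = path_hits(fs), hash_hits(fs)
    verdicts: Dict[str, Tuple[str, Optional[str]]] = {}
    for path in fs:
        if path in by_hash:
            verdicts[path] = ("confirmed", by_hash[path])
        elif path in by_path:
            verdicts[path] = ("needs-verification", by_path[path])
        else:
            verdicts[path] = ("clean", None)
    return verdicts


if __name__ == "__main__":
    for path, (verdict, family) in triage(SAMPLE_FS).items():
        print(f"{verdict:18} {family or '-':10} {path}")
```

Run as-is, the benign file under C:\WINDOWS\SL comes back as "needs-verification" rather than "confirmed", which is exactly the point at which a second tool or a look inside the folder should have happened; the constructed sample outside that folder is caught by its hash even though no path rule covers it.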
GFI Labs, the maker of VIPRE, acknowledged responsibility for the false positive and says it has corrected the problem.

Since publication, Kabay has been in close contact with Samsung, which has supplied him with two virgin laptops like the ones Hassan bought. He and Peter Stephenson, the director of the Center for Advanced Computing and Digital Forensics at Norwich University in Vermont, plan to do a thorough forensic analysis of the drives on the laptops using Wetstone Technology's Gargoyle Investigator malware discovery tool.
They say they plan to publish their findings Monday. Kabay says Samsung’s main concern since the columns were posted has been to determine conclusively that the laptops have not been compromised in the factory.