Comments

Or not: http://www.f-secure.com/weblog/archives/00002133.html
A mea culpa from GFI has been issued. It was a false positive. From the article, "The detection was based off of a rarely-used and aggressive VIPRE detection method, using folder paths as a heuristic"

http://sunbeltblog.blogspot.com/2011/03/samsung-laptops-do-not-have-keylogger.html
old rumor, and not true
"... Remind anyone of the Sony "rootkit" from a couple years ago?"
Sorta-kinda, but in that case I recall they "asked Symantec" to "overlook" their Sony 'stuff' and Symantec complied. 'Not sure the same is true here, but of course, that remains to be seen.
I've been using this story as a sort of "litmus test" for good security reporting. I'm sad to see Sans fail. This is a story that's so obviously dubious from the start that any reasonable publication should have asked some very specific questions before publishing anything about it. For instance: Is this Hassan guy for real? He claims his tool is false-positive proof because it hasn't had a false-positive in 6 years. That's baloney. If he hasn't had a false positive in 6 years, it should make him less trusting of the tool, not MORE trusting. Every tool gives false positives. If it doesn't, you should question whether that tool is detecting real infections or not.

Furthermore, no one seems to have bothered to check on this BEFORE publishing. It seems easy enough to check.

Finally, the existence of a Windows/SL folder is not proof of infection. I could go create a Windows/SL folder and that wouldn't mean I'm infected.

Give us some hashes, or at least some filenames. Let's not get people freaking out just because they have a folder called "SL"...

I think what we SHOULD be doing is questioning the amount of trust we're giving to OEMs. For instance, none of them ever ship an OS disk from Microsoft anymore. They all ship with "restore partitions." That means that the OEM (or potentially third-party attackers) could install software to the restore partition that would not be removed if the customer restores their computer (as it would be if they installed with an OS CD from Microsoft).

While this claim should have been scrutinized much better, I do think it raises questions about OEM trust that security professionals should consider.
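The comment above objects that a folder path such as Windows\SL is not evidence of infection and asks for hashes instead. The following added example (not code from any commenter, GFI or Samsung) contrasts the two approaches on a constructed directory tree: a path-only heuristic, which fires on an empty or benign folder exactly as the false positive discussed here did, and a check that only reports files whose SHA-256 matches a known-bad list. The "known-bad" hash is computed from a constructed sample payload purely for the demonstration; it is an assumption, not a real StarLogger indicator.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative path the flawed heuristic keys on (from the thread: c:\windows\SL).
SUSPICIOUS_PATH = Path("Windows") / "SL"

# Constructed for this demo: a real detection would load vetted hashes from
# threat intel. This value is NOT a real malware hash.
_SAMPLE_PAYLOAD = b"constructed sample payload, not real malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(_SAMPLE_PAYLOAD).hexdigest()}


def path_heuristic(root: Path) -> bool:
    """The flawed approach: flag the host merely because the folder exists."""
    return (root / SUSPICIOUS_PATH).is_dir()


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_verified(root: Path, bad_hashes=KNOWN_BAD_SHA256) -> list:
    """Evidence-based approach: report only files whose content hash is known-bad.

    Returns relative POSIX-style paths of matching files, so the analyst gets
    concrete artifacts (and their hashes) rather than a bare folder name.
    """
    folder = root / SUSPICIOUS_PATH
    if not folder.is_dir():
        return []
    return sorted(
        p.relative_to(root).as_posix()
        for p in folder.rglob("*")
        if p.is_file() and sha256_of(p) in bad_hashes
    )


def demo() -> dict:
    """Run both checks against a constructed tree in two states.

    State 1: the folder exists but holds only a harmless text file.
    State 2: a file whose hash is on the known-bad list has been planted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        folder = root / SUSPICIOUS_PATH
        folder.mkdir(parents=True)
        (folder / "readme.txt").write_text("nothing to see here")
        benign = {
            "path_heuristic": path_heuristic(root),   # True: a false positive
            "hash_verified": hash_verified(root),     # []: no evidence
        }

        (folder / "sample.bin").write_bytes(_SAMPLE_PAYLOAD)
        planted = {
            "path_heuristic": path_heuristic(root),   # True again, no more informative
            "hash_verified": hash_verified(root),     # the actual artifact
        }
    return {"benign": benign, "planted": planted}


if __name__ == "__main__":
    for state, result in demo().items():
        print(state, result)
```

The point the code makes is the one the comment makes: the path heuristic returns the same answer in both states, so it cannot distinguish a stray folder from an infection, whereas the hash check names the file an incident responder can actually collect and compare against a vendor's published indicators.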
An interesting case where false positives -- how one AV error can lead to rumors and panic, apparently not just within an organization, when false positives crop at some machine on your network, provoking a full incident response and possibly lots of interrogation from management -- but on the internet as well.

False positive based on flawed heuristics.
Ok, fine, maybe the false positive is acceptable... but how does that become so widely posted an article? No thorough investigation by the finder before the finding was entertained, or by the person publishing the finder's result?
I wonder

Why would a Samsung employee be jumping out of their shell to admit: 'it's installed to "monitor the performance of the machine and to find out how it is being used."'
Rather than investigating the claim, and weighing their options before admitting?
I would call that an "oops" as well.

So.. to recap the possible screwups involved:
(1) Overly aggressive low-quality heuristic; comes up with a false positive. (multiple screwups by AV vendor)
(2) A person who found the 'malware' botched things up, in relying on that heuristic result without verifying there was actually a threat, and reported that to someone (a blogger perhaps)... excusable -- finder may have been a naive user, blindly relying on their AV (all they can do).
(3) The journalists/bloggers really messed up, or whoever "analyzed" the finder's report messed up by originally reposting insufficiently validated findings... took the finder's word, without sufficient fact checking or at least having an expert or analyst check it out?
Possibly excusable, in that Samsung allegedly validated it.

(4) Possibly someone at Samsung really messed up, by implicitly admitting it really was installed? When instead, they should have collected evidence, admitted nothing and investigated the matter before coming to a conclusion.


Lesson: Just because you distributed something and someone said it contained "X malware" doesn't mean you make up reasons to try to explain it. Sometimes the answer should really be "We don't think so, but we will investigate."

If it's true what Samsung said, and if it was official in any way.... I wonder what _other_ (non-virus) software might be lurking about on their OS-preinstalled laptops?
The original article was just terrible. I love how the author kept referring to Mark Russinovich's research. The author of this article merely claimed to have done extensive verifying. Mr. Russinovich gave incredibly detailed information on how he discovered the problem and how he verified it.

My favorite part is this:

"Again, after the initial set up of the laptop, I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops. "

What AV tool is false-positive proof? Was this the extent of the verification? I would really love to see the research done on this... even just the contents of the folder.

It's just disappointing that he made a claim with such damaging implications without presenting ample evidence.
The original MSNBC article is no longer available at the linked URL. See http://www.msnbc.msn.com/id/42347877 for an updated article.
Thanks everyone for putting in their two cents. It's quite sad that MSNBC put it out as is.

I think Pete says the point best in the above:
"I think what we SHOULD be doing is questioning the amount of trust we're giving to OEMs. For instance, none of them ever ship an OS disk from Microsoft anymore. They all ship with "restore partitions." That means that the OEM (or potentially third-party attackers) could install software to the restore partition that would not be removed if the customer restores their computer (as it would be if they installed with an OS CD from Microsoft)."

I think this is a great point. I'm glad that we have a community as large as the Internet Storm Center where people can write in and debunk the article, but also where people can look into their own computers and question things like this.