AV product wrongly flags malware based on existence of directory.
A number of security bloggers raised concern yesterday about the apparent presence of a keylogger on
Samsung
laptops – only to realise it was, in fact, a false positive.
A
Network World
reporter discovered the ‘keylogger’ on two different makes of
Samsung
laptops. Reminded of a similar case in 2005, when
Sony
CDs installed rootkits on users’ PCs, he suspected that the Korean company intended to spy on its customers.
The apparent malware was detected by by
GFI
‘s
VIPRE
anti-malware solution based on the existence of a
C:WindowsSL
directory on the computer. This directory, however, is also created by the
Microsoft Live!
application suite, which is installed on
Samsung
laptops. After seeing the
VIPRE
alert the reporter failed to double-check the detection with other anti-virus products.
While detecting malware based purely on the existence of a single directory is probably a bad idea, this story also contains a lesson for reporters and researchers: an alert generated by a piece of security software does not automatically prove the existence of a malicious file.
More at
F-Secure
‘s blog
here
and at
Sophos
‘s
Naked Security
blog
here
, while interested readers may want to read Mark Russinovich’s article on his discovery of the
Sony
rootkit in
Virus Bulletin
of December 2005
here
(free registration required).
Posted on 31 March 2011 by
Virus Bulletin
Leave a Reply