How to remove HP’s (latest) Notebook Keyboard Driver Keylogger

HP has released driver updates for hundreds of notebook models to remove debugging code that an attacker could have abused as a keylogger component. The keylogging code was present in the SynTP.sys file, which is part of the Synaptics Touchpad driver that ships with some HP notebook models.

The keylogging was disabled by default but could be enabled by setting a registry value.

  • HKLM\Software\Synaptics\%ProductName%
  • HKLM\Software\Synaptics\%ProductName%\Default

Real examples:

  • HKLM\Software\Synaptics\SynTP
  • HKLM\Software\Synaptics\SynTP\Default
  • HKLM\Software\Synaptics\PointerPort
  • HKLM\Software\Synaptics\PointerPort\Default

Malware developers can use this registry key to enable the keylogging behavior and spy on users through a native, kernel-signed driver, which security products do not detect. All they have to do is bypass a UAC prompt when tweaking the registry key. There are tens of methods of bypassing UAC prompts currently available.

Which notebooks are affected?

  • HP G4
  • HP G5
  • HP G6
  • EliteBook
  • EliteBook Folio
  • HP mt* thin clients
  • HP ProBook
  • HP zBook mobile workstations
  • Various Compaq notebooks
  • HP 15
  • HP 17
  • HP ENVY
  • HP Pavilion & Omen

How to remove the logger?

Delete the registry keys and install the new driver, which is offered by Windows Update or via the official HP page.
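
The audit and removal steps above as a PowerShell script. This is an added example, not code from HP, Synaptics or the original post. Assumptions: the driver sits in the standard `System32\drivers` directory, and the `-Remove` switch name is hypothetical.

```powershell
# Added audit example; not HP's or Synaptics' tooling.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: delete the keys after review (the page's removal step).
    [switch]$Remove
)

# Key paths exactly as listed on the page.
$keys = @(
    'HKLM:\Software\Synaptics\SynTP',
    'HKLM:\Software\Synaptics\SynTP\Default',
    'HKLM:\Software\Synaptics\PointerPort',
    'HKLM:\Software\Synaptics\PointerPort\Default'
)

# Assumption: SynTP.sys is installed in the standard Windows driver directory.
$driver = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'

foreach ($path in $keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "absent   $path"
        continue
    }
    Write-Output "present  $path"
    $key = Get-Item -LiteralPath $path
    # The page does not name the enabling value, so list every value for review.
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        Write-Output ("    {0} ({1}) = {2}" -f $name, $kind, $key.GetValue($name))
    }
}

if (Test-Path -LiteralPath $driver) {
    $info = (Get-Item -LiteralPath $driver).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $driver
    Write-Output "driver   $driver"
    Write-Output "    FileVersion = $($info.FileVersion)  Signature = $($sig.Status)"
    # Compare FileVersion with the fixed version HP lists for the model in HPSBHF03564.
} else {
    Write-Output "driver   SynTP.sys not found at $driver"
}

if ($Remove) {
    foreach ($path in $keys) {
        # Test-Path again: a parent removal may already have deleted a child key.
        if ((Test-Path -LiteralPath $path) -and $PSCmdlet.ShouldProcess($path, 'Remove registry key')) {
            Remove-Item -LiteralPath $path -Recurse -Force
        }
    }
}
```

Run it from an elevated PowerShell session; adding `-WhatIf` to `-Remove` previews the deletions without making them.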

Source

  • HPSBHF03564 rev 1 – Synaptics Touchpad Driver Potential, Local Loss of Confidentiality (support.hp.com)

1 reply on “How to remove HP’s (latest) Notebook Keyboard Driver Keylogger”

“There are tens of methods of bypassing UAC prompts currently available.”

Good to hear cos I always disable UAC. Too annoying for me.
