Mohamed Hassan, who supposedly first found the keylogger, ran a security program on his brand new Samsung laptop, and that program came to the conclusion that the keylogger StarLogger was installed in %SystemRoot%\sl. However, Samsung immediately investigated the matter, and came to a rather humbling conclusion. Well, humbling for Hassan, that is.
It's a simple test you can even repeat at home, and several people have confirmed that it indeed works. Basically, what we're seeing here is a security program giving a false positive. Steps to reproduce Hassan's results are as follows:
1. Create the directory
2. Download and install VIPRE
3. It will identify the folder created in step 1 as StarLogger
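The reproduction above implies a verdict keyed on a directory name alone. As an added illustration (not code from Samsung, VIPRE or the original article), the following Python example contrasts a path-only rule with a check that also looks for executable content before raising the verdict. The rule, the function names and the sample files are assumptions, since the scanner's actual signature logic is not described here.

```python
import os
import tempfile

# Assumption: the only thing known from the reproduction steps is that an
# empty "sl" directory under %SystemRoot% is enough to trigger the verdict.
FLAGGED_DIR = "sl"

def path_only_verdict(system_root):
    """Naive rule: report a detection as soon as the directory exists."""
    return os.path.isdir(os.path.join(system_root, FLAGGED_DIR))

def has_pe_header(path):
    """True if the file starts with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def corroborated_verdict(system_root):
    """Return (verdict, evidence): a path match alone is never 'suspicious'."""
    target = os.path.join(system_root, FLAGGED_DIR)
    if not os.path.isdir(target):
        return "clean", []
    executables = []
    for dirpath, _dirs, files in os.walk(target):
        for name in files:
            full = os.path.join(dirpath, name)
            if has_pe_header(full):
                executables.append(os.path.relpath(full, target))
    if executables:
        return "suspicious", sorted(executables)
    return "path-match-only", []

def demo():
    """Run both rules against three constructed states of a fake system root."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, FLAGGED_DIR))  # step 1 of the reproduction
        results["empty"] = (path_only_verdict(root), corroborated_verdict(root))
        # Constructed language-resource file, standing in for localisation data
        with open(os.path.join(root, FLAGGED_DIR, "strings.txt"), "w") as fh:
            fh.write("Hallo\n")
        results["resources"] = (path_only_verdict(root), corroborated_verdict(root))
        # Constructed stub carrying only the 'MZ' magic bytes
        with open(os.path.join(root, FLAGGED_DIR, "agent.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
        results["pe"] = (path_only_verdict(root), corroborated_verdict(root))
    return results

if __name__ == "__main__":
    for state, verdicts in demo().items():
        print(state, verdicts)
```

The path-only rule fires in all three states, including the empty directory from step 1, while the corroborated rule only escalates once an executable is actually present.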
Now, to Hassan's credit, I'm not entirely sure where Samsung got the idea that Hassan used VIPRE; I can find no reference to the tool in Hassan's articles. However, it might be that Samsung has more information than we do, since Hassan contacted Samsung about this, and probably mentioned to Samsung which tool he used. We have to believe Samsung on their blue eyes here, I guess (Dutch saying, no idea if it works in English).
You might be wondering - why would there be an sl directory in my Windows system folder? Well, it's not there by default for sure, but it's created by the Live application suite for multi-language support. I would love to test this out myself, but obviously, I'm not going to infect my computer with antivirus software that I've never heard of. Or even those that I have heard of. Especially not the ones I have heard of.
However, comments on the web indicate that Samsung's three-step process indeed reliably produces the same outcome. It's pretty sad that a story so light on details can spread so fast. We also posted the story, so we contributed to that, so apologies from us, too. We did have a question mark though, so, yeah.