Samsung and keyloggers

Search This thread

gigadigit

Senior Member
Jun 11, 2010
97
0
I read on the Tech blogs that Samsung put keyloggers on their notebook computers.

I am wondering, do they do that on their tablets too?
 

fragdagain

Member
Dec 29, 2010
5
0
Richmond
So some "independent" security consultant runs his software to see about spyware or whatever, gets a false positive, news runs rampant and then Samsung gets an independent body to buy product from a retailer and test. The independent body confirms it is a false positive but I don't see any "breaking news" with apologies.

That pisses me off.
 

foxmeister

Senior Member
Mar 10, 2008
4,041
383
Ealing
So some "independent" security consultant

This "so called" consultant ran an off the shelf virus checker, known to produce a false positive, and published his "results" without even a modicum of research into the cause.

He looks incredibly retarded and incompetant now, and I can't see why anyone would ever again utilize his services.

Regards,

Dave
 

DarkPal

Senior Member
Mar 10, 2011
1,115
342
Victoria
well samsung might not be putting keyloggers. But they sure install rootkits for drm purposes (i have known that since i first got my samsung mp3 and installed media studio as a syncing program).

Dont believe me? Open your kies folder or program files folder on your hard drive. You will find it. Its called content safer.

As our great spacemoose dev said why does samsung have to do everything in backwards ass possible.
 

foxmeister

Senior Member
Mar 10, 2008
4,041
383
Ealing
Dont believe me? Open your kies folder or program files folder on your hard drive. You will find it. Its called content safer.

I don't have such a folder, but the existence of a folder doesn't imply the existence of a rootkit. I've tried googling "samsung kies rootkit" and found nothing.

Regards,

Dave
 

foxmeister

Senior Member
Mar 10, 2008
4,041
383
Ealing
Its there. Contentsafer folder search it and google. A nosy intrusive piece of software. Search program x86 folder. Came with kies.

www.bleepingcomputer.com/forums/topic77076.html

OK, I have it under "C:\Program Files (x86)\MarkAny\ContentSafer".

However, I wouldn't exactly call it a rootkit - it's just installed as part of the Kies installation, doesn't try to hide itself and when you remove Kies it is uninstalled.

To me, that doesn't meet the definition of a rootkit.

Regards,

Dave
 

verdy_p

New member
Feb 17, 2013
4
2
I hate this malware bundled in Samsung softwares

OK, I have it under "C:\Program Files (x86)\MarkAny\ContentSafer".

However, I wouldn't exactly call it a rootkit - it's just installed as part of the Kies installation, doesn't try to hide itself and when you remove Kies it is uninstalled.

To me, that doesn't meet the definition of a rootkit.

Regards,

Dave

I can now confirm that this is effectively acting as a rootkit. I noted that this malware was actually monitoring ALL your media files that are in some known formats (MPEG, OGG... and even JPEG images), in order to MODIFY them on the fly, storing a personnally identifiable tracking ID in them, within some obscure extension subtags permitted in these formats.

MarkAny describes this process as "watermarking". This behaves like a rootkit because once the malware is running, it then attempts to HIDE this watermark to the normal OS I/O operations, in order for these files to appears as if they were still clean of any alternation.

BUT....

This watermarking process not only has a very intrusive effect (no this is not a keylogger process, but a process that will report to some internet server in Korea all media files that contain any other watermark inserted by "MarkAny ContentSAFER" from another PC/user. The watermark is personnally identifiable because MarkAny ContentSafer is installed SILENTLY as a REQUIRED bundle with other softwares requiring an online registration (for example when installing Samsung Kies, you need to register an account at Samsung, and this registration includes this personal data which is sent SILENTLY to MarkAny to associate your generated UUID which will be stored in YOUR media files, with YOUR identity).

Later, if ever you use a media shared LEGALLY on your local network (suppose you have several PCs including for backups, or several virtual OS installations) and you play the shared media file, as it will not match your current personal UUID in the currently running instance of "MarkAny Content SAFER", the two UUIDs will be sent and compared online (as soon as you get an internet connection), to track how you use that media file. In addition, the existing remote watermark will be replaced by the new one (or added) in your media file.

And here comes the effect of the ROOTKIT ! This silent modification of your mediafiles is completely stupid. It effectively alter these files even if they are in fact NOT true media files.

One bad effect: you legally download a new ISO for installing Windows, and want to copy the content of tyhe mounted ISO to an USB key in order to install a PC. The installer will FAIL (missing or corrupted files), just because it runs WITHOUT the MarkAny rootkit being active to restore the expected content that the OS should see.

I had a lot of troubles just trying to figure out why all my attempts to create a bootable USB key for installing Windows on another PC constantly failed (the USB key refused to boot), until I cleaned my PC from this spyware BEFORE attempting to create the USB key (no my ISO download was NOT corrupted, but all files copied from the ISO to the USB key were immediately corrupted on the fly by this malware during the copy, if I was not connected to the Internet when creating the USB key as the watermarks supposed to be there temporarily were not in fact removed before they were checked online with the spying Korean server).

Such silent modification of media files is stupid, it breaks applications and it adds supplementary trafic to the internet each time a media file is checked (and reported to companies trying to track illegal copies, even if YOUR copies are perfectly legit).

Blame Samsung from installing this component silently (now it is no longer installed in a separate program, but directly within the installation of Kies, and it is extremely difficult to remove from there, and if it's not running, Kies will not even recognize correctly your Samsung Smartphone (and you won't be able to perform a legal firmware update to the current version for your Samsung smartphone or tablet).

I cannot understand why antimalwares do not classify this "MarkAny ContenSAFER" software as a real rootkit, it is really one because it silently modify your files, corrupts them, and logs to Korea any new media files you would have even created yourself, sending some extracts of them on request from the Korean server, so that they can check what it is. MarkAny is effectively monitoring ALL your media files (and this is also a severe privacy breach).

We should campaign immediately against Samsung for delivering MarkAny contentSafer and installing it WITHOUT your permission and for spying on every media files you use (MarkAny contentSAFER is effectively running as a DLL linked to ALL applications that start, and it will activate itself if it detects this is a known media player, including the basic Media player built in Windows with the Sound applet when you logon and a sound is played, or when your PC just wants to play a "beep" sound with the associated sound file (visibly, MarkANY ContentSAFER is silently modifying a LOT of media formats, including MP3, WMA, WMV, RA, Flash video, MPEG4, and even the most basic WAV files, if ever its file size or play diuration is above some threshold; it also alters your own JPEG photos or videoa taken with your OWN cameran, and ALL photos and videos taken with YOUR Smasung smartphone or tablet, as soon as you synchronize them to your PC, and sometimes this causes the modified media file to be corrupted and unplayable or showing some extra "garbage" pixels along the image borders) !

You can easily detect that the media files are corrupted if you start Windows in safe mode, and attempt to compute their checksum with a strong secure hash algorithm (at least MD5 or SHA1) : they no longer match the data signatures you find when running Windows in normal mode, even if their filesize is apparently unchanged.

We cannot tolerate silent watermarking of media files (notably when their security is asserted, for example for default sound files that are part of the standard Windows distribution and which are digitally signed by Microsoft, but that Markany sometimes will alter as well, when it should NEVER modify any media file which is already digitically signed : it's not the job of Samsung to verify the authentificty of Windows components, only Microsoft has a right to do that to check "genuine" Windows installations).

Let's ban MarkAny, it is a malware, causing system corruptions, and a spyware, and a software which also has its own bugs (causing other programs to hang, and even some system drivers to fail and Windows stopping with BSOD, for example when performing system backups, because it also corrupts some SCSI commands needed to control I/O access to your drives within filesystem drivers like NTFS).

I hate those illegal spiers.
 
  • Like
Reactions: acuxda

acuxda

New member
Dec 29, 2013
1
0
Thanks!

I can now confirm that this is effectively acting as a rootkit. I noted that this malware was actually monitoring ALL your media files that are in some known formats (MPEG, OGG... and even JPEG images), in order to MODIFY them on the fly, storing a personnally identifiable tracking ID in them, within some obscure extension subtags permitted in these formats.........

Thanks for the full explanation, verdy_p. Much appreciated:good:

---------- Post added at 07:19 PM ---------- Previous post was at 07:13 PM ----------

Found a suggestion on how to remove this. I'm going to try this method - but if anyone can suggest a better way, please describe?

Boot into Safe Mode, Make sure if the program has icon in the System Tray by the clock that is disabled. Use the CCleaner/Tools/Uninstall option to uninstall the program. Once it is completed, boot into Safe Mode again and in CCleaner Search for ContentSafer. Delete any instances of the file. Then do another search for MarkAny. Delete any instances of the file
 
Thanks for the full explanation, verdy_p. Much appreciated:good:

---------- Post added at 07:19 PM ---------- Previous post was at 07:13 PM ----------

Found a suggestion on how to remove this. I'm going to try this method - but if anyone can suggest a better way, please describe?

wow thank you for that explanation. that is pure evil time to boot into safe mode and eradicate this plague.
 
How to remove mobile spy without losing the data?

I have since redone my system and flat out refused to install Kies. you can install the usb drivers separately and not get this spyware installed on your systems. as to removing it once you installed it it's just a matter of booting your desktop/laptop into safemode finding it renaming it and running a reg cleaner like ccleaner. you will however lose the ability to use Kies to install signed firmware updates etc but it's a small price to pay for peace of mind. after all your could always use Odin for flashing. the data is not actually encrypted etc just watermarked so you will not lose access to any files it touched but if you did a bit for bit comparison on them you might see the changes the watermarking did to them in a hex editor. what worry's me most about this spywear is it digitally watermarks every single media file on your computer and talls some random server in god knows what country the checksum in short nasty nasty nasty form a privacy perspective.
 

mega0wn3r

New member
Mar 4, 2012
2
0
I can now confirm that this is effectively acting as a rootkit. I noted that this malware was actually monitoring ALL your media files that are in some known formats (MPEG, OGG... and even JPEG images), in order to MODIFY them on the fly, storing a personnally identifiable tracking ID in them, within some obscure extension subtags permitted in these formats.

MarkAny describes this process as "watermarking". This behaves like a rootkit because once the malware is running, it then attempts to HIDE this watermark to the normal OS I/O operations, in order for these files to appears as if they were still clean of any alternation.

BUT....

This watermarking process not only has a very intrusive effect (no this is not a keylogger process, but a process that will report to some internet server in Korea all media files that contain any other watermark inserted by "MarkAny ContentSAFER" from another PC/user. The watermark is personnally identifiable because MarkAny ContentSafer is installed SILENTLY as a REQUIRED bundle with other softwares requiring an online registration (for example when installing Samsung Kies, you need to register an account at Samsung, and this registration includes this personal data which is sent SILENTLY to MarkAny to associate your generated UUID which will be stored in YOUR media files, with YOUR identity).

Later, if ever you use a media shared LEGALLY on your local network (suppose you have several PCs including for backups, or several virtual OS installations) and you play the shared media file, as it will not match your current personal UUID in the currently running instance of "MarkAny Content SAFER", the two UUIDs will be sent and compared online (as soon as you get an internet connection), to track how you use that media file. In addition, the existing remote watermark will be replaced by the new one (or added) in your media file.

And here comes the effect of the ROOTKIT ! This silent modification of your mediafiles is completely stupid. It effectively alter these files even if they are in fact NOT true media files.

One bad effect: you legally download a new ISO for installing Windows, and want to copy the content of tyhe mounted ISO to an USB key in order to install a PC. The installer will FAIL (missing or corrupted files), just because it runs WITHOUT the MarkAny rootkit being active to restore the expected content that the OS should see.

I had a lot of troubles just trying to figure out why all my attempts to create a bootable USB key for installing Windows on another PC constantly failed (the USB key refused to boot), until I cleaned my PC from this spyware BEFORE attempting to create the USB key (no my ISO download was NOT corrupted, but all files copied from the ISO to the USB key were immediately corrupted on the fly by this malware during the copy, if I was not connected to the Internet when creating the USB key as the watermarks supposed to be there temporarily were not in fact removed before they were checked online with the spying Korean server).

.......

Thanks for the information, but can you provide some proof, please? I'm interested in seeing the connection to the server in particular. Do you by chance have a wireshark capture of this?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    I hate this malware bundled in Samsung softwares

    OK, I have it under "C:\Program Files (x86)\MarkAny\ContentSafer".

    However, I wouldn't exactly call it a rootkit - it's just installed as part of the Kies installation, doesn't try to hide itself and when you remove Kies it is uninstalled.

    To me, that doesn't meet the definition of a rootkit.

    Regards,

    Dave

    I can now confirm that this is effectively acting as a rootkit. I noted that this malware was actually monitoring ALL your media files that are in some known formats (MPEG, OGG... and even JPEG images), in order to MODIFY them on the fly, storing a personnally identifiable tracking ID in them, within some obscure extension subtags permitted in these formats.

    MarkAny describes this process as "watermarking". This behaves like a rootkit because once the malware is running, it then attempts to HIDE this watermark to the normal OS I/O operations, in order for these files to appears as if they were still clean of any alternation.

    BUT....

    This watermarking process not only has a very intrusive effect (no this is not a keylogger process, but a process that will report to some internet server in Korea all media files that contain any other watermark inserted by "MarkAny ContentSAFER" from another PC/user. The watermark is personnally identifiable because MarkAny ContentSafer is installed SILENTLY as a REQUIRED bundle with other softwares requiring an online registration (for example when installing Samsung Kies, you need to register an account at Samsung, and this registration includes this personal data which is sent SILENTLY to MarkAny to associate your generated UUID which will be stored in YOUR media files, with YOUR identity).

    Later, if ever you use a media shared LEGALLY on your local network (suppose you have several PCs including for backups, or several virtual OS installations) and you play the shared media file, as it will not match your current personal UUID in the currently running instance of "MarkAny Content SAFER", the two UUIDs will be sent and compared online (as soon as you get an internet connection), to track how you use that media file. In addition, the existing remote watermark will be replaced by the new one (or added) in your media file.

    And here comes the effect of the ROOTKIT ! This silent modification of your mediafiles is completely stupid. It effectively alter these files even if they are in fact NOT true media files.

    One bad effect: you legally download a new ISO for installing Windows, and want to copy the content of tyhe mounted ISO to an USB key in order to install a PC. The installer will FAIL (missing or corrupted files), just because it runs WITHOUT the MarkAny rootkit being active to restore the expected content that the OS should see.

    I had a lot of troubles just trying to figure out why all my attempts to create a bootable USB key for installing Windows on another PC constantly failed (the USB key refused to boot), until I cleaned my PC from this spyware BEFORE attempting to create the USB key (no my ISO download was NOT corrupted, but all files copied from the ISO to the USB key were immediately corrupted on the fly by this malware during the copy, if I was not connected to the Internet when creating the USB key as the watermarks supposed to be there temporarily were not in fact removed before they were checked online with the spying Korean server).

    Such silent modification of media files is stupid, it breaks applications and it adds supplementary trafic to the internet each time a media file is checked (and reported to companies trying to track illegal copies, even if YOUR copies are perfectly legit).

    Blame Samsung from installing this component silently (now it is no longer installed in a separate program, but directly within the installation of Kies, and it is extremely difficult to remove from there, and if it's not running, Kies will not even recognize correctly your Samsung Smartphone (and you won't be able to perform a legal firmware update to the current version for your Samsung smartphone or tablet).

    I cannot understand why antimalwares do not classify this "MarkAny ContenSAFER" software as a real rootkit, it is really one because it silently modify your files, corrupts them, and logs to Korea any new media files you would have even created yourself, sending some extracts of them on request from the Korean server, so that they can check what it is. MarkAny is effectively monitoring ALL your media files (and this is also a severe privacy breach).

    We should campaign immediately against Samsung for delivering MarkAny contentSafer and installing it WITHOUT your permission and for spying on every media files you use (MarkAny contentSAFER is effectively running as a DLL linked to ALL applications that start, and it will activate itself if it detects this is a known media player, including the basic Media player built in Windows with the Sound applet when you logon and a sound is played, or when your PC just wants to play a "beep" sound with the associated sound file (visibly, MarkANY ContentSAFER is silently modifying a LOT of media formats, including MP3, WMA, WMV, RA, Flash video, MPEG4, and even the most basic WAV files, if ever its file size or play diuration is above some threshold; it also alters your own JPEG photos or videoa taken with your OWN cameran, and ALL photos and videos taken with YOUR Smasung smartphone or tablet, as soon as you synchronize them to your PC, and sometimes this causes the modified media file to be corrupted and unplayable or showing some extra "garbage" pixels along the image borders) !

    You can easily detect that the media files are corrupted if you start Windows in safe mode, and attempt to compute their checksum with a strong secure hash algorithm (at least MD5 or SHA1) : they no longer match the data signatures you find when running Windows in normal mode, even if their filesize is apparently unchanged.

    We cannot tolerate silent watermarking of media files (notably when their security is asserted, for example for default sound files that are part of the standard Windows distribution and which are digitally signed by Microsoft, but that Markany sometimes will alter as well, when it should NEVER modify any media file which is already digitically signed : it's not the job of Samsung to verify the authentificty of Windows components, only Microsoft has a right to do that to check "genuine" Windows installations).

    Let's ban MarkAny, it is a malware, causing system corruptions, and a spyware, and a software which also has its own bugs (causing other programs to hang, and even some system drivers to fail and Windows stopping with BSOD, for example when performing system backups, because it also corrupts some SCSI commands needed to control I/O access to your drives within filesystem drivers like NTFS).

    I hate those illegal spiers.