Monday, March 1, 2010

When System Issues Look Like Malware...But Aren't

"My computer is typing to itself" - that's one of those lines that gets the attention of any IT person, and particularly gets a security analyst to sit up and pay attention.

Thus, when I heard those words, I headed down the hall to check out the system in question. It was definitely typing to itself. The system, a laptop, would fill in text wherever the cursor sat, and would open a search bar if no application was active. Left to its own devices, rather oracular-sounding text like the following was appearing:

"The you know you are using the zone to the net and what it is a young man in a long line of you didn't know as soon the room will send you wish you sell and move the mean no longer be a U.N. own movie and more than one and one was injured when an E. and in an And move is not invite you to UNITA has not been a move that was a year in and was thrown in the sense that certainly room move on and down and was down there that are the men and women in the news and then an And you you and you end up in a bit of the moon and when you move in the middle of the yen is wrong in what"

It looked a bit like every chat session on the network was being dropped in fragmentary fashion into the applications that were open. What it didn't look like was malware. That meant that we could satisfy curiosity rather than pull out the event response process.

The usual tricks - disconnecting the network, disabling network devices, ensuring that no Bluetooth or IR activity was possible, and of course, removing the wireless USB keyboard and mouse - had no effect. This was obviously coming from the local system.

The interesting thing is that the text reminded me of a text to speech program, but the user didn't use one - they did note that they had used one years ago, but not since, and that Office had been upgraded in the interim.

Keeping the room silent and saying easily distinguishable words did not result in matching - or even similar text. The result continued to look like this:

Rebooting the system made it stop...for a while. Dogbert may have had a point.

It has been a while since I was a full time desktop support person, so I enlisted the aid of a couple of senior user support folks in case there was something common that I hadn't dealt with before. The answers that came back could be paraphrased as "That's really weird" and "That does look like some sort of text to speech".

Further digging showed that yes, the system's built-in microphone was on, and that it used an integrated sound driver. The microphone's gain was so high that it was generating significant amounts of data even in a completely silent room - and our source of oracular typing was found.

We disabled the microphone, and since then, the system has kept its literary attempts to itself. As for your friendly local security guy? Well, I had a good laugh - and I know where to find a good source of random when I need one.
