Man the HARPOONS: YOU can EASILY SLAY ad-scumware Superfish

Cleanse your Lenovo box of root cert badness


+Updates The US government's Computer Emergency Readiness Team (US-CERT) has said the Superfish ad-injecting malware installed by Lenovo on its new laptops is a "critical" threat to security.

Chinese PC peddler Lenovo bundled the software nasty to make a fast buck from its cheap, low-margin hardware: the application hijacks web browsers to inject ads into pages, even HTTPS encrypted websites, using an egregious root CA certificate.

"Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate," US-CERT said on Friday, urging people to remove the adware.

"Exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system."

In a detailed rundown – including instructions on how to remove the badware – the Homeland Security team said select Lenovo Windows laptops built since September 2014* harbor Superfish VisualDiscovery. Lenovo stopped bundling the software in January 2015.

The malware installs its own root CA certificate so it can silently intercept and decrypt HTTPS connections, allowing it to tamper with pages – namely, injecting ads for stuff to buy online.

For example, if you visit bankofamerica.com on an affected laptop, your web browser is hijacked to connect through Superfish's software, and you are none the wiser. The Superfish root CA certificate convinces the browser that everything is OK.

The private key for this certificate is hardcoded into VisualDiscovery's executable, and easily extractable. This means anyone can use it to create spoof websites that will be trusted by vulnerable laptops, allowing miscreants to pull off man-in-the-middle attacks and steal login passwords.

In other words, your connection to, say, gmail.com on a Lenovo laptop may look legit with a little padlock in the top corner of the window, but in reality the website could be malicious and masquerading as the real site so it can learn your login details.

The CERT advisory says Superfish uses Komodia's Redirector with SSL Digestor to intercept web connections. It points out that the same code is also used in free parental control software dubbed KeepMyFamilySecure (the irony), and it is not exclusive to Lenovo products. Other apps and products are bundling the adware.

Superfish, founded in 2006, is a small company based in Palo Alto, California, and has reportedly received about $20m in funding since 2009. Journalist Thomas Fox-Brewster has more on the background of Superfish and Komodia, here.

Microsoft agrees that this whole mess is bad news for users. On Friday the Redmond giant told El Reg its antivirus software Windows Defender now "detects and removes the Superfish software from Lenovo devices."

And sources familiar with the matter told us Microsoft's tool not only removes the Superfish software, but also the rather cheeky root certificate.
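For readers who want to check a machine themselves, here is an added PowerShell script (our illustration, not code from the article, Lenovo, Microsoft or US-CERT) that looks for a certificate whose subject names Superfish in the Windows trusted root stores, reports it, and removes it only when run with -Remove. It assumes the certificate's subject contains the string "Superfish" and that the shell is elevated.

```powershell
# Added example: detect (and optionally remove) a Superfish-subject root certificate.
# Run from an elevated PowerShell prompt; the LocalMachine Root store needs admin rights.
# Assumption: the rogue root's Subject field contains "Superfish".
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

# Both machine-wide and per-user trusted root stores are checked.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    # -match is a case-insensitive regex match on the certificate's Subject string
    Get-ChildItem -Path $store | Where-Object { $_.Subject -match 'Superfish' }
}

if (-not $found) {
    Write-Output 'No certificate with a Superfish subject in the trusted root stores.'
    return
}

foreach ($cert in $found) {
    Write-Output ("Found: {0}  Thumbprint={1}  Store={2}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
    if ($Remove) {
        # Remove-Item on the Cert: drive deletes the certificate from that store.
        Remove-Item -Path $cert.PSPath
        Write-Output ("Removed {0} from {1}" -f $cert.Thumbprint, $cert.PSParentPath)
    }
}
```

Firefox keeps its own certificate store rather than using the Windows one, so check it separately; and as the article notes, the VisualDiscovery application itself should be uninstalled as well as the certificate.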

'Despite the false and misleading statements...'

Superfish insists computer users have nothing to worry about, and contradicts the US government's assertion that this is a major problem.

"Despite the false and misleading statements made by some media commentators and bloggers, the Superfish code does not present a security risk," its CEO Adi Pinhas told El Reg in a statement, adding that the company doesn't store or share personal data.

"Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped," he explained.

"Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat."

There's no word from Lenovo on the US government's Superfish alert. On Thursday the PC maker's CTO Peter Hortensius said his firm isn't "trying to get into an argument with the security guys," and insisted the code was safe to use. ®

Updated at 1407 Pacific Time (2207 UTC)

It's claimed the Komodia proxy server used by the Superfish adware is worse than previously thought: any man-in-the-middle attacker can create a spoof HTTPS website that is trusted by laptops with the Superfish root CA certificate installed, without having to use the extracted private key. Self-signed SSL certificates are converted into valid ones, we're told.

"All the users out there with Komodia-powered Parental Control software or adware [can] have their banking connections easily intercepted. Well, good job," says CloudFlare security bod Filippo Valsorda.

"It's catastrophic. It's the only way all this mess could have been even worse."

Updated at 1515 Pacific Time (2315 UTC)

* US-CERT initially said Lenovo was bundling Superfish's software since 2010, although has since corrected that to September 2014 after Lenovo complained. In a statement to El Reg, the computer giant said:

The 2010 date is not accurate. Lenovo has stated it preloaded this particular piece of software from Superfish starting in September 2014. Superfish has been around for years and its products have been available for download from sources other than Lenovo.


Biting the hand that feeds IT © 1998–2022