Facebook security chap finds 10 Superfish sub-species

Cert-jacking 'Komodia' library looks to be widespread

Facebook security researcher Matt Richard says The Social Network™ has found at least ten more outfits using the library that gave the Superfish bloat/ad/malware its nasty certificate-evading powers.

Richard, a “threats researcher” on Facebook's security team, writes that in 2012 Facebook “... started a project with researchers from Carnegie Mellon University to measure how prevalent SSL MITM.”

That effort, he says, found “certain deep packet inspection (DPI) devices were using the same private key across devices, which can be exploited by an attacker with the capacity to extract the key from any single device.”

“Superfish is similar in that it uses the same private key across all clients, but it's more dangerous because its root certificate is installed on significantly more clients than those behind the vulnerable DPI devices.”

The post goes on to say that the fake certificates Superfish issued for Facebook “used weak 1024-bit RSA keys and were directly signed by the universal root certificate with no intermediate certificates in the chain.”

The researcher also says Facebook's probe into Superfish has revealed another ten outfits using the same Komodia library that gives the Lenovo-spawn its cert-jacking powers. The operators listed in the post are:

  • CartCrunch Israel LTD
  • WiredTools LTD
  • Say Media Group LTD
  • Over the Rainbow Tech
  • System Alerts
  • ArcadeGiant
  • Objectify Media Inc
  • Catalytix Web Services
  • OptimizerMonitor

“We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data,” Richard writes, also suggesting that “the Komodia library is easy to detect” for the following reasons:

“In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software. These functions, which are Windows PE exports, include 'CertInstallAll', 'GetCertPEMDLL', 'InstallFirefoxDirectory', 'SetCertDLL', and 'SetLogFunctionDLL.' Most of these libraries are designed to work on Windows 8 and will not install on older operating systems.”
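The export-name check Richard describes can be done with a small PE export-table reader. The sketch below is an added example, not code from Facebook's post; the function names `pe_export_names` and `komodia_markers` are hypothetical, and a match is only an indicator that a file deserves a closer look.

```python
import struct
import sys

# Export names quoted in the article as markers of the Komodia library.
KOMODIA_EXPORTS = {"CertInstallAll", "GetCertPEMDLL", "InstallFirefoxDirectory",
                   "SetCertDLL", "SetLogFunctionDLL"}

def pe_export_names(data):
    """Return the names listed in a PE image's export table ([] if it has none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    pe32_plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory 0 is the export table; its offset differs for PE32 and PE32+.
    export_rva = struct.unpack_from("<I", data, opt + (112 if pe32_plus else 96))[0]
    if export_rva == 0:
        return []
    # Section headers: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
    sections = [struct.unpack_from("<8xIIII", data, opt + opt_size + 40 * i)
                for i in range(nsect)]

    def offset(rva):
        """Map a relative virtual address to a file offset."""
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError("RVA %#x is outside every section" % rva)

    # Export directory: NumberOfNames at +24, AddressOfNames at +32.
    count, names_rva = struct.unpack_from("<I4xI", data, offset(export_rva) + 24)
    table = offset(names_rva) if count else 0             # ordinal-only exports
    names = []
    for i in range(min(count, 0x10000)):                  # bound malformed counts
        start = offset(struct.unpack_from("<I", data, table + 4 * i)[0])
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names

def komodia_markers(data):
    """Return which of the article's export names the image exports."""
    return KOMODIA_EXPORTS & set(pe_export_names(data))

if __name__ == "__main__":
    for path in sys.argv[1:]:                             # files to triage
        with open(path, "rb") as fh:
            hits = komodia_markers(fh.read())
        print(path, sorted(hits) if hits else "no Komodia export names")
```

Run it with one or more DLL or EXE paths as arguments; truncated or malformed images raise `ValueError` or `struct.error` rather than returning a result.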

