Superfish malware installed on new machines exposes HTTPS browsing

If you have a new Lenovo laptop, do this today: check for Superfish and remove it.

Software called Superfish, a “Visual Search enhancer” pre-installed on new consumer laptops from Lenovo (and bundled by some other vendors), has been found to severely undermine the security and privacy of HTTPS browsing. The same problem affects any software built on the underlying Komodia toolkit (see below).

Superfish is software that inserts advertising into the web pages you visit, creating a “Visual Search results” area with the notation “powered by VisualDiscovery.” If you see these phrases on web pages or search results in your browser, the software is installed.

Remove it immediately. It works by installing its own root “security certificate” into Windows’ list of trusted certificate authorities and then intercepting every HTTPS (SSL/TLS) connection you make: it decrypts the traffic, generates a certificate for that site on the fly, signs it with its own root, and re-encrypts the connection to your browser, which shows the padlock as if the connection were intact. That lets the program read everything you do, including banking and financial sessions, in order to place ads on the page. Because the same trick defeats the browser’s protection against anyone else, an attacker who can get between you and the internet (on your network, or on the same public Wi-Fi) can read and alter what you thought were private, secure connections.

Fortunately, Microsoft has already updated Windows Defender’s signatures so that it removes both Superfish and its root certificate. Update and run Defender at your first opportunity. Note that simply uninstalling the Superfish program does not remove the root certificate; the certificate must be deleted as well. Instructions for manual removal are here:

You can also check whether your machine is affected by visiting this site
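As an added example (not from the original post, and not Lenovo’s or Microsoft’s own tooling), the following PowerShell script checks the Windows certificate stores for the Superfish root and for related Komodia-based roots, lists them, and removes them on request; it also looks for the Superfish program’s uninstall entry. It assumes the root’s Subject contains “Superfish, Inc.” (as in the certificate researchers reported); the other name patterns and the “VisualDiscovery” program name are assumptions you may need to adjust for your machine. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post or of any vendor's removal tool.
# Assumptions: the Superfish root CA's Subject contains "Superfish, Inc.";
# Komodia-based products install their own roots under product names, so the
# extra patterns below are guesses to edit as needed.
$SubjectPatterns = @('*Superfish*', '*Komodia*', '*KeepMyFamilySecure*', '*Qustodio*')

function Find-InterceptionRoots {
    param([string[]]$Patterns = $SubjectPatterns)
    # An injected CA can sit in the machine-wide or the per-user Root store.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object {
            $subject = $_.Subject
            @($Patterns | Where-Object { $subject -like $_ }).Count -gt 0
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
    }
}

function Remove-InterceptionRoots {
    # Supports -WhatIf and -Confirm so nothing is deleted by accident.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Patterns = $SubjectPatterns)
    foreach ($found in Find-InterceptionRoots -Patterns $Patterns) {
        if ($PSCmdlet.ShouldProcess($found.Subject, "Remove from $($found.Store)")) {
            Remove-Item -Path $found.Path -Force
        }
    }
}

function Find-SuperfishProgram {
    # Programs and Features entries live under these registry keys (32- and 64-bit).
    # Matching on "VisualDiscovery"/"Superfish" in the display name is an assumption.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*VisualDiscovery*' -or $_.DisplayName -like '*Superfish*' } |
        Select-Object DisplayName, Publisher, UninstallString
}

# Report only; nothing is removed until Remove-InterceptionRoots is called.
Find-SuperfishProgram   | Format-Table -AutoSize
Find-InterceptionRoots  | Format-Table -AutoSize

# After uninstalling the program from Programs and Features:
#   Remove-InterceptionRoots -WhatIf   # preview what would be deleted
#   Remove-InterceptionRoots           # delete the certificates
```

Two caveats: uninstalling the program alone leaves the root certificate in place, which is why the certificate check comes last; and Firefox and Thunderbird keep their own certificate store, separate from Windows’, so after cleaning the Windows stores also open Firefox’s Certificate Manager (Authorities tab) and delete any “Superfish” or Komodia-product entry there.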

The dodgy technology

The certificate-hijacking technology underlying Superfish comes from the Israeli firm Komodia, which sells it as a toolkit and uses it in its own parental-control (“net nanny”) software, KeepMyFamilySecure; the same component is built into similar products from the company Qustodio.

A partial list of programs that researchers have identified as using this certificate hijacker, as reported by Ars Technica:

  • Komodia’s KeepMyFamilySecure
  • Qustodio network security software
  • Lavasoft Ad-aware Web Companion
  • CartCrunch Israel LTD
  • WiredTools LTD
  • Say Media Group LTD
  • Over the Rainbow Tech
  • System Alerts
  • ArcadeGiant
  • Objectify Media Inc
  • Catalytix Web Services
  • OptimizerMonitor
  • SecureTeen

In addition, one piece of malware identified so far incorporates it:

  • Trojan.Nurjax

A different but similar HTTPS vulnerability has been found in the stand-alone version of PrivDog (PrivDog 2, the version supplied with Comodo products, apparently does not have it).

All of these programs should likewise be regarded as hazardous and removed, together with any root certificate they installed.

The toolkit forges certificates for every site you visit, substituting its own so that your browser is assured everything is secure. In practice that lets the software see everything that passes between you and the server, whether it is your bank, an e-commerce site, or a medical or government site. To top it off, the company used the same root certificate and private key on every user’s machine, protected only by the password “komodia”. Researchers extracted the key within a day of the story breaking, and anyone else can do the same; whoever holds it can sign a certificate for any website that every affected machine will accept without warning, which is exactly what a “man in the middle” attack needs.

In your home or office the risk is lower, because the attacker would need to be on your network (not impossible: vulnerable home routers, or a computer on the network already compromised by a backdoor trojan). On public Wi-Fi, where anyone on the same network can position themselves between you and the internet, the risk is much higher, so removing the software and its certificates is paramount.

Lenovo machines shipped from mid-2014 to January 2015 that may be affected:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

Why is it there in the first place?

The dirty secret in the computer business is – money.

Software vendors pay computer manufacturers to pre-install their wares on new machines. That’s why any new machine you get comes with McAfee or Norton Antivirus “trial” versions, complete with the nag-ware which pops up incessantly and prompts you to purchase or renew a subscription “to stay protected”.   Ditto the “free” games that came with your machine that clamor for you to upgrade or make in-app purchases.

Less scrupulous software vendors install software that modifies your web browser to show advertising, or redirects your search preferences to their own tailored search results. Their motivation is the ad revenue they get from websites and brand owners for preferentially driving your traffic to them.

In a bid to get more revenue (and lower the price of their computers in a fiercely competitive market) Lenovo have succumbed to the lure of thirty pieces of silver, and have betrayed your privacy (and virtually all other brands engage in the practice of pre-installed software as well). In this case, Lenovo did a stunningly poor job of quality control of what they allowed to be installed.

Are we out of the woods if we don’t have these laptops?

Keep in mind that it is not certain that Superfish, or the underlying Komodia technology, is limited to Lenovo laptops. It could equally be embedded in shareware or commercial software, or in browser plug-ins and add-ons, in addition to the parental-control software already identified. We do not yet know how far it has spread.
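Because the interceptor may not be called Superfish, a check that does not depend on names is useful. The PowerShell function below (an added example, not from the original post) makes an HTTPS connection to a site of your choice and reports the certificate chain that this machine actually trusts for it: the issuer of the site’s certificate, the root the chain ends in, and which Windows stores hold that root. With Superfish or any Komodia-style proxy running, the issuer for every site is the proxy’s own root rather than a public certificate authority, which is the substitution described under “The dodgy technology” above. It needs network access; the hostname www.example.com is only a placeholder.

```powershell
# Added example, not part of the original post. Requires network access.
# Reports the chain Windows builds for a live HTTPS connection so you can see
# whether a locally installed root (Superfish, Komodia products, or anything
# else) has been substituted for the site's real certificate authority.
function Get-ObservedTrustRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Hostname,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    $ssl = $null
    try {
        # Accept whatever the server presents: we are inspecting the chain,
        # not relying on it, so the handshake must not fail on a bad cert.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Hostname)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain the same way Windows does, against this machine's stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($leaf)
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $root = $elements[-1]

        # Where does the root live? AuthRoot holds the roots Windows itself ships;
        # a root present only in Root (machine or user) was installed locally by
        # software or by an administrator. This is a heuristic, not a verdict.
        $storesWithRoot = foreach ($store in 'Cert:\LocalMachine\AuthRoot',
                                             'Cert:\LocalMachine\Root',
                                             'Cert:\CurrentUser\Root') {
            if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }) { $store }
        }

        [pscustomobject]@{
            Host           = $Hostname
            LeafSubject    = $leaf.Subject
            LeafIssuer     = $leaf.Issuer
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
            RootFoundIn    = ($storesWithRoot -join '; ')
            ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            # Name match is an assumption; an interceptor can use any name.
            KnownInterceptor = ($leaf.Issuer -like '*Superfish*' -or $leaf.Issuer -like '*Komodia*')
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Placeholder host; try your bank or any site you use.
Get-ObservedTrustRoot -Hostname 'www.example.com' | Format-List
```

Reading the result: on a clean machine the LeafIssuer is a public certificate authority and the root appears in AuthRoot. If the issuer is the same local name for every site you test, or the root is found only in a Root store and not in AuthRoot, something on the machine is intercepting HTTPS and deserves the same treatment as Superfish. Corporate networks sometimes do this deliberately with their own root; the check tells you that it is happening, not whether it was authorised.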

As for pre-installed software in general, two programs are worth running: the wonderfully named PC Decrapifier, which identifies and removes a range of “shovelware” that manufacturers put on new machines, and AdwCleaner, which does a good job of removing browser-redirect and adware extensions.
