Son of Superfish, Lenovo bloatware variants start to surface

There are as many as a dozen variants of the Superfish bloatware found last week on Lenovo laptops, it has been discovered.


SCMagazineUK.com has already reported on the revelations associated with Lenovo and its pre-installed ‘Superfish' software, reportedly capable of facilitating Man-in-The-Middle attacks. Classified by many as adware or even spyware, this code intercepts connections to HTTPS-protected websites and re-signs them with a fake, self-signed Certification Authority (CA) certificate that it installs into the machine's trust store, so that it can inject advertising into pages the browser still displays as secure.

The potential for malicious attacks, unwarranted user browser monitoring and onward cyber-security risks has provoked widespread industry disapproval.

Superfish protein

With the story still developing, it now appears that Lenovo's choice of bloatware was a popular one. Researchers have subsequently found a dozen or more other applications whose traffic-interception mechanism is built from the same Superfish protein.

The next twist in this fishy tail is that Superfish itself gets its HTTPS interception capabilities from a Software Development Kit (SDK) made by Komodia, an Israeli company that openly bills itself as a firm “Offering an SSL interception module to decode and modify SSL traffic on Windows OS.”

Komodia's site is currently offline due to a DDoS apparently caused by “recent media attention”, as it puts it. That being said, a GitHub page has been created to list the applications featuring Komodia's SDK; interested users will note that the password protecting the private key of the bundled root certificate is “komodia”, no less.

Applications currently using Komodia's SDK include several parental-control programs and one listed as Virtual Private Network (VPN) software. Symantec already appears to have classified the technology: its detection "Trojan.Nurjax" covers applications built on it.

Facebook's own security team has blogged to list software applications using the Komodia library. The social network's bloggers note that initial open source research of these applications reveals ‘a lot of adware forum posts and complaints' from people.

“What does this mean?” asks Marc Rogers, principal security researcher at CloudFlare. “Well, this means that those dodgy [CA] certificates aren't limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of parental control software installed on their computer should probably check to see if they are affected.”
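The check Rogers suggests amounts to looking in the Windows root stores for a CA you did not put there. The script below is an added example, not code from the article, Lenovo or Komodia. It looks for the known Superfish root (subject "Superfish, Inc.") and, as an assumption, for roots whose subject mentions Komodia or PrivDog, which those products may not use; it also flags any trusted root whose private key is present on the machine, since a root CA that can sign on the local box is the defining property of this kind of interception software. Run it in an elevated PowerShell.

```powershell
# Added example (not from the article): scan the Windows root stores for
# interception roots of the Superfish/Komodia kind. Elevated PowerShell.
# 'Superfish' matches the real Superfish root CN "Superfish, Inc.";
# 'Komodia' and 'PrivDog' are assumed patterns, not confirmed subject names.
$stores   = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$patterns = ('Superfish', 'Komodia', 'PrivDog') -join '|'

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        # Name match, or a trusted root whose private key lives on this box:
        # a legitimate public CA never ships its private key to end users.
        ($_.Subject -match $patterns) -or $_.HasPrivateKey
    } | Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Thumbprint, NotAfter, HasPrivateKey
}

if (-not $suspect) {
    'No Superfish/Komodia-style roots found in the Windows root stores.'
} else {
    $suspect | Format-Table -AutoSize
    # To remove a root you have confirmed as malicious, match on its
    # thumbprint rather than its name; <thumbprint> is a placeholder:
    # Get-ChildItem -Path $stores |
    #     Where-Object Thumbprint -eq '<thumbprint>' | Remove-Item
}
```

The private-key test is deliberately broad: corporate SSL-inspection gateways, some antivirus products and local development CAs also install a root with its key, so treat a hit as something to identify rather than delete blindly. Firefox keeps its own certificate store separate from Windows, so a clean result here does not on its own clear that browser.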

Dog bite worse than fish slap

Following in the wake of Superfish, SCMagazineUK.com learns that certificate authority and security vendor Comodo is shipping adware known as Privdog, which is said to be “worse than Superfish”, according to some. Amichai Shulman, CTO of Imperva, explains how it works and what the implications are in comparison to Superfish: “As long as people use this practice of ‘breaking the chain of trust' there are bound to be some who implement it utterly wrong. Superfish's mistake was using the same root certificate across all deployments. Privdog's mistake is not validating certificates at all. This practice is going to face practical implementation challenges going forward because of certificate pinning.”

Mark James, security specialist at ESET, says that the stand-alone version of Privdog, when installed, generates a fresh key and certificate on each installation; it then intercepts every certificate it finds and replaces it with one signed by its own root key, which enables it to replace adverts in web pages with its own ads from trusted sources.

“The implications are massive. One of the biggest problems here is the fact that it will replace certificates with a valid certificate even if the original cert was not valid for any reason. This means it essentially makes your browser accept every HTTPS certificate regardless of whether it's been signed by a certificate authority or not. By comparison, the Superfish man-in-the-middle process at least requires the name of the targeted website to be inserted into the certificate's alternate name field. Although Superfish allows the possibility of massive exploitation with this flaw, it is still marginally better than what Privdog is doing,” said ESET's James.

Microsoft says it has updated its Windows Defender anti-spyware program to root out the code libraries associated with Superfish and protect users. This story was written on a Lenovo laptop after running Windows Update procedures, which specifically updated Windows Defender without prompting.