A little-known software called Superfish was catapulted into the spotlight last week when it became clear that the adware was responsible for a dangerous security hole in some Lenovo computers.
Superfish inserts itself into HTTPS connections, using its own SSL certificates, so that it can scan images for advertising purposes. That is bad on its own, sure, but the part that creates a security problem is how Superfish does this.
The adware installs its own root certificate on computers, which then lets it slip into “secure” connections. This is called a “man-in-the-middle” attack. Superfish does this especially poorly, protecting possibly all of its certificates with the same password. But Superfish is by no means the only software that does this.
Lenovo has been at the center of a scandal stemming from Superfish. The company has repeatedly apologized for preloading Superfish adware on some of its consumer laptops between September and January and now advises users to remove the software (and its certificate) from their computers. The U.S. government issued an alert to Lenovo users to remove the software, which the Department of Homeland Security classifies as spyware. It is that bad.
But there is a third player here.
It is common for OEMs to preload software, like adware or bloatware, onto devices before they are sold. Unfortunately, those programs aren’t always the most well-intentioned.
According to researchers at Facebook, Superfish uses a framework from a company called Komodia to perform its man-in-the-middle attacks.
In fact, security researcher Robert Graham, with Errata Security, wrote about how he cracked the password protecting one of Superfish’s certificates. The password was “komodia.”
What is Komodia?
Researchers with Facebook pointed to a Trojan called Nurjax, discovered by Symantec, to show that some software using Komodia’s libraries is outright malicious. Nurjax uses the same Komodia-designed SSL-breaking technology used by Superfish.
“We’ve observed more than a dozen other software applications using the Komodia library, and many of these applications appear to be suspicious,” Matt Richard, a threats researcher at Facebook, wrote in a blog post.
Here is a list of the other software applications exposed by Facebook:
• CartCrunch Israel LTD
• Say Media Group LTD
• Over the Rainbow Tech
• Objectify Media Inc
• Catalytix Web Services
All of them can be found on VirusTotal, an online virus database, according to Facebook, and “none appear to explain why they intercept SSL traffic or what they do with data.”
A Komodia spokesman declined to comment to Mashable about Facebook’s findings. Right now, Komodia’s website is inactive, and the software maker claims denial-of-service attacks and “media attention” are responsible.
Security researcher Marc Rogers also wrote on his blog about even more software that uses HTTPS-breaking man-in-the-middle attacks.
The types of software that behave similarly to Superfish are typically parental-control apps, Internet firewalls and a few adware programs, Rogers told Mashable. Some are even security-minded apps that break open HTTPS to perform some security function. So it isn’t necessarily adware; the problem spreads far beyond that.
The software he likens to Superfish includes:
• Komodia’s “Keep My Family Secure” parental control software
• Qustodio’s parental control software
• Staffcop (version 5.6 and 5.8)
• Easy hide IP Classic
• Lavasoft Ad-aware Web Companion
What can I do about it?
There is an online tool that checks for Superfish and Komodia vulnerabilities.
If you are a Lenovo user, the company has published step-by-step instructions for removing Superfish and its root certificate. Better yet: There is now an automated tool for more convenient removal.
Microsoft and McAfee have updated their antivirus software to automatically work against Superfish, too. Facebook found in its research that Superfish was limited to Windows, with about 70% of infected users running Chrome.
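One way to see whether something on a machine is sitting in the middle of its HTTPS sessions is to look at who issued the certificate the local TLS stack actually receives for a public site. The following Python check is an added example, not code from the article or from any vendor named here; the issuer strings it matches and the sample certificates are constructed assumptions.

```python
import socket
import ssl

# Issuer name fragments to flag. "Superfish" and "Komodia" are the names
# in the article; the exact organisation strings in the real certificates
# are assumed here, so extend this with the issuer names you actually see.
SUSPECT_ISSUERS = ("superfish", "komodia")


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict into a
    {field: value} map, e.g. {'organizationName': 'Example Public CA'}."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def looks_intercepted(cert, suspects=SUSPECT_ISSUERS):
    """Return the offending issuer value if the certificate presented for a
    public site chains to a locally injected interception root, else None."""
    for value in issuer_fields(cert).values():
        if any(s in value.lower() for s in suspects):
            return value
    return None


def check_host(hostname, port=443):
    """Fetch the certificate a live HTTPS server presents and run the check.
    The default context uses the system trust store, so a vendor-injected
    root the OS already trusts raises NO verification error; that is why
    the issuer has to be inspected explicitly."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return looks_intercepted(tls.getpeercert())


# Constructed samples in the dict shape ssl.getpeercert() returns; neither
# is a real certificate.
CLEAN_CERT = {"subject": ((("commonName", "example.com"),),),
              "issuer": ((("countryName", "US"),),
                         (("organizationName", "Example Public CA"),),
                         (("commonName", "Example Public CA G2"),))}
INTERCEPTED_CERT = {"subject": ((("commonName", "example.com"),),),
                    "issuer": ((("countryName", "US"),),
                               (("organizationName", "Superfish, Inc."),),
                               (("commonName", "Superfish, Inc."),))}
```

Run `check_host("example.com")` from the affected machine: a public site whose certificate issuer comes back as a vendor name rather than a public CA means the connection is being rewritten locally.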
Superfish isn’t the cyberapocalypse. It is part of a larger problem. As far as preloaded software goes, though, Superfish might be as bad as it gets, said Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation, a digital privacy advocacy group.
The best course of action, when getting a new computer, is to reboot the computer and install a new OS. It is the only way to be completely sure of what is on your laptop.
“We can’t trust the manufacturers anymore,” Gillula told Mashable. “We see they don’t do a very good job of auditing the security.”