Does your Computer Have VD?
If you bought a Lenovo laptop any time since September, 2014, it may have come with a piece of adware called Superfish that puts all of your Web browsing sessions at risk of hacking. The same flawed technology has been found in three different parental control programs, and may be incorporated in any number of other legitimate programs. Here's what you need to know, and do... |
What is Superfish?
The adware, named Visual Discovery by Superfish, was installed by Lenovo on certain laptop models shipped between October and December, 2014. At first, Lenovo said the Superfish software was not a security concern, and that it merely helped consumers "discover interesting products while shopping." Even Lenovo's Chief Technical Officer called the criticism "theoretical concerns," but those statements have turned out to be either huge lies, or stunning incompetence. Or both...
NOTE: This article is a bit more techy than most here. So if your eyes start to glaze over, skip to the "What You Need to Do" section and follow those instructions.
Superfish is a company that develops iOS and Android apps that are based on the company’s “visual search” technology. Given an image, Superfish searches “billions” of online images for similar ones. The company has apps for interior decorating (match that nightstand to a dresser), flowers, and even pets. These apps get their “query” images from smartphone cameras. They’re harmless.
Visual Discovery, however, gets its query images from the Web pages you visit. Then it queries a database of ads for similar images and displays “matching” ads in pop-up windows on the Web page you’re viewing.
It’s almost as if Superfish and Lenovo said to each other, “Let’s see how much we can get people to hate us!” Well, hate they did, so loudly that in early January Lenovo “suspended” shipments of Visual Discovery and got Superfish to remotely disable Visual Discovery on all the laptops infected with it. That should have been the last anyone ever heard of this utterly daft scheme. But then it was discovered that Visual Discovery does much worse than annoy users with popup ads.
Visual Discovery eavesdrops on all of your Web traffic, including traffic encrypted using the Secure HTTP (HTTPS) protocol. It does so using a “man in the middle” subterfuge commonly found in malware. It generates fake digital certificates that fool Web browsers into thinking they are connected to trusted sites when, in fact, they are connected to Visual Discovery. It also impersonates your Web browser to the trusted site you are trying to reach.
E-Series: E10-30
Flex-Series: Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 14 (BTM), Flex2 15 (BTM), Flex 10
G-Series: G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45
M-Series: Miix2 - 8, Miix2 - 10, Miix2 - 11
S-Series: S310, S410, S415; S415 Touch, S20-30, S20-30 Touch, S40-70
U-Series: U330P, U430P, U330Touch, U430Touch, U540Touch
Y-Series: Y430P, Y40-70, Y50-70
Yoga-Series: Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13
Z-Series: Z40-70, Z40-75, Z50-70, Z50-75
The bottom line is that Visual Discovery can read all encrypted traffic that passes between a browser and a trusted site, enabling VD to conduct its image searches and ad serving. It doesn’t steal your passwords or record your bank account data, according to Superfish and Lenovo. But... it enables others to do so.
In order to generate fake certificates on the fly, Visual Discovery registers “Superfish, Inc.” in Windows as a trusted “certificate authority (CA),” an entity that Windows recognizes as an authorized issuer of digital certificates. Real CAs include Verisign, Truste, Microsoft, and other well-known third parties. A program should never be able to vouch for its own legitimacy, obviously; but that’s what VD does. And then it does something even worse.
Leaving the Key in the Lock
A certificate authority (CA) must “sign” every certificate it issues with an encrypted key. Real CAs guard their keys very closely. But Visual Discovery stores a copy of its key on every PC it infects. The VD key is protected by a password, but the password is available in plain text in the RAM of an infected machine as long as VD is running.
It’s like leaving a key in a lock! Actually, it's worse. Imagine if Ford made all of its cars with the same exact lock, and put a spare key under the front bumper.
Robert Graham, president of Errata Security, found the password in barely three hours. Any hacker who has access to one of the VD-infected Lenovo laptops could do the same, and then he would be able to compromise all other VD-infected Lenovo machines. “I can intercept the encrypted communications of Superfish’s victims while hanging out near them at a cafe wifi hotspot,” Graham wrote in a blog post detailing how he did this.
That’s bad enough, but it gets even worse. Visual Discovery is not the only software that breaks HTTPS (secure web connections) in this way. The password to VD’s key is “komodia,” Graham reports. Ironically, Komodia is the name of an ancient Greek goddess of happiness and amusement. It’s also the name of the company that provided the HTTPS-breaking components of Visual Discovery to Superfish, which is not Komodia’s only customer.
Three parental control software packages that use the same dangerous hijacking technique have been identified. The “Keep My Family Secure” program is marketed by Komodia itself. Another is “Quostodio,” and the third is Kurupira Webfilter. All three use the password “komodia.” All PCs that have any of these parental control programs installed are as vulnerable as the Lenovo laptops infected with VD. Similarly vulnerable Komodia code has been found in Lavasoft Ad-Aware, Hide-My-IP, and a growing number of other software packages.
What You Need to Do
Finally, here is some good news: Lenovo has provided a tool that removes Visual Discovery and Superfish’s bogus “trusted certificate authority” status from infected PCs. If you purchased one of the Lenovo laptops listed above recently, download and run this program, and you’ll be OK.
You may have read that Microsoft's Windows Defender, McAfee and possibly other anti-malware tools were updated to remove the Superfish components. That's true, but I've read that these tools do not remove the bogus security certificates from Firefox, Thunderbird, and other software potentially compromised by Komodia. The Lenovo tool covers those bases as well as the Windows operating system.
The list of software that may be compromised by Komodia is growing. See this advisory from the U.S. CERT (Computer Emergency Response Team). Italian security consultant Filippo Valsorda has provided an online test for Superfish and other Komodia vulnerabilities. If it finds any vulnerabilities on your computer, run the Lenovo removal tool, then run the online test again. If vulnerabilities are still detected, you’ll need to correct them manually.
The question that remains for me is why would Lenovo do something so stupid? The China-based firm claims that their "relationship with Superfish is not financially significant; our goal was to enhance the experience for users." Does anyone believe that? And can Lenovo be trusted going forward? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 23 Feb 2015
| For Fun: Buy Bob a Snickers. |
 |
Prev Article: Are Autoruns Slowing Your PC? |
The Top Twenty |
Next Article: Geekly Update - 25 February 2015 |
 |
There's more reader feedback... See all 21 comments for this article.
Post your Comments, Questions or Suggestions
|
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Does your Computer Have VD? (Posted: 23 Feb 2015)
Source: https://askbobrankin.com/does_your_computer_have_vd.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Does your Computer Have VD?"
(See all 21 comments for this article.)Posted by:
BaliRob
23 Feb 2015
Bob - you invite comments about Lenovo's intentions and you can have them - BLATANT LIES.
To think I have been trying to purchase one of their pc.s for months - glad Lenovo Singapore and USA stupidly refuse to export to Indonesia - would not touch one with a barge pole now.
Posted by:
GuitarRebel
23 Feb 2015
I predict a huge drop in Lenovo stock.
Posted by:
JJ
23 Feb 2015
So I take your advise seriously. I'm not computer smart but I can follow instructions.
The link to fillipo gives me a message "you're safe". Followed shortly by a message from Kaspersky that the site certificate is invalid, but I can accept it, which I do. That's repeated for a site "badfish". Accepted.
The message on fillipo changes to "you're infected"
So I follow the instructions, Lenovo removal tool finds nothing, there's nothing I can find in any certificate registry, Firefox, Thunderbird, IE.
Reboot system, begin again, same result.
It's been an interesting exploration but I'm puzzled.
EDITOR'S NOTE: I recommend disabling your anti-malware temporarily, and try the test again.
Posted by:
PhilipRoss
23 Feb 2015
The real question is: Did Lenovo contact ALL of the purchasers to inform them of the need to download the program?
Posted by:
Charlie
23 Feb 2015
Any company doing business in or with China should not be trusted. For your own good . . stay away from them.
Posted by:
wilson
23 Feb 2015
I for one would not buy a Lenovo Computer after knowing about this.I know all brands pack a lot of excess baggage into their new computers but it is fairly easy to get rid of if I don't want it on my computer. When it comes down to actually tampering with your security features, that is taking it too far.
I guess we only get what we pay for when it comes to products made in China. Too bad we don't see the hidden cost
I really appreciate your articles and all the helpful information they provide.
Posted by:
Jim
23 Feb 2015
This came at a very interesting time for me. I WAS considering changing vendors of our company laptops. I have been using Dell but 6 of the last 6 laptops I have purchased have had issues, 2 that required complete replacements (at Dell's cost)so I was looking at Lenovos, a little bit pricier but was seriously thinking of going in that direction. Although I know this supposedly did not affect enterprise systems, none the less, I can't really trust a company that makes this kind of decision and then claims it's not a security thereat. So it's back to researching for a reliable manufacture at a decent price.IBM never should have sold out to a Chinese holding company.
Posted by:
Jay R
23 Feb 2015
Bali Rob- I hope that you will forgive my curiosity, but just how long is a barge pole?
Posted by:
Roy
23 Feb 2015
Anyone who buys any of their products and is surprised when it is loaded with malware just isn't looking at reality. This is a government owned company in China. This malware is just the first that was detected. I wouldn't own anything from Lenovo even if they gave it to me. This is the enemy folks; they don't want anything good for this country.
Posted by:
Wayne
23 Feb 2015
I ran the online test and received the following message.
"YES, you have a big problem - even if it's not Komodia. Apparently no certificates checks are happening. That's BAD. Anyone can intercept the connections you make."
I don't know why there is nothing making the checks and I can't find anything on the web to tell me how to fix it (although I probably don't know enough to even search for the answer). Any help or explanation would be greatly appreciated.
Posted by:
Robert Burger
23 Feb 2015
I just bought a Lenovo desktop PC in October because of the reliability rating and I am very happy with it. So glad that it doesn't have VD. things keep getting worse all the time.
Posted by:
Ralph
23 Feb 2015
Thanks for the heads up. I've read much about Lenovos "oopsie" but your site is the first to tell us how to go about checking to see if our systems are infected. Thanks Bob
Posted by:
Charles
23 Feb 2015
Thanks again Bob. Don't own any Lenovo products, never will now! This does raise my level of distrust of all things ran by computers. I often wonder when downloading, and those are ones you recommend, can I really trust this program. Will one day soneone, like on Person of Interest, flip a switch and take over all the personal computers, cars, machines, etc? I think it was Jesse James who said you'd bette keep a non-computer car around. I also noticed that James is now making guns. Will bullets become the new currency? Just because I'm paranoid doesn't mean that their not watching.
Thanks again for a good read.
Posted by:
Guy
24 Feb 2015
What is the matter with these stupid people? Did they think they wouldn't get caught? Thank heavens for the honest people in this world. They are the ones that protect us from the slime. I don't have a Lenovo and I checked my desk top unit and it came back clean. I don't think I'll ever buy a Lenovo after this mess.
Posted by:
Willie
24 Feb 2015
THANK YOU!!! I was planning to buy a Lenovo later today!!! Those plans are permanently out the widow.
THANKS AGAIN!!
Posted by:
Maurice Lenihan
24 Feb 2015
This from the Technology page in the New Zealand Herald 25/2/2015
to test if Superfish and Komodia are installed on your machine:- tinyurl.com/nzhsuperfishtest
Posted by:
intelligencia
25 Feb 2015
Hello Everyone!
Now I'm afraid to purchase the MOTO X smartphone. I understand that Lenovo bought said device that was originally manufactured by Motorola (then Google). Now I worry that any product made by Lenovo could be compromised (security-wise) by a type of implanted malware like Superfish. I hope I am wrong in my summation 'cause I really want to purchase the MOTO X (or one of its siblings)!
Posted by:
Therrito
25 Feb 2015
I will NEVER use another Lenovo product again.
Posted by:
BaliRob
25 Feb 2015
@ Jay R
Silly me especially when, as a boy, I used to help the lock keeper open the lock gates on that part of the Grand Union Canal that ran through Hertfordshire.
All of the standard 6 feet deep barge manufacturers provided each barge for the bargees front and rear to STEER their craft (NOT to propel) two TEN FOOT POLES (standard length). In my day the barges had three methods of propulsion 1) Horse-drawn 2) Manual 3) Petrol- engined. The poles were used for steering the barges around corners or to prevent collisions with other craft or the canal banks. All other poles of greater length were used for very shallow water not owned by the Grand Union Company.
Posted by:
Paula
31 Mar 2015
So for years I have been reading your articles and learn from them. Now I just bought a new laptop yesterday - a Lenovo Edge 15 from Best Buy and guess what. It has Superfish installed. Today is March 31 2015. Weeks away from your article informing us of this malware installation yet the laptops are still being sold without any prior warning. Do I return it or do I just quietly remove it and go on with my life.....
EDITOR'S NOTE: Probably this was already manufactured and in the pipeline. If you're happy with the laptop and the price paid, I would just remove Superfish and go with it.