Does your Computer Have VD?
If you bought a Lenovo laptop any time since September, 2014, it may have come with a piece of adware called Superfish that puts all of your Web browsing sessions at risk of hacking. The same flawed technology has been found in three different parental control programs, and may be incorporated in any number of other legitimate programs. Here's what you need to know, and do...
What is Superfish?
The adware, named Visual Discovery by Superfish, was installed by Lenovo on certain laptop models shipped between October and December, 2014. At first, Lenovo said the Superfish software was not a security concern, and that it merely helped consumers "discover interesting products while shopping." Even Lenovo's Chief Technical Officer called the criticism "theoretical concerns," but those statements have turned out to be either huge lies, or stunning incompetence. Or both...
NOTE: This article is a bit more techy than most here. So if your eyes start to glaze over, skip to the "What You Need to Do" section and follow those instructions.
Superfish is a company that develops iOS and Android apps that are based on the company’s “visual search” technology. Given an image, Superfish searches “billions” of online images for similar ones. The company has apps for interior decorating (match that nightstand to a dresser), flowers, and even pets. These apps get their “query” images from smartphone cameras. They’re harmless.
Visual Discovery, however, gets its query images from the Web pages you visit. Then it queries a database of ads for similar images and displays “matching” ads in pop-up windows on the Web page you’re viewing.
It’s almost as if Superfish and Lenovo said to each other, “Let’s see how much we can get people to hate us!” Well, hate they did, so loudly that in early January Lenovo “suspended” shipments of Visual Discovery and got Superfish to remotely disable Visual Discovery on all the laptops infected with it. That should have been the last anyone ever heard of this utterly daft scheme. But then it was discovered that Visual Discovery does much worse than annoy users with popup ads.
Visual Discovery eavesdrops on all of your Web traffic, including traffic encrypted using the Secure HTTP (HTTPS) protocol. It does so using a “man in the middle” subterfuge commonly found in malware. It generates fake digital certificates that fool Web browsers into thinking they are connected to trusted sites when, in fact, they are connected to Visual Discovery. It also impersonates your Web browser to the trusted site you are trying to reach.
Flex-Series: Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 14 (BTM), Flex2 15 (BTM), Flex 10
G-Series: G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45
M-Series: Miix2 - 8, Miix2 - 10, Miix2 - 11
S-Series: S310, S410, S415; S415 Touch, S20-30, S20-30 Touch, S40-70
U-Series: U330P, U430P, U330Touch, U430Touch, U540Touch
Y-Series: Y430P, Y40-70, Y50-70
Yoga-Series: Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13
Z-Series: Z40-70, Z40-75, Z50-70, Z50-75
The bottom line is that Visual Discovery can read all encrypted traffic that passes between a browser and a trusted site, enabling VD to conduct its image searches and ad serving. It doesn’t steal your passwords or record your bank account data, according to Superfish and Lenovo. But... it enables others to do so.
In order to generate fake certificates on the fly, Visual Discovery registers “Superfish, Inc.” in Windows as a trusted “certificate authority (CA),” an entity that Windows recognizes as an authorized issuer of digital certificates. Real CAs include Verisign, Truste, Microsoft, and other well-known third parties. A program should never be able to vouch for its own legitimacy, obviously; but that’s what VD does. And then it does something even worse.
Leaving the Key in the Lock
A certificate authority (CA) must “sign” every certificate it issues with its private key, and a real CA guards that key very closely. But Visual Discovery stores a copy of its signing key on every PC it infects. The VD key is protected by a password, but the password sits in plain text in the RAM of an infected machine for as long as VD is running.
It’s like leaving a key in a lock! Actually, it's worse. Imagine if Ford made all of its cars with the same exact lock, and put a spare key under the front bumper.
Robert Graham, president of Errata Security, found the password in barely three hours. Any hacker who has access to one of the VD-infected Lenovo laptops could do the same, and then he would be able to compromise all other VD-infected Lenovo machines. “I can intercept the encrypted communications of Superfish’s victims while hanging out near them at a cafe wifi hotspot,” Graham wrote in a blog post detailing how he did this.
That’s bad enough, but it gets even worse. Visual Discovery is not the only software that breaks HTTPS (secure web connections) in this way. The password to VD’s key is “komodia,” Graham reports. Ironically, Komodia is the name of an ancient Greek goddess of happiness and amusement. It’s also the name of the company that provided the HTTPS-breaking components of Visual Discovery to Superfish, which is not Komodia’s only customer.
Three parental control software packages that use the same dangerous hijacking technique have been identified. The “Keep My Family Secure” program is marketed by Komodia itself. Another is “Qustodio,” and the third is Kurupira Webfilter. All three use the password “komodia.” All PCs that have any of these parental control programs installed are as vulnerable as the Lenovo laptops infected with VD. Similarly vulnerable Komodia code has been found in Lavasoft Ad-Aware, Hide-My-IP, and a growing number of other software packages.
What You Need to Do
Finally, here is some good news: Lenovo has provided a tool that removes Visual Discovery and Superfish’s bogus “trusted certificate authority” status from infected PCs. If you purchased one of the Lenovo laptops listed above recently, download and run this program, and you’ll be OK.
You may have read that Microsoft's Windows Defender, McAfee and possibly other anti-malware tools were updated to remove the Superfish components. That's true, but I've read that these tools do not remove the bogus security certificates from Firefox, Thunderbird, and other software potentially compromised by Komodia. The Lenovo tool covers those bases as well as the Windows operating system.
The list of software that may be compromised by Komodia is growing. See this advisory from the U.S. CERT (Computer Emergency Response Team). Italian security consultant Filippo Valsorda has provided an online test for Superfish and other Komodia vulnerabilities. If it finds any vulnerabilities on your computer, run the Lenovo removal tool, then run the online test again. If vulnerabilities are still detected, you’ll need to correct them manually.
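If the online test is unavailable, or you want to confirm the cleanup yourself, the two conditions described above (a rogue entity registered as a trusted certificate authority, and a CA private key sitting on the machine) can be checked directly from the Windows certificate stores. The script below is an added example written for this article; it is not Lenovo's removal tool, Superfish's code, or anything from the Komodia vendors. It assumes Windows PowerShell 5.1 or later, and the only name patterns it knows are the ones the article mentions (Superfish, Komodia); the function and variable names are the author's own choices.

```powershell
# Added example (not from the article, Lenovo, or Superfish): list trusted root
# CAs in the Windows root stores and flag ones that look like HTTPS interception
# roots. Patterns come from the article; extend the list for other vendors.
$suspectPatterns = @('Superfish', 'Komodia')

function Get-SuspectRootCA {
    param(
        # Both the machine-wide and the per-user root stores can hold a bogus CA.
        [string[]] $Stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string[]] $Patterns = $suspectPatterns
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert    = $_
            $reasons = @()

            # Condition 1: a root CA whose name matches a known interception vendor.
            foreach ($p in $Patterns) {
                if ($cert.Subject -match [regex]::Escape($p) -or
                    $cert.Issuer  -match [regex]::Escape($p)) {
                    $reasons += "name matches '$p'"
                }
            }

            # Condition 2: the "key in the lock". A trusted root whose private key
            # is present on this machine lets anyone holding that key mint
            # certificates the machine will accept for any site.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present in local store'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = @(Get-SuspectRootCA)
if ($findings.Count -eq 0) {
    Write-Output 'No interception-style root CAs found in the Windows root stores.'
} else {
    $findings | Format-Table -AutoSize
    Write-Output 'Run the vendor removal tool, then run this check again; anything still listed needs manual removal.'
}
```

Run it once before and once after the Lenovo tool: a clean result the second time confirms the Windows side of the cleanup. An entry that survives can be deleted from an elevated prompt with `Remove-Item` on its path under `Cert:\LocalMachine\Root\` (the thumbprint the script prints is the last path component). Note the limitation the article points out: Firefox and Thunderbird keep their own certificate databases, so this check says nothing about them; inspect their certificate managers separately.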
The question that remains for me is why would Lenovo do something so stupid? The China-based firm claims that their "relationship with Superfish is not financially significant; our goal was to enhance the experience for users." Does anyone believe that? And can Lenovo be trusted going forward? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 23 Feb 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved