back to article Man the HARPOONS: YOU can EASILY SLAY ad-scumware Superfish

The US government's Computer Emergency Readiness Team (US-CERT) has said the Superfish ad-injecting malware installed by Lenovo on its new laptops is a "critical" threat to security. Chinese PC peddler Lenovo bundled the software nasty to make a fast buck from its cheap, low-margin hardware: the application hijacks web …

  1. Munin
    Unhappy

    Ain't that a kick in the head

    So you're saying that, since 2010, a significant portion of the consumer market has been essentially wiretapped by a foreign-owned company? That's a little bit on the distressing side.

    1. Katie Saucey
      Black Helicopters

      Re: Ain't that a kick in the head

      "...consumer market has been essentially wiretapped by a foreign-owned company? That's a little bit on the distressing side."

      Any worst than by the NSA or any other foreign gov agency?

      1. Uffish

        Re: Any worst than by the NSA or any other ... agency

        In terms of 'get off my lawn' probably not. But that is not the main problem.

        This technique is another example of businesses deciding unilaterally to 'enhance the user experience' in ways that are calculated to be profitable to the busines and exploitative of the user.

        1. Anonymous Coward
          Anonymous Coward

          Re: Any worst than by the NSA or any other ... agency

          Also, the very naïve and incompetent implementation put users at great risk, opening what should have 'secure' encrypted communications to world+dogs.

          At least the NSA sniffs data for itself only....

          1. Katie Saucey

            Re: Any worst than by the NSA or any other ... agency

            Of course! No economic espionage here!...I know because the gov said

      2. Mark 85
        Coat

        Re: Ain't that a kick in the head

        Well... NSA won't serve you ads. IGMC....

        1. Christian Berger

          Re: Ain't that a kick in the head

          "Well... NSA won't serve you ads. IGMC...."

          I wouldn't be surprised if the NSA hasn't tried to set up its own ad broker in order to spy on you while serving you ads. Setting up companies is an old trick in the book of secret services.

          So it is actually likely that Superfish is in fact owned/controlled by the Mossad.

      3. Destroy All Monsters Silver badge
        Coat

        Re: Ain't that a kick in the head

        Any worst than by the NSA or any other foreign gov agency?

        Actually I do think the ones wearing chutzpahs are indeed worse.

        1. lotus49

          Re: Ain't that a kick in the head

          Chutzpah is a Yiddish word that means barefaced cheek (a classic example is the man who murdered his parents and then threw himself at the mercy of the court because he was an orphan). You cannot wear a chutzpah.

          I suspect you may have mean the skull cap known as the kippah in Hebrew or yarmulke in Yiddish.

  2. asdf

    jail for superfraud

    Lenovo will take all the heat (most of it rightfully) especially being a Chinese company but honestly those Superfish folks are the ones that belong in jail. I believe they are an American company so we can go after them. They are like the American version of Phorm (but far worse) and will try and get their malware installed (java update perhaps?) some other way now if left unchecked.

    1. asdf

      Re: jail for superfraud

      Wow too late. Can't make this stuff up.

      "But Superfish, founded and led by former Intel employee and ex-surveillance boffin Adi Pinhas, has been criticised by users the world over since its inception in 2006. In one Apple Mac forum started in 2012 and continuing into the following year was full of complaints about a technology called Window Shopper, built by Superfish. It appears to have found its way onto people’s machines by being bundled with other software, in one case alongside an Oracle Java download, in another via an “Awesome Screenshot” extension. "

      http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/

      These Superfish guys many of which are from Israel are exactly the type of amoral people supposedly the British intelligence services were supposed to be more like. Based on the news the last few days its safe to say they are.

      http://www.theregister.co.uk/2015/01/26/idf_unit_820_gchq_tech_incubator_analysis/

    2. Daniel B.
      Boffin

      Re: jail for superfraud

      They are like the American version of Phorm (but far worse)

      Yes, this is basically what Superfish is, only on steroids as Phorm would've been unable to tap into SSL connections. I was actually reminded of Phorm when this news broke out...

  3. djstardust

    Lucky me

    Only found it on one of my Lenovo laptops. 2 minute job to remove.

    Maybe this will make the PC market think twice about installing bloatware .... even from AV companies!

    1. asdf

      Re: Lucky me

      Maybe this will make the PC market think twice about being nothing but low margin glorified Microsoft resellers praying Microsoft doesn't start building more hardware.

      FIFY.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lucky me

        Thanks that if you got cheap PCs to install Linux on...

    2. Anonymous Coward
      Anonymous Coward

      Re: Lucky me

      Buy a laptop without OS if you can and install a few windows install.

  4. Primus Secundus Tertius

    Other Lenovo machines

    I wonder whether this exploit was the money raiser that paid for the real sneaky software on Lenovo professional market computers.

  5. Bronek Kozicki
    Coat

    Optional

    Wow, this guy is truly clueless. Or malicious liar. Or both.

  6. Destroy All Monsters Silver badge
    Holmes

    CEO Addy Piranhas regrets ...

    CEO Adi Pinhas told El Reg ... "Fortunately, our partnership with Lenovo was limited in scale..."

    That's the first time I have heard "fortunately" combined with "limited in scale" from a provider of "PUPware".

    1. Dan 55 Silver badge
      Happy

      Re: CEO Addy Piranhas regrets ...

      And he continued with "we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat."

      Well at least he didn't lie there, Microsoft updated Security Essentials to remove it.

  7. Henry Wertz 1 Gold badge

    Why do they keep arguing?

    So, the CTO of Lenovo doesn't want to argue with the security guys, merely to contradict everything they are saying about the safety of the software Lenovo forced on their customers. You know, if they had said (to paraphrase) "It seemed like a good idea at the time, we realize it really wasn't now, sorry about that", it may have minimized the repercussions. All this "Well, it's not that bad is it?" type waffling is making damn sure I never buy a Lenovo.

    (Note, I take it as a bad sign when a company starts referring to customers as "consumers". "Consumer" is a macroeconomic term to differentiate between the general public that buys and "consumes" resources, goods and services, from those who provide and produce resources, goods and services. For example the term "consumer price index". I have no idea why companies, starting 10 or 15 years ago, thought it was remotely a good idea to start referring to their customers as "consumers". But I think it shows a general contempt for their customers, and indicates the company no longer views their customers as customers but as an aggregate lump that is bound by the laws of economics to buy ("consume") their products. They then act all surprised when it turns out the customers can turn away and buy someone else's products.)

    1. Anonymous Coward
      Anonymous Coward

      Re: Why do they keep arguing?

      It's the soylent consumer!

  8. gollux

    A really exasperating point is that it will downgrade connections to SSL V2 and SSL V3 connections on request to your MITM bogus server in addition to converting its cert to a trusted certificate. What have we been wasting our time for over the last 10 years by trying to improve security. It's the Sony rootkit all over again, easily appropriated and usable by anyone out there with bad intent.

    And that twin headed hydra Konovo/Lomodia gives us the same assurances Sony did back in the day that nothing's wrong. We've heard it all before, denial, spin, eventual capitulation. Time for some class action lawsuits by some fortune 500 companies who will soon get hit by a quick spearfish attack enabled by using Komodia's severely broken software.

    1. Anonymous Coward
      Anonymous Coward

      As someone a bit dumb but interested, would this be possible if HTTP2 was being used?

      1. Amos

        "As someone a bit dumb but interested, would this be possible if HTTP2 was being used?"

        Yes it would still be possible. HTTP/2 only changes the wire format of the HTTP layer messages and makes TLSv1.2 the minimal version. The SSL/TLS encryption protocol is where the attack is happening. They can use all the trusted CA trickery to intercept connections of any type (email, ssh, even VPN, ... whatever uses SSL/TLS). The downgrade to SSLv2/v3 on the server connection would not be possible in HTTP/2, but that is not a necessary part of the hijack anyway.

      2. Anonymous Coward
        Anonymous Coward

        @AC - Same story

        HTTP2 comes with its own man-in-the-middle, rubber-stamped by IETF and for the exact same purpose. The only difference is it will ask you politely to trust it.

  9. Anonymous Coward
    Anonymous Coward

    2001

    I'm sure the webcam at the top of my laptop screen has started glowing red a la HAL 9000. Ah, it's just all the crapware this thing came with vying with each other to spy on me, insert ads etc.

    Well it would do if I hadn't nuked the disc with dd and extreme prejudice, and peeled off and binned the Windows sticker at receipt time.

    Now I just need to replace the BIOS, hard disc firmware and audit a few 100GB of source code and I can downgrade my tin foil suit to just a hat.

    "You can't do that Jon errr Dave"

    1. Anonymous Coward
      Anonymous Coward

      Re: 2001

      For good measure you should also kill any form of internal speakers and microphone and for Pete's sake, do something about the EM radiation your keyboard and screen emits all around.

      And, erm, that's about all you can do before black helicopters will come after you when law enforcement will notice you have something you're trying to hide.

      Anyway one of your upvotes is from me.

    2. Anonymous Coward
      Anonymous Coward

      Re: 2001

      Only to connect to a network monitored entirely by the spooks

  10. Anonymous Coward
    Anonymous Coward

    As if I needed another reason to nuke the entire preinstallation of any and all computers I buy

    1. Christian Berger

      Well don't worry

      as secure boot is there to make sure you won't be able to run a different install image than the one mandated by your hardware vendor. After all when secure boot will turn out not to help against bootsector malware (as it'll simply add its key to the firmware before infection) Microsoft will mandate stricter control on the keys.

      Or malware will just hide in the huge mess we call EFI.

    2. P. Lee

      >As if I needed another reason to nuke the entire preinstallation of any and all computers I buy

      I think the point is that these system have OEM Windows with no installation media, specifically to allow this bundling mess to exist. Isn't MS great? It is so good of them to help clean it up.

      So yes, if you want to buy another Windows license to replace the one you've just paid for which came with the PC, you can. Or put anything-but-Windows on it.

      1. Anonymous Coward
        Anonymous Coward

        You can get a refund of the OEM version sometimes.

  11. cantankerous swineherd

    SSL has been broken for years. there will never be any such thing as security on the internet.

  12. Michael Thibault

    Anything for a buck!

    A hangin' offense. Justice should be swift and visible.

  13. Anomalous Cowshed

    Adi Pinchas?

    Sounds like "baddie Pinch Ass" but with some letters left out...as in:

    The perpetrator of the sexual assault on the underground, who was caught pinching women's asses (whereupon the animals involved started braying loudly and got distressed), was arrested and ordered to change his name to one which would reflect the offence he had committed.

    Being unmasked, he decided to change his career and become a fishing expert. He was arrested for covertly bundling malware on people's computers, which is not an offence per se, while failing to publicise the full name that had been forced upon him by the court (a serious offence for which he was ordered to change his name again to reflect his new offence. Any suggestions are welcome).

  14. Anonymous Coward
    Anonymous Coward

    Superfish is also the name of a jquery menu system:

    http://users.tpg.com.au/j_birch/plugins/superfish/examples/

  15. Roland6 Silver badge

    Komodia-powered Parental Control software

    So we now know how some parental control software works, but what about the rest, for example the parental controls in Norton Family, to name one of several?

  16. Mark 85

    Clueless users?

    Nice that government's Computer Emergency Readiness Team (US-CERT) had jumped in and is giving consumer's a heads up including instructions. So how many users actually have heard about this? Or even know about US-CERT? Things are quiet in the mainstream press, though if they pick it up, I'm sure I'll get few friends calling who are "worried".

  17. Anonymous Coward
    FAIL

    Sigh. Just as my finances come good and I was looking forward to maybe in the not too distant future buying a lenovo lappy. I most certainly won' t now.

  18. partofthepuzzle

    This is indeed disturbing. Of course, the folks at Superfish will likely just get a wrist slap for this while individual white hat hackers often get jail time...

    1. Nigel 11

      Superfish, founded in 2006, is a small company based in Palo Alto, California

      Of course, the folks at Superfish will likely just get a wrist slap for this while individual white hat hackers often get jail time

      On the other hand, they still have the death penalty for corporations, even for quite small infringements. One can reasonably hope that pretty soon, once the class actions get started, the first quote above will have to be modified to read

      ... was a small company based in Palo Alto, California

      The other intrusive thought I keep having, is did any part of the Cthuluesque entity that is the US government have anything to do with this, and if so, why?

  19. x 7

    Naive question.......

    OK..is there any way to bypass this by forcing a browser to authenticate certificates against a KNOWN specific single trusted authority?

  20. lotus49

    I bought my son a Lenovo laptop about 9 months ago. It took me at least two hours to clean up all the adware/spyware/malware it came with. I blamed Curry's (amazingly it was the cheapest place) for it. It now appears that it was all Lenovo's fault.

    Fortunately, I am paranoid so I inspected all the software and certs I could find to see what it was and removed everything I wasn't familiar with (which was pretty much all the 3rd party software)but some of it was very difficult to remove and would probably have been beyond the ability of the average user.

    I am not impressed.

  21. x 7

    Apologies, this is a crosspost from one of the other threads but it seemed worth it

    The ironic thing in all this is that the same Komodia software is being used both as scamware / hijack software, and as website protection software. Hows that for amazing marketing???

    We now know that the following scamware uses it

    CartCrunch Israel LTD

    WiredTools LTD

    Say Media Group LTD

    Over the Rainbow Tech

    System Alerts

    ArcadeGiant

    Objectify Media Inc

    Catalytix Web Services

    OptimizerMonitor

    While the following supposed security filters use it

    Atom Security, Inc

    Infoweise

    KeepMyFamilySecure

    Komodia

    Kurupira

    Lavasoft

    Lenovo

    Qustodio

    Superfish

    Websecure Ltd

    I've also picked up hints from elsewhere that a number of toolbar programs also use it

    Until we have a definitive list of just who else licenced the Komodia software we have to assume that ANY web-filtering security software is suspect unless otherwise proven

  22. Richard Conto
    FAIL

    Forbes listed SuperFish as in it's up-and-coming companies

    Forbes might want to answer to how SuperFish made it to #64 on their most promising companies (http://www.forbes.com/companies/superfish/).

    It's as if they'd rated a company called "SuperHigh" whose business model involved salesmen on corners near high schools without determining that the little packets those salesmen were weren't exactly suitable for minors.

  23. jason 7

    Just had a Advent desktop handed to me from a customer.

    He said it wasn't working as nicely as his Macbook and so hadn't used it much since he bought it.

    Well no sh*t! Machine was struggling to do anything in less than 3-4 minutes.

    Just uninstalled twenty four pieces of bloatware off of it and ran a full adware scan etc. etc.

    Now it's running nice and smoothly...as it should have done in the first place.

    Thanks Advent! Well done!

    It's just so idiotic. Imagine Ford selling you a new Mondeo and then just as you leave the forecourt they weld a 500KG anchor to the rear axle.

  24. Stevie

    Bah!

    Correct me if I'm wrong (like wild horses could stop you) but if I'm reading this right the Superfish management are claiming that their man-in-the-middle hijack is absolutely safe. Against man-in-the-middle hijacks.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like