Superfish: Lenovo Adware case is just the Tip of the Iceberg


G DATA Securitylabs analyzes questionable security certificate and offers check of its presence.


Security experts at G DATA SecurityLabs have been analyzing the Superfish adware. In the process, the analysts encountered a technology component within the software called SSL Digestor. It installs a root certificate that is poorly secured yet carries extensive rights on the computer. SSL Digestor intercepts secure HTTPS connections and can 'listen in' to them. In this way, connections that are supposed to be secure could be infiltrated and attacked. This means that cyber criminals could use a man-in-the-middle attack to spy on or manipulate the data stream between two communication partners, for example a bank and its customer, by using a fake banking site. According to G DATA experts, this part of the program is also contained in other software products. G DATA security solutions recognise the software as Gen:Variant.Adware.Superfish.1 (Engine A) and Win32.Riskware.Fishbone.A (Engine B). To remove the dangerous certificate, users have to take action themselves.

"Superfish is questionable adware. However, because of the poorly secured SSL Digestor, it is actually dangerous for users," explains Ralf Benzmüller, Head of G DATA SecurityLabs. "Affected users should remove the certificate immediately."

What is Superfish?
The Superfish Visual Discovery software is supplied pre-installed on many Lenovo notebooks. Adware has been an unwelcome guest on most users' PCs for a long time, and often it is not actually malicious. Superfish, however, is an unusual example, as it contains a technology component called SSL Digestor, distributed by Komodia. This component contains the element that triggers the actual security problem - a very powerful yet poorly secured root certificate.

Superfish even used on Android devices
G DATA Security experts have discovered two search apps for Android devices that rely on Superfish Visual Discovery. Similar to the PC component, users are presented with advertisements for certain search queries. However, the apps do not rely on SSL Digestor and don’t compromise HTTPS security.

Technology undermines HTTPS security
SSL Digestor installs a certificate that enables the program to analyse and manipulate the data flow in HTTPS connections. This component is also found in adware that users install unintentionally and in software categorised by IT security providers as Trojans. Even apparently legitimate programs rely on the component.

A quick check of whether the root certificate is present on the computer can be done here:
https://www.gdatasoftware.com/securitylabs/quickcheck/fishbone

Detailed information, plus instructions on how the Superfish certificate can be removed, is available in the G DATA SecurityBlog:
https://blog.gdatasoftware.com/blog/article/the-power-of-trust-superfish-case-turns-into-a-worst-case-scenario.html
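For readers who would rather inspect the Windows certificate stores locally than use the web check above, the following PowerShell script is an added example; it is not G DATA's quick check and not part of the original article. It enumerates the machine-wide and per-user trusted root stores and reports any root certificate whose subject or issuer matches a search pattern, and, more generally, any root certificate that has a private key present on the machine, which is the condition that lets locally installed software forge certificates for arbitrary HTTPS sites. The default pattern `Superfish` is an assumption about the certificate's subject name; confirm the exact subject and thumbprint against the G DATA check before acting on a match.

```powershell
# Added example (not G DATA's tool): report suspicious root certificates in the
# Windows trust stores. The default pattern 'Superfish' is an assumption about
# the certificate's subject/issuer name; verify matches against the G DATA check.
param(
    [string]$Pattern = 'Superfish'
)

# Both stores matter: adware can install a root for the machine or only for the current user.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$findings = @()

foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }

    foreach ($cert in (Get-ChildItem -Path $store)) {
        $reasons = @()

        # Name match against the pattern supplied on the command line.
        if ($cert.Subject -match $Pattern -or $cert.Issuer -match $Pattern) {
            $reasons += "subject/issuer matches '$Pattern'"
        }

        # A trusted root whose private key also lives on this endpoint is the
        # general red flag: whoever holds that key can sign certificates for any
        # site, and the browser will accept them without a warning.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }

        if ($reasons.Count -eq 0) { continue }

        $findings += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Reason     = ($reasons -join '; ')
            Path       = $cert.PSPath   # path to pass to Remove-Item once the match is confirmed
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No root certificate matching '$Pattern' or carrying a private key was found."
} else {
    Write-Warning "Found $($findings.Count) root certificate(s) that need review:"
    $findings | Format-Table -AutoSize
}
```

Reading the stores needs no elevation; removing a machine-wide root (`Remove-Item` on the reported `Path`) does, and it should only be done after the thumbprint has been confirmed, ideally following the removal instructions in the SecurityBlog post linked above. Deleting the certificate alone does not uninstall the software that placed it there, so the program itself should be removed as well.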

About G DATA
IT security was invented in Germany: G DATA Software AG is the antivirus pioneer. It was more than 29 years ago that the company, founded in Bochum, developed the first program to combat computer viruses. These days, G DATA is one of the world's leading providers of IT security solutions. G DATA, Inc. is the U.S. Subsidiary located in Atlanta, GA.

For more information about the company and G DATA security solutions, see http://www.gdatasoftware.com

For sales inquiries in North America please contact Contronex, Inc.

Contact Author

Thorsten Urbanski