Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptop and delete the Superfish malware.

Last week, the news of the presence of Superfish adware in the laptops sold by the Chinese Lenovo has captured the attention of the media. The presence of the Superfish malware exposes Lenovo users to hacking attacks, as explained by the cyber security expert Robert Graham in a blog post the malware hijacks and throws open encrypted connections, a circumstance that could be exploited by attackers to eavesdrop the users’ traffic.

Lenovo has intentionally pre-installed a malware on laptops, but once discovered has tried to remedy the problem by releasing a tool to remove the ,malicious “SuperFish” adware that the company had pre-installed onto many of its consumer-grade Lenovo laptops sold before January 2015.

Lenovo admitted that it was caught preloading a piece of adware that installed its own self-signing Man-in-the-Middle (MitM) proxy service that hijacked HTTPS connections, the company also informed its customers that  it had “stopped Superfish software at beginning in January” 2015.

“We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience.  However, we did not know about this potential security vulnerability until yesterday.  Now we are focused on fixing it.”  states an official statement released by Lenovo. “We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it.”

Graham reverse engineered the malicious software in a debugger (or IDApro), the process allowed him to extract the certificate from the SuperFish adware and cracked the password (“komodia”) that encrypted it. By using the password an attacker can potentially inject malware or spy on a vulnerable Lenovo user sharing the same Wi-Fi network.

l1

The US-CERT  recently issued the Alert (TA15-051A) to warn Lenovo users about that fact that Superfish Adware is vulnerable to HTTPS Spoofing.

“Superfish adware installed on some Lenovo PCs install a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.” states the alert. “Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed.  This means websites, such as banking and email, can be spoofed without a warning from the browser.” 

Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptop and delete the Superfish malware.

“We apologize for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future,” states Lenovo. “In addition to the manual removal instructions currently available online, we have released an automated tool to help users remove the software and certificate.  That tool is here: http://support.lenovo.com/us/en/product_security/superfish_uninstall

Once again, let me suggest verification of the presence of the Superfish Adware by using the test created by the researcher Filippo Valsorda.

Pierluigi Paganini