Lenovo sold laptop with pre-installed Superfish malware

0
31
cyberdefensemagazine

The Lenovo computer company knowingly shipped laptops with pre-installed Superfish malware. And ‘controversy on the web, users are outraged.

Lenovo is in the storm one again, security experts discovered that the company is shipping laptops with Superfish malware , a malware that allows to steal web traffic using man-in-the-middle attacks. SuperFish is considered by many antivirus companies as a potentially unwanted program, adware, or a trojan.

The “Superfish” malware was installed on laptops sold until late last month, it was able to steal web traffic using fake, self-signed, root certificates to inject advertisements into sessions.  Lenovo has removed Superfish the malicious software after numerous users reported the embarrassing discovery on its forums by claiming to be victims of attacks.

“A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that … Lenovo would facilitate such applications pre bundled with new laptops,” the user wrote on the Lenovo forums.

“I just bought a Lenovo G50 Notebook. And as you might guess it’s also “infected” with PUP (a SuperFish Software (that’s the one which displays ads on webpages)). So, now i try to clean up a brand new device. Sounds a bit absurd. What do you think?” said another user.

In the following image posted by one of the Lenovo users is visible a certificate masquerading as being issued by Bank of America.

l1

Another victim posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.

“One screenshot taken by an unhappy user shows a certificate masquerading as being issued by Bank of America. Another user posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.” states The Register.

l2

The Forum administrator Mark Hopkins explained that the new laptops will no longer be sold with Superfish. Lenovo has also asked the company behind the program to provide a software update to address these issues.

“Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” Hopkins said.

“As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.” “The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

I don’t want to play with Hopkins’s statements, but it is evident that Lenovo has “temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues”. What does it mean?

Why not eliminate the malware definitively?

Facebook engineering director Mike Shaver raised the alarm about the ad/bloatware on Twitter, and found SuperFish certificates posted by different users had shared the same RSA key.

Lenovo installs a MITM cert and proxy called Superfish, on new laptops, so it can inject ads? Someone tell me that’s not the world I’m in.

— Mike Shaver (@shaver) 19 Febbraio 2015

Unfortunately Factory pre-installed malware is not a new issue, it is already happened in the past, in some cases due to the poisoning of the supply chain, but in this case it seems to be that Lenovo was aware of the absurd practice.

Have you bought a Lenovo computer recently? Check your system asap.

Pierluigi Paganini