'SuperFish' advertising software recently found pre-installed on Lenovo laptops is more widespread than we all thought. Facebook has discovered at least 12 more titles using the same HTTPS-breaking technology that let Superfish intercept encrypted connections with a rogue root certificate.
The Superfish vulnerability affected dozens of consumer-grade Lenovo laptops shipped before January 2015, exposing users to a hijacking technique that sneakily intercepted and decrypted HTTPS connections, tampered with pages and injected advertisements.
Now, it's also thought to affect parental control tools and other adware programmes. Lenovo has just released an automated Superfish removal tool to ensure complete removal of Superfish and its certificates from all major browsers. But what about the others?
Superfish uses a technique known as "SSL hijacking", and the code behind it appears to be a framework bought in from a third company, Komodia, according to a blog post written by Matt Richard, a threats researcher on the Facebook security team. The technique is able to bypass Secure Sockets Layer (SSL) protections by modifying the network stack of computers that run its underlying code.
Komodia installs a self-signed root CA certificate that allows the library to intercept and decrypt encrypted connections from any HTTPS-protected website on the Internet. The company's SSL Decoder, the component behind Superfish, is present in numerous other programs and products as well.
DOZENS OF APPS USE KOMODIA LIBRARY
The researcher also says that Facebook discovered more than a dozen software applications other than Superfish that use the same Komodia library that gives the Lenovo-bundled adware its certificate-hijacking powers. The operators listed in the post are as follows:
- CartCrunch Israel LTD
- WiredTools LTD
- Say Media Group LTD
- Over the Rainbow
- Tech System Alerts
- Objectify Media Inc
- Catalytix Web Services
"What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Richard says.
"Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."
KOMODIA LIBRARY EASY TO DETECT
In 2012, the social network giant started a project with researchers from Carnegie Mellon University in order to measure how prevalent SSL man-in-the-middle (MitM) attacks are.
The team found that various deep packet inspection (DPI) devices were using the same private key across devices, which an attacker can exploit simply by extracting the key from any single device.
The researchers said that the Komodia library can be easily detected, as the software that installs the root CA contains a number of easily searchable attributes that enabled the team to match up the certificates they see in the wild with the actual software.
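A defender-side check for both findings above, the injected self-signed root from the Komodia section and the one-key-on-every-device pattern from the CMU study, written here as an added example in Go. It is not code from Facebook, Lenovo or Komodia, and every certificate, key, fingerprint and watchlist entry in it is constructed inside the block (named "Constructed ...") rather than taken from the page; on a real host the input would be the certificates exported from the operating system's root store, and the baseline the list of roots the OS or browser vendor actually ships.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one root outside the known-good baseline, with what an analyst wants to know first.
type Finding struct {
	Subject, SHA1, WatchlistName string
	SelfSigned, OnWatchlist      bool
}

// sha1Fingerprint is the lowercase hex SHA-1 of the DER bytes, the form root thumbprints are usually published in.
func sha1Fingerprint(der []byte) string { return fmt.Sprintf("%x", sha1.Sum(der)) }

// AuditRoots reports every root whose fingerprint is not in the vendor baseline and marks those on a watchlist.
// Every genuine root is self-signed too (CheckSignatureFrom(c) verifies it under its own key and demands CA status); the signal is one no vendor shipped.
func AuditRoots(roots []*x509.Certificate, baseline map[string]bool, watchlist map[string]string) (findings []Finding) {
	for _, c := range roots {
		fp := sha1Fingerprint(c.Raw)
		if baseline[fp] {
			continue // shipped by the OS or browser vendor, nothing to report
		}
		f := Finding{Subject: c.Subject.String(), SHA1: fp, SelfSigned: c.CheckSignatureFrom(c) == nil}
		f.WatchlistName, f.OnWatchlist = watchlist[fp]
		findings = append(findings, f)
	}
	return findings
}

// SharedKeyGroups groups roots by the SHA-256 of their SubjectPublicKeyInfo and keeps only groups of two or
// more: distinct certificates carrying one key, the pattern the CMU study saw across DPI devices.
func SharedKeyGroups(certs []*x509.Certificate) map[string][]string {
	byKey := map[string][]string{}
	for _, c := range certs {
		k := fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
		byKey[k] = append(byKey[k], c.Subject.String())
	}
	for k, subjects := range byKey {
		if len(subjects) < 2 {
			delete(byKey, k)
		}
	}
	return byKey
}

// makeRootCert builds a constructed self-signed CA over key (a parameter so that two roots can share it).
func makeRootCert(cn string, key ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sampleStore builds the constructed demo store: a baselined vendor root plus two interception roots sharing one key, root A also on the watchlist.
func sampleStore() ([]*x509.Certificate, map[string]bool, map[string]string, error) {
	_, vendorKey, errV := ed25519.GenerateKey(rand.Reader)
	_, sharedKey, errS := ed25519.GenerateKey(rand.Reader)
	if errV != nil || errS != nil {
		return nil, nil, nil, fmt.Errorf("key generation failed: %v %v", errV, errS)
	}
	var store []*x509.Certificate
	for i, cn := range []string{"Constructed Vendor Root", "Constructed Interception Root A", "Constructed Interception Root B"} {
		c, err := makeRootCert(cn, []ed25519.PrivateKey{vendorKey, sharedKey, sharedKey}[i]) // A and B share a key on purpose
		if err != nil {
			return nil, nil, nil, err
		}
		store = append(store, c)
	}
	baseline := map[string]bool{sha1Fingerprint(store[0].Raw): true}
	watchlist := map[string]string{sha1Fingerprint(store[1].Raw): "constructed watchlist entry"}
	return store, baseline, watchlist, nil
}

func main() {
	store, baseline, watchlist, err := sampleStore()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unbaselined roots: %+v\nshared keys: %v\n", AuditRoots(store, baseline, watchlist), SharedKeyGroups(store))
}
```

Run it with `go run`; the audit lists only roots that are not baselined, so a clean machine reports nothing in the first part. SHA-1 is used for the per-certificate fingerprint only because that is the form in which root thumbprints are usually published and compared; the shared-key grouping hashes the SubjectPublicKeyInfo with SHA-256, which exposes a reused key even when the certificates around it differ in subject, serial or validity.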
SHA1 HASHES TO IDENTIFY MORE MALICIOUS SOFTWARE
Richard also published the SHA1 cryptographic hashes that were used in the research to identify software containing the Komodia code libraries. The list of SHA1 hashes is:
The researcher went on to invite fellow researchers to use these hashes in order to identify more potentially dangerous software circulating over the Internet.
"We're publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers," Richard wrote. "We think that shining the light on these practices will help the ecosystem better analyze and respond to similar situations as they occur."