Lenovo sold laptop with pre-installed Superfish malware

The Lenovo computer company knowingly shipped laptops with pre-installed Superfish malware. Controversy has erupted on the web, and users are outraged.

Lenovo is in the eye of the storm once again: security experts discovered that the company has been shipping laptops with Superfish, malware that intercepts web traffic by means of man-in-the-middle attacks. Superfish is classified by many antivirus vendors as a potentially unwanted program (PUP), adware, or a trojan.

The “Superfish” malware was installed on laptops sold until late last month. It intercepts web traffic by installing a self-signed root certificate and presenting fake certificates for the sites the user visits, which lets it inject advertisements into browsing sessions. Lenovo removed the malicious software after numerous users reported the embarrassing discovery on its forums, claiming to be victims of attacks.

“A blatant man-in-the-middle attack malware breaking privacy laws. I have requested return of the laptop and refund as I find it unbelievable that … Lenovo would facilitate such applications pre bundled with new laptops,” the user wrote on the Lenovo forums.

“I just bought a Lenovo G50 Notebook. And as you might guess it’s also “infected” with PUP (a SuperFish Software (that’s the one which displays ads on webpages)). So, now i try to clean up a brand new device. Sounds a bit absurd. What do you think?” said another user.

The following image, posted by one of the Lenovo users, shows a certificate masquerading as having been issued by Bank of America.

Another victim posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.

“One screenshot taken by an unhappy user shows a certificate masquerading as being issued by Bank of America. Another user posted a purported screenshot of the program showing it as a trusted root certificate and claiming a web connection to their bank was intercepted.” states The Register.


The forum administrator Mark Hopkins explained that new laptops will no longer be sold with Superfish. Lenovo has also asked the company behind the program to provide a software update that addresses the issues.

“Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” Hopkins said.

“As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.” “The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

I don’t want to quibble over Hopkins’s statements, but it is evident that Lenovo has only “temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues”. What does that mean?

Why not eliminate the malware definitively?

Facebook engineering director Mike Shaver raised the alarm about the ad/bloatware on Twitter and found that the Superfish root certificates posted by different users shared the same RSA key, which means the same key pair is present on every affected laptop.

Unfortunately, factory pre-installed malware is not a new issue; it has already happened in the past, in some cases because of a poisoned supply chain, but in this case it appears that Lenovo was aware of the absurd practice. Have you bought a Lenovo computer recently? Check your system as soon as possible.
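To act on that advice, here is an added PowerShell check (not from the article, Lenovo or Superfish) that lists any trusted root certificate whose subject or issuer names Superfish, plus any installed program matching Superfish or Visual Discovery; the name patterns are assumptions, and the SHA-256 of each certificate's public key is reported so that two affected users can confirm whether their root certificates share the same key, as described above.

```powershell
# Added example (not from the original article): find the Superfish root
# certificate and program on a Windows machine and report them for removal.

function Get-PublicKeyHash {
    # SHA-256 over the encoded public key; identical values on two machines
    # mean both machines trust the same key pair.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash($Cert.PublicKey.EncodedKeyValue.RawData)
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Find-SuperfishRoot {
    param([string]$Pattern = 'Superfish')   # assumed subject/issuer substring
    # Both the machine-wide and the per-user root stores are checked.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object {
            $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*"
        } | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                PublicKeyHash = Get-PublicKeyHash -Cert $_
            }
        }
    }
}

function Find-SuperfishProgram {
    # Installed-programs entries live under the Uninstall registry keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Superfish|Visual ?Discovery' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

$roots = @(Find-SuperfishRoot)
$progs = @(Find-SuperfishProgram)
if ($roots.Count -eq 0 -and $progs.Count -eq 0) {
    Write-Output 'No Superfish root certificate or program found.'
} else {
    $roots | Format-Table -AutoSize
    $progs | Format-Table -AutoSize
    Write-Warning 'Uninstall the program first, then delete the listed certificate(s) with Remove-Item on their Cert: path.'
}
```

Run it from an elevated PowerShell session so that the LocalMachine store and the 64-bit registry view are readable.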

UPDATE FROM CSOONLINE

A Lenovo spokesperson responded to questions earlier this morning. The company says that Superfish hasn’t been installed on laptops since January, and that all server side interactions have been disabled since then as well. The full statement is below.

Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

2) Lenovo stopped pre-loading the software in January.

3) We will not pre-load this software in the future.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first…

The statement goes on to repeat what was said originally on the support forums, adding that the relationship with Superfish Inc. is not financially significant to Lenovo; “our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively,” the statement concluded.

Pierluigi Paganini

(Security Affairs – Lenovo, Factory pre-installed malware)

Update September 28th, 2015

Statement on Lenovo Statistical Data Collection

Statistical data collection by Lenovo has been the subject of press reports and social media discussion. Similar to other companies in the PC, smartphone and tablet industries and as disclosed in the End User License Agreement, Lenovo products collect non-personally identifiable statistical usage data that is not tracked to any single customer or device. This data helps Lenovo improve both existing and future products.

In preparation for Windows 10, all programs preloaded on Lenovo PCs were reviewed by Lenovo and independent 3rd parties from privacy and technical perspectives and are listed in the “programs directory” in Windows, under “settings”. Customers who do not want to participate, can remove the program by going into the “Control Panel”, opening “Add / Remove Programs”, clicking on the program and selecting “uninstall”.

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
