Categories: Malware

Lenovo released an automatic removal tool for the Superfish adware

Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptop and delete the Superfish malware.

Last week, the news of the presence of Superfish adware in the laptops sold by the Chinese Lenovo has captured the attention of the media. The presence of the Superfish malware exposes Lenovo users to hacking attacks, as explained by the cyber security expert Robert Graham in a blog post the malware hijacks and throws open encrypted connections, a circumstance that could be exploited by attackers to eavesdrop the users’ traffic.

Lenovo has intentionally pre-installed a malware on laptops, but once discovered has tried to remedy the problem by releasing a tool to remove the ,malicious “SuperFish” adware that the company had pre-installed onto many of its consumer-grade Lenovo laptops sold before January 2015.

Lenovo admitted that it was caught preloading a piece of adware that installed its own self-signing Man-in-the-Middle (MitM) proxy service that hijacked HTTPS connections, the company also informed its customers that it had “stopped Superfish software at beginning in January” 2015.

“We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday. Now we are focused on fixing it.” states an official statement released by Lenovo. “We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it.”

Graham reverse engineered the malicious software in a debugger (or IDApro), the process allowed him to extract the certificate from the SuperFish adware and cracked the password (“komodia”) that encrypted it. By using the password an attacker can potentially inject malware or spy on a vulnerable Lenovo user sharing the same Wi-Fi network.

The US-CERT recently issued the Alert (TA15-051A) to warn Lenovo users about that fact that Superfish Adware is vulnerable to HTTPS Spoofing.

“Superfish adware installed on some Lenovo PCs install a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.” states the alert. “Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.”

Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptop and delete the Superfish malware.

“We apologize for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future,” states Lenovo. “In addition to the manual removal instructions currently available online, we have released an automated tool to help users remove the software and certificate. That tool is here: http://support.lenovo.com/us/en/product_security/superfish_uninstall“

Once again, let me suggest verification of the presence of the Superfish Adware by using the test created by the researcher Filippo Valsorda.

Pierluigi Paganini

(Security Affairs – Lenovo, Factory pre-installed malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.