The 'Superfish' advertising software recently found pre-installed on Lenovo laptops is more widespread than previously thought. Facebook has discovered at least 12 more titles using the same HTTPS-breaking technology that gives Superfish its rogue-certificate capability.
The Superfish vulnerability affected dozens of consumer-grade Lenovo laptops shipped before January 2015, exposing users to a hijacking technique that silently intercepts and decrypts HTTPS connections, tampers with pages and injects advertisements.
Now the same technique is also thought to be used by parental control tools and other adware programmes. Lenovo has just released an automated Superfish removal tool to remove Superfish and its certificates from all major browsers. But what about the others?
SSL HIJACKING
Superfish uses a technique known as "SSL hijacking", which appears to be a framework bought in from a third-party company, Komodia, according to a blog post by Matt Richard, a threats researcher on the Facebook security team. The technique is able to bypass Secure Sockets Layer (SSL) protections by modifying the network stack of computers that run its underlying code.
The Komodia library installs a self-signed root CA certificate that allows it to intercept and decrypt encrypted connections to any HTTPS-protected website on the Internet. The company's SSL Decoder, the component used by Superfish, is present in numerous other products as well.
DOZENS OF APPS USE KOMODIA LIBRARY
The researcher also says that Facebook discovered more than a dozen software applications other than Superfish that use the same Komodia library that gives the Lenovo-shipped adware its certificate-hijacking powers. The operators listed in the post are as follows:
CartCrunch Israel LTD
WiredTools LTD
Say Media Group LTD
Over the Rainbow
Tech System Alerts
ArcadeGiant
Objectify Media Inc
Catalytix Web Services
OptimizerMonitor
"What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Richard says.
"Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."
KOMODIA LIBRARY EASY TO DETECT
In 2012, the social network giant started a project with researchers from Carnegie Mellon University in order to measure how prevalent SSL man-in-the-middle (MitM) attacks are.
The team found that various deep packet inspection (DPI) devices reused the same private key across devices, meaning an attacker need only extract the key from any single device to compromise all of them.
The researchers said that the Komodia library can be easily detected, since the software that installs the root CA contains a number of easily searchable attributes that enabled the team to match the certificates they see in the wild to the actual software.
SHA1 HASHES TO IDENTIFY MORE MALICIOUS SOFTWARE
Richard also published the SHA1 cryptographic hashes that were used in the research to identify software that contained the Komodia code libraries. The list of SHA1 hashes is:
0cf1ed0e88761ddb001495cd2316e7388a5e396e
473d991245716230f7c45aec8ce8583eab89900b
fe2824a41dc206078754cc3f8b51904b27e7f725
70a56ae19cc61dd0a9f8951490db37f68c71ad66
ede269e495845b824738b21e97e34ed8552b838e
b8b6fc2b942190422c10c0255218e017f039a166
42f98890f3d5171401004f2fd85267f6694200db
1ffebcb1b245c9a65402c382001413d373e657ad
0a9f994a54eaae64aba4dd391cb0efe4abcac227
e89c586019e259a4796c26ff672e3fe5d56870da
The researcher went on to invite fellow researchers to use these hashes in order to identify more potentially dangerous software circulating on the Internet.
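A practical way to act on that invitation is to sweep a machine's program directories for files whose SHA1 matches the published list. The following script is an added example, not code from Facebook's or Richard's research: it embeds the ten hashes printed above, streams each file through hashlib so large binaries do not have to fit in memory, and reports any match. The `demo()` function builds a constructed temporary directory with a benign file and a constructed sample whose own hash is added to the watchlist, purely so the scanner's behaviour can be seen offline; real runs would point `scan_directory` at `C:\Program Files` or similar with the default list.

```python
import hashlib
import os
import tempfile

# SHA1 hashes published in the article above for binaries containing the Komodia library.
KOMODIA_SHA1 = frozenset({
    "0cf1ed0e88761ddb001495cd2316e7388a5e396e",
    "473d991245716230f7c45aec8ce8583eab89900b",
    "fe2824a41dc206078754cc3f8b51904b27e7f725",
    "70a56ae19cc61dd0a9f8951490db37f68c71ad66",
    "ede269e495845b824738b21e97e34ed8552b838e",
    "b8b6fc2b942190422c10c0255218e017f039a166",
    "42f98890f3d5171401004f2fd85267f6694200db",
    "1ffebcb1b245c9a65402c382001413d373e657ad",
    "0a9f994a54eaae64aba4dd391cb0efe4abcac227",
    "e89c586019e259a4796c26ff672e3fe5d56870da",
})


def sha1_bytes(data: bytes) -> str:
    """Hex SHA1 of an in-memory buffer (used for small inputs and tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA1 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, hashes=KOMODIA_SHA1):
    """Walk `root` and return (path, sha1) for every file whose digest is on the watchlist.

    Hashes are compared lowercase so a list pasted with mixed case still matches.
    Unreadable files (locked, permission denied) are skipped rather than aborting the sweep.
    """
    watch = {h.lower() for h in hashes}
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_file(path)
            except OSError:
                continue
            if digest in watch:
                matches.append((path, digest))
    return matches


def demo():
    """Constructed demonstration: one benign file, one sample whose hash we add to the watchlist."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here")  # constructed benign content
        sample = os.path.join(tmp, "sample.dll")
        with open(sample, "wb") as f:
            f.write(b"constructed sample payload")  # stands in for a flagged binary
        # The constructed sample is obviously not on the real list, so extend the
        # watchlist with its own hash to exercise the match path.
        hits = scan_directory(tmp, KOMODIA_SHA1 | {sha1_file(sample)})
        return [(os.path.basename(p), d) for p, d in hits]


if __name__ == "__main__":
    for path, digest in demo():
        print(f"MATCH {digest}  {path}")
```

SHA1 is fine for matching known indicators like these, but a match list only catches the exact builds Facebook hashed; a recompiled or repacked Komodia component would slip through, so treat a clean sweep as "none of these ten binaries present", not as "no SSL-intercepting software installed".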
"We're publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers," Richard wrote. "We think that shining the light on these practices will help the ecosystem better analyze and respond to similar situations as they occur."