Superfish Adware: Uh Oh, Lenovo

Superfish. Superfish. It’s super fishy.

Uh oh, Lenovo. As we learned from Moonpig recently, when something is wrong, you do not want to wait to take care of the problem. In the case of Superfish adware on some Lenovo computers, we have a company that denied the adware was all that bad at first before finally taking action.

We’re going to show why the situation was so bad and why action should be taken as quickly as possible if you have Superfish on your system. By the time you’re done reading, you’re going to know more about Superfish and Adware than you may have wanted, but this is a good thing. Trust us. This post is all about being trustworthy.

What is Superfish?

Basically, Superfish is software that was pre-loaded on some Lenovo computers. The adware compromised legitimate SSL certificates on the computers in order to hijack webpages and forcefully insert advertisements into them. Sound bad? Well, it gets worse as you’ll see below. In order to get this power, they had to use their own SSL certificate on the infected machines. Keep reading to learn what Superfish really did to systems and why so many people are upset.

If you asked someone at Lenovo about Superfish, they would have likely given you a spiel about it being the best thing since sliced fish. (Wait. What? Sliced fish? That doesn’t sound very cool.) While they’ve stopped installing “Superfish” on their consumer PCs, a lot of people are wondering what happens to the people who already have it installed – especially the elderly and those who might not understand what’s happening.

Installed on Lenovo PCs?

As you might imagine, it’s likely that the people behind Superfish paid a pretty penny (or a pretty bitcoin) in order to be installed on the brand new computers. Pre-infecting computers is a devious idea, and one that was likely very fruitful for the company behind the software.

With the money paid by Superfish, the computers could be offered cheaper, which even has a positive marketing spin built-in – i.e. we build cheap computers and help the poor. In reality, Superfish probably led to super revenue for a select group of people.

Hunting the Superfish

Over at Forbes, they have a nice article with parts of the back story, including the fact that ex-surveillance boffin Adi Pinhas founded Superfish (the company) back in 2006. From its very inception, the company received harsh criticism about its software, including comments like “This is driving me up the wall.” Do you remember Windows Shopper being installed along with Java updates? Yeah, that was them too.

The story gets even stranger and scarier as you go down the rabbit hole. For instance, take this Wired article from 2012 titled “Shady Companies With Ties to Israel Wiretap the U.S. for the NSA.” Remembering that Adi Pinhas is connected to Verint, here’s a snippet from the Wired article:

According to a former Verizon employee briefed on the program, Verint, owned by Comverse Technology, taps the communication lines at Verizon, which I first reported in my book The Shadow Factory in 2008. Verint did not return a call seeking comment, while Verizon said it does not comment on such matters.

At AT&T the wiretapping rooms are powered by software and hardware from Narus, now owned by Boeing, a discovery made by AT&T whistleblower Mark Klein in 2004. Narus did not return a call seeking comment.

Starting to see why Superfish would pay whatever it takes to get pre-installed on hardware going out to consumers? Beyond the security breach this money-making scheme caused on a lot of Lenovo computers, it’s important to remember Lenovo sold these infected machines and enjoyed the revenue from both ends. It’s going to be very interesting to see how this case does as it winds its way through the court systems.

Uh Oh, a Lenovo Lawsuit

According to an article in PC World published on Monday:

A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware.

You know what they say about lawsuits, of course, but there’s a chance this could sprout wings and fly if enough people take action.

Should I Be Worried?

If you have a Lenovo consumer PC with Superfish installed, yes – you should be super worried. Seriously, this is a nasty piece of adware and should be removed from your computer as soon as possible.

How Will Superfish Affect Me?

Here’s a quick rundown of why we think Superfish is adware and very unsafe.

  • Replace Valid Certificates – In order to insert its ads into other people’s encrypted pages, the adware installs its own root certificate and replaces the sites’ legitimate SSL certificates with ones it generates itself. This is bad, but unfortunately it gets worse.
  • One SSL Certificate to Rule Them All – Remember when we were talking about the internet in North Korea recently? Well, Superfish is using the same SSL certificate (and the same private key) on all of its installs – not a good idea at all.
  • The SSL Certificate Used Was Old – In addition to all of the above, the SSL certificate they installed far and wide was a deprecated SHA1 certificate – which can be cracked with a “normal” computer and a little bit of tech smarts.
  • Extremely Crackable – To top it all off, they used a 1024-bit RSA key, which is very crackable. It’s why Mozilla and many others phased 1024-bit keys out in 2014.
  • All About Trust – At the end of the day, Superfish asked for a lot of trust from users, but they didn’t deserve to be trusted – at all. They took advantage of customers on many different levels.

Next, let’s take a look at Lenovo’s initial response and the latest on the Superfish Fiasco.

And Lenovo is Okay With It?

Well, this is what they originally said on a forum post on their website:

Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.

To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.

Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of Use and Privacy Policy, and has the option not to accept these terms, i.e., Superfish is then disabled.

Sound like a lot of backtracking compared to what they’re saying now? Well, apparently the post above disappeared for a while but was replaced. Here’s an edit from an admin at the official Lenovo forums.

Admin Edit – The original information is retained below. Lenovo’s understanding of the situation has evolved since time of this original posting. Please review Lenovo’s advisory regarding VisualDiscovery / Superfish on our support site here -> http://support.lenovo.com/us/en/product_security/superfish

Babelfish translation? “Um, crap, that did sound kinda bad, like we were justifying preinstalling adware on lower end consumer computers. We’re really sorry and we know better now. Honest.”

SSL Takeaway: What to Do

As you know, we like to take a look at news stories like this and frame them in a context that includes SSL, including all of our philosophies and feelings about information security.

In this case, there’s no denying that Superfish is adware that comes installed on some Lenovo computers. And this is not a good thing because of the way it’s installed and operates.

How to Safely Remove Superfish

The problem with trying to remove Superfish normally is that even if you uninstall the software itself, the Superfish root certificate is still going to be present in your computer’s trusted root store, with all the security vulnerabilities that this opens up on your home computer. Take a look at our SSL.com guide for step-by-step instructions on disabling the Superfish certificate.
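As an added check that is not part of the original post, the PowerShell function below inventories the Windows trusted-root stores and flags the properties described in the “How Will Superfish Affect Me?” list above and in this section: a root certificate named after Superfish, an RSA key shorter than 2048 bits, a SHA-1 signature, and a root whose private key is present on the machine (which is what lets a local interceptor mint certificates for any site). The `*Superfish*` name pattern is an assumption; the post names the product, not the certificate’s exact subject.

```powershell
# Added example (not from the SSL.com post, Lenovo or Superfish): inventory the
# Windows trusted-root stores and report certificates showing the weaknesses
# discussed above. Run from an elevated prompt so both stores are readable.
# Assumption: the interceptor's root cert carries "Superfish" in Subject/Issuer.
function Get-SuspiciousRootCerts {
    param(
        [string[]] $StorePath   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]   $NamePattern = '*Superfish*'
    )
    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path)) {
            # Key size is only meaningful for RSA roots; other key types return $null
            $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $keyBits = if ($rsa) { $rsa.KeySize } else { $null }
            $sigAlg  = $cert.SignatureAlgorithm.FriendlyName

            $reasons = @()
            if ($cert.Subject -like $NamePattern -or $cert.Issuer -like $NamePattern) {
                $reasons += 'name matches interceptor pattern'
            }
            if ($keyBits -and $keyBits -lt 2048) { $reasons += "RSA key is only $keyBits bits" }
            if ($sigAlg -match 'sha1')           { $reasons += "signature algorithm $sigAlg" }
            # A trusted root whose private key lives on an endpoint can sign a
            # certificate for any website that this machine will then trust.
            if ($cert.HasPrivateKey)             { $reasons += 'private key present on this machine' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    KeyBits    = $keyBits
                    SigAlg     = $sigAlg
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only: review each hit before deleting anything from a root store.
Get-SuspiciousRootCerts | Format-Table -AutoSize -Wrap
```

The script only reports; follow the SSL.com guide referenced above for the actual removal steps, and remember that a root certificate whose private key is on the machine is not made safe by uninstalling the adware alone.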

(Another option, if you don’t have a lot of personal files on the computer or you have them backed up properly, is to wipe the hard drive and install a brand new version of Windows 8 without the fishy aftertaste of Superfish. Yes, this is a lot of work. Thanks, Lenovo. Thanks, Superfish. Really, guys.)

Hopefully, the company is working harder to take this problem seriously and will remove it from new computers they ship out. If you’ve been hit by Superfish and would like to vent, leave us a comment below. We’re interested in hearing from people who have a Lenovo computer with Superfish.