February 19, 2015

Lenovo Pre-Loading Superfish Adware on Machines

UPDATE: A class-action lawsuit was filed against Lenovo in February of 2015. 

In the last couple of days, some interesting news on Lenovo, Superfish, and Komodia has surfaced.

In the Lenovo Community Forums[1], a user pointed out that on first use of their new Lenovo machine, third-party ads were already being injected into Google search results. While bloatware (pre-installed, generally unwanted software) is commonly added to machines at the factory, this is particularly damning: why is Lenovo pre-installing adware on its machines, and how did Superfish get that deal?

As an affiliate management agency managing compliance for 70+ affiliate programs, we are always on the lookout for suspicious activity in the space. We've had issues with Superfish as an affiliate in the past, when they first popped onto the scene. We discovered multiple cases of Superfish being bundled with malware (we found it in Chrome extensions [2][3]) and have since removed them from most of our clients' affiliate programs.

This case goes deeper though, thanks to some investigation by TheNextWeb. A Lenovo administrator claims the software is opt-out and has been temporarily paused. But why should consumers have to opt out of adware that is capable of man-in-the-middle attacks? The software installs its own root certificate into the Windows trusted root store, which "allows the software to decrypt secure requests.[4]" In practice it terminates each HTTPS connection locally, issues a fresh certificate for the site on the fly signed by that root, and re-encrypts the traffic, so the browser still shows a padlock while the adware reads and rewrites the page. Worse yet, uninstalling the app does not remove the root certificate; it has to be deleted manually. And because the same root certificate, private key included, ships on every affected machine, the key has already been extracted[5], so anyone on the same network as an affected laptop, not just Superfish, can forge a valid-looking certificate for any site. Firefox maintains its own certificate store rather than using the Windows one, which is why it has been reported as not affected; check Firefox's own certificate manager rather than assuming. Browsers that trust the Windows store, such as Internet Explorer and Chrome, are vulnerable until the certificate is removed (or the vendors blocklist it). Until then, HTTPS is effectively compromised for any user who has not removed both the software and the certificate. I'm not going to outline it all here, but Ars Technica did a great job collecting specific examples, including a banking website whose certificate showed up as issued by Superfish.
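As an added example (not code from the original post, and not Lenovo's or Superfish's), here is a PowerShell check for the root certificate described above, plus a removal function. It assumes the certificate's subject contains "Superfish"; the SHA-1 thumbprint constant is the fingerprint reported in public analyses of the certificate at the time, and it is the authoritative match, since a subject name alone is trivially spoofable. Uninstall the Superfish application first; this only removes the trust anchor it left behind.

```powershell
# Added example: find and remove the Superfish root CA from the Windows stores.
# Assumption: the subject contains "Superfish". The thumbprint below is the one
# reported in public analyses of the certificate; treat a fingerprint match as
# conclusive and a name-only match as something to inspect by hand.
$KnownSuperfishThumbprint = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'

function Find-SuperfishRoot {
    [CmdletBinding()]
    param(
        # The installer wrote to the machine-wide store; the per-user store is
        # checked too for completeness.
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string[]]$StoreLocation = @('LocalMachine', 'CurrentUser')
    )
    foreach ($location in $StoreLocation) {
        # .NET X509Store works on PowerShell 2 as well, where the Cert: provider
        # does not support Remove-Item.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
        $store.Open('ReadOnly')
        try {
            foreach ($cert in $store.Certificates) {
                $byName        = $cert.Subject -like '*Superfish*'
                $byFingerprint = $cert.Thumbprint -eq $KnownSuperfishThumbprint
                if ($byName -or $byFingerprint) {
                    [pscustomobject]@{
                        StoreLocation           = $location
                        Subject                 = $cert.Subject
                        Thumbprint              = $cert.Thumbprint
                        NotAfter                = $cert.NotAfter
                        # A root whose private key is on the box is what makes
                        # the interception work: it can sign a cert for any site.
                        HasPrivateKey           = $cert.HasPrivateKey
                        MatchedKnownFingerprint = $byFingerprint
                        Certificate             = $cert
                    }
                }
            }
        }
        finally {
            $store.Close()
        }
    }
}

function Remove-SuperfishRoot {
    # Removing from LocalMachine\Root requires an elevated shell.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $found = @(Find-SuperfishRoot)
    if ($found.Count -eq 0) {
        Write-Output 'No Superfish root certificate found in the Windows trusted root stores.'
        return
    }
    foreach ($hit in $found) {
        $target = "$($hit.Subject) [$($hit.Thumbprint)] in $($hit.StoreLocation)\Root"
        if ($PSCmdlet.ShouldProcess($target, 'Remove trusted root certificate')) {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $hit.StoreLocation)
            $store.Open('ReadWrite')
            try {
                $store.Remove($hit.Certificate)
            }
            finally {
                $store.Close()
            }
        }
    }
}

# Usage:
#   Find-SuperfishRoot | Format-List         # inspect before touching anything
#   Remove-SuperfishRoot -WhatIf             # dry run
#   Remove-SuperfishRoot                     # prompts, because ConfirmImpact is High
```

This covers only the Windows certificate stores. Firefox keeps its own store, so check it separately in Options > Advanced > Certificates, and verify afterwards by visiting an HTTPS site and confirming the issuer shown in the browser is the site's real CA rather than Superfish.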

Deeper yet, the interception technology appears to come from a company called Komodia[5], which markets the product specifically for ad injection[6]. Furthermore, they advertise that it "has anti virus capabilities and each compiled version generates a totally new version," meaning each build is recompiled to dodge signature-based detection; they are well aware it will be targeted by anti-virus software. [EDIT: it looks like Komodia's site got hit with a DDoS.]

From our management perspective, we will continue to ensure that Superfish traffic stays out of our clients' affiliate programs. We recommend all affiliate managers take a hard look at the traffic they are receiving from Superfish. If you do not have the transparency required to fully vet their traffic, either reach out to them for additional information, or err on the safe side and remove Superfish from your programs. If you are running your program in CPA networks, you should reach out to the CPA network to see whether Superfish is driving traffic through their platform as well.

For everyone reading that is on a Lenovo machine (and everyone else, really), here’s a fantastic little sanity checker to see if this is on your machine, complete with next steps.
If you’re interested in learning more about Schaaf-PartnerCentric’s affiliate fraud prevention techniques, please request a consultation.

[1] https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839
[2] http://images.schaafpc.com/superfish1.png
[3] http://images.schaafpc.com/superfish2.png
[4] http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
[5] http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
[6] http://www.komodia.com/ad-injection-sdk/

Posted by Tom Rathbone