
Chinese computer manufacturer Lenovo has admitted that laptops shipped to stores and consumers in late 2014 had malware preinstalled.

You might want to read that again.

A major manufacturer with $38.70 billion in sales in 2014 alone has been selling computers that actively invade their users’ privacy, enable man-in-the-middle attacks and basically undermine trust.

Meet Superfish. Actually, Don’t.

Central to this revelation is a piece of software – until recently considered crapware or bloatware – called Superfish Visual Discovery, a browser extension that ships preinstalled on Lenovo computers ostensibly as a technology to “find and discover products visually”.

Because obviously you can’t discover products with your ears.

The idea is that Superfish, present as a browser extension, analyses images that you view on the web, checks if they’re products, then offers “identical and similar product offers that may have lower prices”.


How does it work?

“The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.”

The problem is, not only is Superfish a browser hijacker – anti-malware scanners routinely remove adware tools that do the same thing – but there’s also the issue of the MITM vulnerability.

Remember Man in the Middle Attacks? Lenovo Does

Superfish doesn’t only hijack your browser to display ads. It also installs a self-signed root HTTPS certificate, an act that essentially renders HTTPS pointless, by intercepting encrypted traffic on every website you visit (HTTPS is the sauce that makes the web secure and enables online banking, secure shopping, etc.). Evidence has been found that HTTPS site certificates are in fact signed by Superfish (rather than, say, your bank), and worse still (if you thought it couldn’t get any worse), the private encryption key is the same on all Lenovo computers!

This means fake sites cannot be detected by the web browser on a Lenovo PC.

To make matters worse, Rob Graham of Errata Security has cracked the encryption key that secured the Superfish certificate, enabling anyone to launch MITM attacks on PCs with that certificate installed.

Lenovo and the Malware

The release of the news came as quite a surprise…

There had been concerns and questions over Superfish for some time, and various questions on the Lenovo support forums.

This week, Lenovo announced that the Superfish Visual Discovery browser extension was being temporarily removed due to issues such as “browser pop up behavior”. Lenovo went on to explain what Superfish does, while taking pains to highlight that:

“It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of Use and Privacy Policy, and has the option not to accept these terms, i.e., Superfish is then disabled.”

The accuracy of this assertion is up for debate.

My New Lenovo Ultrabook

Funnily enough, I purchased a Lenovo computer a few weeks ago. By amazing coincidence, I just happened to remove the Superfish malware.

You don’t expect a modern computer manufacturer to load their computers with anything more than a trial of Microsoft Office and an internet security suite. So naturally when I was informed about Superfish, I just ignored it.

However, we at MakeUseOf use the Slack chat system for collaboration, and after a couple of days’ use of my new laptop, it seemed likely that the problem I was having posting messages on Slack (I could sign in without a problem) was down to the new computer.

Raising a support ticket with Slack, I was impressed by the quick response, although slightly perturbed by its contents:

  • Do you have Avast (antivirus) installed?
  • How about Net Nanny?
  • Is this a Lenovo PC?

Yes, I too was curious about that last question, and upon replying in the affirmative, I was greeted by this suggestion:

“Can you check and see if you have software installed called ‘Visual Discovery’, by Superfish? We’ve learned that removing this software (which comes pre-installed on some systems) should clear up the problem for you. It can be a bit tricky to find, apparently.

If Visual Discovery isn’t installed, we’ve also heard ‘Browser Guard’ has the same issue.”

Naturally, I quickly removed both.

How Do You Fix The Certificate Issue?

Removing Superfish doesn’t suddenly make the MITM threat vanish. You’re still at risk, and HTTPS is effectively broken on your computer until you can fix the certificate issue.

Begin by checking if your computer is affected. Head to https://filippo.io/Badfish/ and check the results. If the page reports that the Superfish certificate is present, further action is needed.


Act quickly. Press WIN+R to open the Run box and enter certmgr.msc. The Windows certificate manager will open; look for Trusted Root Certification Authorities, expand it to display Certificates, and then in the right-hand pane look for Superfish, Inc.

Delete it.


You can then return to the Badfish page (coded by one of the researchers involved in developing a page to check for the Heartbleed vulnerability in 2014) and check the result, where a more satisfactory message should be displayed.

Finish by closing your browser and rebooting Windows.

Or Just Use Windows Defender [UPDATE]

Since we published this post, Microsoft has released an update to Windows Defender that will catch and fry the Superfish, removing all traces of Lenovo’s ill-considered malware and its dodgy certificate.

Launch Windows Defender from the Start screen (type “windows defender”) and ensure the app updates, then wait for it to run its scan, detect and remove the threats.

If you’re not using Windows Defender, check your internet security suite for updates and run a scan. This may have been updated, and as such should remove Superfish automatically. If not, use the steps above for the manual removal.
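For readers who would rather script the check and the clean-up than click through certmgr.msc, here is an added PowerShell example (not part of the MakeUseOf article and not a Lenovo or Microsoft tool). It covers the three points above: finding and deleting the Superfish root certificate from both trusted root stores, a local equivalent of the Badfish check that reads who issued the certificate an HTTPS site presents (a Superfish issuer means the interception proxy is still in the path), and a Windows Defender signature refresh and scan. Assumptions: the rogue certificate’s Subject contains “Superfish” (matching the “Superfish, Inc.” entry the article tells you to look for), www.microsoft.com is just an arbitrary well-known site to connect to, and the Defender cmdlets are only run if the Defender PowerShell module is present. Run it from an elevated PowerShell 5.0 or later prompt.

```powershell
# Added example (not from the MakeUseOf article): find and remove the Superfish
# root certificate, verify HTTPS is no longer intercepted, then let Windows
# Defender clean up the Superfish program itself. Run elevated, PowerShell 5+.
# Assumption: the rogue root's Subject contains "Superfish" ("Superfish, Inc.").

# Both the machine-wide and the per-user Trusted Root stores are checked; a
# certificate in either is trusted by every application that relies on the
# Windows certificate store, so removing it from the browser alone does nothing.
$rootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-SuperfishRoot {
    param([string[]]$StorePaths = $rootStores)
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match 'Superfish' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Remove-SuperfishRoot {
    param([string[]]$StorePaths = $rootStores)
    foreach ($cert in (Find-SuperfishRoot -StorePaths $StorePaths)) {
        # Remove-Item on the Cert: drive deletes the certificate from the store.
        # -Confirm prompts for each certificate; add -WhatIf for a dry run.
        Remove-Item -Path (Join-Path $cert.Store $cert.Thumbprint) -Confirm
    }
}

# Local equivalent of the Badfish page: open a TLS connection to a well-known
# site and read the issuer of the certificate it presents. A genuine site is
# issued by a public CA; an issuer naming Superfish means the interception
# proxy is still active on this machine even if the root has been deleted.
function Test-HttpsIssuer {
    param([string]$HostName = 'www.microsoft.com', [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The validation callback returns $true so the handshake completes even
        # when the chain is untrusted; we only want to inspect the leaf.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $HostName
            Issuer      = $leaf.Issuer
            Intercepted = [bool]($leaf.Issuer -match 'Superfish')
        }
    } finally {
        $client.Close()
    }
}

$found = Find-SuperfishRoot
if ($found) {
    $found | Format-Table -AutoSize
    Remove-SuperfishRoot
} else {
    Write-Host 'No Superfish root certificate in the trusted root stores.'
}

# Windows Defender side (the article's [UPDATE] section): refresh signatures and
# scan so the Superfish program is removed too. These cmdlets ship with the
# Defender PowerShell module on newer Windows versions; skipped if absent.
if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
}

# Final check, after closing every browser: Intercepted should read False.
Test-HttpsIssuer
```

Deleting the certificate closes the trust hole, but if Test-HttpsIssuer still reports a Superfish issuer afterwards, the Superfish proxy is still running and intercepting connections; browsers will now warn rather than silently accept, and the program itself still needs removing (the Defender scan, or the manual uninstall described earlier) before HTTPS is back to normal.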

What Will Lenovo Do Next?

For a computer giant, Lenovo’s response to this has been inept. This company has sold millions of laptops that shipped to stores and customers between October and December 2014, and for it to play down the malicious bloatware as a benefit for users to find bargains online is deplorable.

Since news broke, Lenovo has confirmed that:

  • Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
  • Lenovo stopped preloading the software in January.
  • We will not preload this software in the future.

Lenovo also says that “The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.” Altruistic, or naïve?

They have also produced a list of affected devices.

Have you been affected by Superfish? How do you feel about Lenovo now? Share your reaction in the comments below.

  1. Bob
    March 9, 2016 at 8:44 pm

    Bought a Lenovo, got infected with something the moment the pre-installed antivirus ran out. Disk space is always at 100, and processor speed spikes up and down. Duplicate programs running. I did find Superfish on this Y50-70. Weird thing is a few months after getting hacked or w/e, someone from China withdrew money out of my bank account, not much though. Someone tried getting into my email account as well, also from China. I called Lenovo for help but you have to pay them.

    • Christian Cawley
      March 10, 2016 at 12:11 am

      Thanks for sharing that Bob, pretty rum that you have to pay for support after spending money on the computer.

  2. amber
    December 17, 2015 at 8:53 pm

    China made lenovo are rubbish. I have 2 lenovo tabs, one of them is china made. Ads pop up allllllllllll the time and i can't even do anything to make it go away. Sometimes (like 5 times a day) it even installed apps on its own.. I think i need the Winchester brothers to help me hahaha.. Well, I'm laughing at my own STUPIDITY to even trust china made product and bought it. I'm going back to the store tom since now i know what's really happening. Arigato :)

  3. Ron Gatewood
    September 25, 2015 at 4:40 am

    I bought two new Lenovo laptops that were loaded with so much malware that they would not work, and ads popped up continually. I allowed their techs to take over my computer 3x to fix it, they could not. I really wanted them, one was still unopened. They returned a partial amount, $900 and something, but they wanted to charge a restocking fee, for what? I contacted my Chase credit card co. who investigated and returned the $268 dollars. Now Lenovo has turned me over to a collection agency, I pay my bills. Lenovo not only loads your comp, they keep your money but if you win they try to get even. DO NOT BUY FROM THEM!

  4. Wired Ware
    August 17, 2015 at 8:34 am

    Let's not forget that we're buying products from a Chinese company who have political agendas because these companies are under a party rule (communism). Don't be surprised what secrets they're going to get from the US government next time.

    Now that you've mentioned it. Who knows what's being put in those machines? I would even think that they put some sort of spying program hard-coded. They would try to buy Dell next so they can have a monopoly (especially of business machines) and hence nobody can keep secrets from them.

    • Christian Cawley
      August 17, 2015 at 8:38 am

      The point you're making can apply to manufacturers from any country, not just China.

  5. Mike
    February 23, 2015 at 12:05 am

    My Panda Free Antivirus removed Superfish when I did a system scan today.

  6. Mark
    February 22, 2015 at 7:28 am

    Great article. This really is simply extraordinary behaviour for a company of Lenovo's size, and you have to see their explanation with a healthy dose of cynicism. It would be nice to think it would make others think twice, but history suggests it won't.

  7. Mynon Deru
    February 22, 2015 at 12:39 am

    Thanks so much for the heads up on this issue. After checking my computer which I bought in Nov. 2014 I discovered it was infected with the SuperFish program. I followed your steps for removal and it is now gone. My question now is "Has my identity/credit card information been compromised?" I personally will never own another Lenovo product. I feel their integrity is no longer valid.

  8. Matthew Hughes
    February 22, 2015 at 12:07 am

    Brilliant, as always, Christian.

    Lenovo are going to have to do an immense amount of damage control over the next few weeks. That much is certain. Whether they remove SuperFish? That's less certain. They've not disavowed them yet.

    Do you think they will?

  9. A41202813GMAIL
    February 21, 2015 at 11:50 pm

    I Do Not Get It.

    With The Constant And Ever So Present Reverse Engineering, Nothing Like This Can Be Hidden For Long.

    Are Companies Getting Stupid Or Just Suicidal ?

    Sigh...

    • dragonmouth
      February 22, 2015 at 3:02 pm

      "Are Companies Getting Stupid Or Just Suicidal ?"
      No, they just hope the users are.

  10. DalSan M
    February 21, 2015 at 5:48 pm

    Many companies have provided similar invasion of privacy, complete lack of proper security, or even lack of common sense, but that quickly blows by and consumers return to business as usual. Other times, the paranoid wishes to believe that they are super-secure by not using certain products or services, only to find out later (or ignore the fact) that other typical actions we perform daily are risk factors, are monitored in some way, and we receive targeted advertising due to these actions. Anything from watching YouTube, cable/satellite TV, and even opening an account at a bank is both monitored and used for targeted advertising.

    I'd rather live a life as an informed consumer than a panic-stricken and paranoid consumer because I want to enjoy life, but be afraid of everything. We, as individuals, need to learn how to remain safe in all of our actions and habits so that we can reduce the chances of security issues as well as other problems. It isn't easy, and will only get harder with government agencies snooping in where they don't belong and hackers breaking into retailers and other businesses, but it is the world we live in.

  11. DoktorThomas™
    February 21, 2015 at 5:07 pm

    Lenovo is a brand not even in my extensive vocabulary. Now that they are violators too, they are not even in my thoughts. ©2015

  12. KT
    February 21, 2015 at 4:05 pm

    Would this malware prevent you from wiping the HD and installing Linux? If not, Lenovo won't be on my list to consider.

    • DalSan M
      February 21, 2015 at 5:22 pm

      Superfish would not affect your ability to alter the operating system nor the ability to wipe the HDD and install another operating system. The fix is rather simple, even with manual removal, compared to fixing viruses or scareware.

    • dragonmouth
      February 22, 2015 at 3:09 pm

      @KT:
      "Would this malware prevent you from wiping the HD and installing Linux? "
      In a word, NO. However, if the malware persists, you can always remove the HD and replace it with another one. I don't think Superfish can jump from one HD to another, no matter how super it is. :-)

  13. Bill
    February 21, 2015 at 2:25 pm

    Does this affect all browsers, or just specific ones?

    • DalSan M
      February 21, 2015 at 5:13 pm

      Any web browsing with any browser would be affected by the Superfish root certificates. This is because the root certificates would be used by various browsers and applications that connect to the Internet, so making changes to the browsers would do absolutely nothing to protect against the security issues. The Superfish software and the root certificates that it creates need to be removed in order to fix the problem.

      Lenovo, Microsoft, and several security software companies have released tools or updates that would remove Superfish, the affected root certificates, and anything related to Superfish in the past couple of days, with more tools and updates being worked on for release by other security software suites. One thing to note is that if one chooses to use a tool or security software to remove Superfish, double check to make sure the software and certificates associated with Superfish are completely removed.

    • Christian Cawley
      February 21, 2015 at 8:00 pm

      As DalSan M says, HOWEVER some sites were reporting that Firefox wasn't affected but I wouldn't rely on this.

  14. Chris Farrant
    February 21, 2015 at 1:57 pm

    I recently installed some "all in one" desktops from Lenovo.

    These computers were bought directly from Lenovo. Before installing any other software I loaded AVG Anti Virus and all of them reported the same list of malware. I had to remove any Lenovo labelled apps etc to be sure nothing else was lurking about.

    This is a shame because Lenovo had gained my confidence in their hardware until this occurred.

    I also use a Lenovo Chromebook which is also a great little laptop. I don't think they can mess up a Chromebook OS can they?

    • Christian Cawley
      February 21, 2015 at 7:59 pm

      Was it the same malware you found, Chris, or something different?

    • Chris Farrant
      February 28, 2015 at 11:59 am

      Christian - No this was different. I don't have access to these desktops at the moment to get at the history. Next time I'm there I will make a list of what was detected.

    • Christian Cawley
      March 2, 2015 at 8:19 am

      I look forward to it, thanks!

  15. therese
    February 21, 2015 at 11:47 am

    Does this Superfish malware only affects Lenovo laptops? How about other Lenovo devices like Lenovo mobile phones? Are they affected too?

    • Christian Cawley
      February 21, 2015 at 7:58 pm

      So Lenovo say it is only laptops. No outlets have said anything about desktops, and my local store doesn't have any Lenovo desktops so I couldn't take a quick look ;)

    • Dave C.
      March 6, 2015 at 6:37 am

      I have a fairly new Lenovo A916 (my wife's cell phone). It was popping up ads once or twice a day. Qihoo 360 security software said it was clean. But then I found malwarebytes had a mobile version. Malwarebytes found "Trojan.Agent.mq" (CallerID.apk), "PUP.AdDisplay.Commplat.a" (MoboMarket2.1.8.apk) and "Trojan.Fadeb.a" (Twitter_qd_3025.apk), all in /system/app/ folder. None of these apps were downloaded. None of these apps could be uninstalled without: 1) 1st, I had to root the phone 2) 2nd, I had to apply the sdfix for kitkat, to access the internal storage (Oddly, Lenovo treats the internal storage on A916 as if it is external storage) I can't say for sure that they were on the phone when we bought it, as I didn't think to check then. But if they weren't downloaded, where did they come from? Can anybody else use malwarebytes to scan their (recently purchased) Lenovo phone and verify that this was factory installed malware?

    • Christian Cawley
      March 8, 2015 at 1:47 pm

      Thanks for this Dave, definitely worth further investigation.

    • Dave C.
      April 9, 2015 at 5:18 am

      OK, to kinda answer my own question....
      My wife was bragging to her many sisters about how nice her Lenovo A916 was. Her older sister decided she had to have one, too. Asked me to order it for her. So I did, from a different vendor than I had ordered my wife's cell phone from.
      *2nd* brand new Lenovo A916. This time, I already suspected it might have malware on it (from the factory). So...I connected it to wifi (to access play store), then input a gmail account (to access play store) and then downloaded malwarebytes from the play store. Malwarebytes automatically updated itself after install. Then I ran a full scan. Full scan found "Android/PUP.Riskware.SmsPay.j" /system/priv-app/LenovoThemeCenter.apk, "Android/Trojan.Agent.mq" /system/app/CallerID.apk, AND "Android/Backdoor.GinMaster" /system/app/Weatherservice_k517_u002_20140910.apk
      It also found "Android/PUP.Adware.ShinyMob.a, though I have not figured out where that file is stored yet.

      ONE of those three malware detections matches the malware found on my wife's phone. It was not downloaded, just like my wife's phone. All the malware is in system folders, just like my wife's phone. Adware was installed, just like my wife's phone. I'm pretty sure I'm going to have to "root" this phone to get rid of the malware, just like my wife's phone.

      Based on the fact that I just unwrapped this new cell phone and literally the first thing I did was run malwarebytes...well, I think you can draw your own conclusion.

  16. Christian Cawley
    February 21, 2015 at 10:08 am

    Windows Defender has been updated in the past day to deal with Superfish, and we'll be updating the post shortly to reflect this.

  17. DalSan M
    February 20, 2015 at 11:31 pm

    Another, easier method, as many readers already use it: update and run Windows Defender to remove Superfish along with the offending certificates. http://www.zdnet.com/article/microsoft-updates-windows-defender-to-remove-superfish-infection/. Surprised that Microsoft created a fix within 24 hours of word getting out about this malware. They actually are doing something right!
