MSRT March: Superfish cleanup

This month we added two new families to the Microsoft Malicious Software Removal Tool (MSRT): Win32/CompromisedCert and Win32/Alinaos.

The Alinaos trojan family targets point-of-sale terminals to steal credit card information. This post discusses the security risk presented by Superfish, an ad-injecting application that we detect as CompromisedCert.

Some new Lenovo consumer notebooks sold between September 2014 and February 2015 shipped with Superfish pre-installed. In February, it was discovered that this application exposes a machine to man-in-the-middle (MiTM) attacks because of a security vulnerability involving the self-signed root certificate that Superfish installs. Lenovo customers concerned about pre-installed versions of Superfish should refer to Lenovo's security advisory.

Microsoft worked with Lenovo and Superfish to add detection for Superfish, together with a root-trust repair, to our real-time protection products on February 19. At the same time, we shared detection guidance through our MAPP and VIA partner programs to drive an industry-wide cleanup. Our cleanup targets Lenovo machines, as this is the only place the vulnerable version of Superfish is encountered. The graph below shows the number of Superfish encounters since detection was added.


Figure 1 - Daily number of unique machines detecting CompromisedCert, our detection for Superfish pre-installed on Lenovo machines


Superfish is an ad-injection program that inserts ads into webpages as you browse the web. Figure 2 shows an example of Superfish-injected ads displayed while shopping for cameras. In this example the advertisements are attributed to WindowShopper.


Figure 2: CompromisedCert advertisements attributed to WindowShopper

In January 2015, Lenovo disabled Superfish advertising and ordered a stop to the Superfish preloading. On February 19, it became evident that the framework Superfish relied upon for its ad injection compromised the fundamental trust model of affected systems, leaving users vulnerable to MiTM attacks.

The security problem

Superfish uses a framework called Komodia to install a network driver that acts as a MiTM proxy: it decrypts browser traffic, modifies it to include extra ads, and re-encrypts it. Komodia was found to leave users vulnerable to attack and has since released a patch to its vendors; however, delivery of the update to end users depends on each vendor that uses the framework.
Usually, HTTPS browser sessions are protected against man-in-the-middle attacks. Superfish is nonetheless able to intercept and modify secure browser sessions by:

  • Installing an unconstrained self-signed root certificate in the local machine's trusted root store.
  • Embedding that root's private key in Superfish, so that it can issue a certificate for any site it intercepts and present the modified HTTPS content under that certificate.

From the user's perspective, the HTTPS connection appears valid. However, the certificate the browser sees is issued by the Superfish root rather than by a legitimate certificate authority, and the content behind it has been modified in transit. The images below show what a user could see when examining the connection to a secure server in Internet Explorer with the Superfish certificate installed.


Figure 3: Secure connection without Superfish man-in-the-middle program


Figure 4: The same website accessed after man-in-the-middle modification and re-signing by Superfish

Through Komodia, Superfish installs the same root certificate on every machine and embeds the matching private key to issue certificates on the fly. The private key is therefore identical on every affected machine, and once extracted it is effectively public: anyone holding it can issue a certificate, for any site or signer, that every affected machine will trust. This has several important security implications and is being tracked under the vulnerability identifier CVE-2015-2077.

This issue extends beyond Superfish to other applications that use the Komodia framework to intercept SSL/TLS traffic. Applications using similar SSL/TLS interception methods have also been found to be vulnerable to this and similar trust-related weaknesses.

Security implications

Superfish-affected users could have their HTTPS traffic decrypted, modified, or sessions hijacked through man-in-the-middle attacks. Even if the server connection appears secure and verified, personal data and passwords could be decrypted and stolen from a number of otherwise secure web services, such as banking, social media, and email websites.

For this type of attack to succeed, a malicious hacker must first get a forged certificate in front of the victim's browser. Usually that means gaining a man-in-the-middle position on the network, for example by owning the Wi-Fi hotspot, poisoning a DNS server's cache, or running the ISP. The alternative is to register a domain similar to the intended target's, serve it under a certificate issued with the Superfish key, and convince the user to visit it. These prerequisites reduce the risk of successful attacks.

Figure 5 illustrates the normal operation of an HTTPS session, compared with a failed attack against a user not affected by Superfish and a successful attack against a user affected by Superfish.


Figure 5: HTTPS session with and without certificates modified by Superfish

Because the added root certificate carries no usage constraints, it can also be used to digitally sign executable files. This could allow a malicious hacker to sign binaries that Superfish-affected machines will recognize as verified under any publisher name the hacker chooses. For example, a file could be made to appear signed and verified as Microsoft software. Figures 6 and 7 show the difference in User Account Control warnings when running a file signed with the Superfish key.


Figure 6: Superfish-signed binary when run on a machine that does not have Superfish installed


Figure 7: Superfish-signed binary imitating a Windows component when run on a vulnerable machine
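The mechanism described under "The security problem", the Figure 5 scenario, and the code-signing abuse shown in Figures 6 and 7 can be reproduced end to end. The following Go program is an added example, not code from the original post or from Superfish or Komodia: it builds a throwaway self-signed root in the style of the injected one, mints a certificate for a constructed host name (www.bank.example) with that root's key, and checks the result against a certificate pool standing in for the root store of a clean machine and of an affected machine. It then repeats the exercise for a code-signing certificate, once with the root unconstrained (no EKU extension, the property the post calls "unconstrained") and once with a root limited to TLS server authentication. Go's crypto/x509 verifier is used as a stand-in for the browser and Windows certificate checks; the real Superfish certificate and key are not reproduced here, and all names in the code are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey and returns the parsed certificate plus the
// subject's new key. A nil parentKey means self-signed (tmpl == parent).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newRoot builds a self-signed CA. eku == nil omits the EKU extension, which is
// the "unconstrained" property: the root is then trusted for every purpose.
func newRoot(name string, eku []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name, Organization: []string{name}},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	return issue(tmpl, tmpl, nil)
}

// mintLeaf is what the interception proxy does per site, and what anyone holding the same root key can do for any name.
func mintLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, cn string, dns []string, eku x509.ExtKeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	leaf, _ := issue(tmpl, root, rootKey)
	return leaf
}

// verifyWith returns nil when leaf chains to a root in store for the given use.
func verifyWith(leaf *x509.Certificate, store *x509.CertPool, host string, eku x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// TLSForgery models Figure 5: a certificate for the bank minted with the shared
// root key. It verifies only on a client whose store holds the injected root.
func TLSForgery(affected bool) error {
	injectedRoot, leakedKey := newRoot("Superfish-style root (example)", nil)
	publicCA, _ := newRoot("Unrelated public CA (example)", nil)
	const host = "www.bank.example" // constructed name, not a real site
	forged := mintLeaf(injectedRoot, leakedKey, host, []string{host}, x509.ExtKeyUsageServerAuth)
	store := x509.NewCertPool() // stands in for the machine's root store
	store.AddCert(publicCA)
	if affected {
		store.AddCert(injectedRoot)
	}
	return verifyWith(forged, store, host, x509.ExtKeyUsageServerAuth)
}

// CodeSigningForgery models Figures 6 and 7: a signing certificate under a name of the
// attacker's choosing verifies under an unconstrained root, not under a TLS-only root.
func CodeSigningForgery(rootLimitedToTLS bool) error {
	var rootEKU []x509.ExtKeyUsage
	if rootLimitedToTLS {
		rootEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	root, key := newRoot("Injected root (example)", rootEKU)
	signer := mintLeaf(root, key, "Any publisher name (example)", nil, x509.ExtKeyUsageCodeSigning)
	store := x509.NewCertPool()
	store.AddCert(root)
	return verifyWith(signer, store, "", x509.ExtKeyUsageCodeSigning)
}

func main() {
	fmt.Println("TLS forgery, affected / clean client:", TLSForgery(true), "/", TLSForgery(false))
	fmt.Println("code signing, open / TLS-only root:  ", CodeSigningForgery(false), "/", CodeSigningForgery(true))
}
```

A nil error means the forged certificate was accepted. The affected client accepts the bank certificate although no public CA ever issued it, and the unconstrained root lets the same key sign code; the clean client and the TLS-only root both reject. The same reasoning applies to any interception product that ships one root and one private key to every install.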

To help stay protected from this and other threats, we recommend running an up-to-date real-time security product. On Windows 8 and later, Windows Defender is built in and can help protect you from this and other threats. On older operating systems, you can install Microsoft Security Essentials. If you are running a third-party security solution, we recommend running the Microsoft Safety Scanner to perform a one-time scan that remediates the issue.

Because Mozilla manages its own root store, our update does not address the issue in Mozilla Firefox or Thunderbird. Users of Firefox or Thunderbird should follow Lenovo's instructions to repair the Mozilla trust store once Superfish has been removed from the machine. Mozilla has also released a hotfix for Firefox, so users should update Firefox.

There is more information about Superfish and its removal on the Lenovo support website.

Geoff McDonald

Comments (5)

  1. Matthew Ghali says:

    Your article suggests that exploiting Superfish requires an active MITM in the traffic path. THIS IS NOT TRUE. Mass exploitation is possible using a self-signed cert with the target domain name as a SAN. Your characterization of the threat is dangerous and leads people to believe the bar for exploitation is much higher than it actually is!

  2. Bob Thekelpie says:

    ^^ What that guy said... I mean, he sounds geeky so it must be true!

  3. jorf says:

    Re Matthew, from the article:
    "or register a similar domain to the intended target and convince the user to visit it"

  4. Anne says:

    Can you explain why a lot of people got offered KB890830 BOTH out of band (last weekend, 7 March) AND as an optional update?

  5. Michael Cherry says:

    Cleanup is nice, but as with all malware, isn't prevention just as important? Doesn't Microsoft play a role in the installation of such software by OEMs by not enabling and enforcing programs and policies similar to those used by the Microsoft Store's signature program, to ensure customers get an OS image installed on the computer that has only the tested and certified applications the customer needs? Then such cleanups might not be necessary.
