{"id":5464,"date":"2015-02-25T07:09:58","date_gmt":"2015-02-25T12:09:58","guid":{"rendered":"http:\/\/kasperskydaily.com\/uk\/?p=5464"},"modified":"2020-02-26T15:10:55","modified_gmt":"2020-02-26T15:10:55","slug":"lenovo-pc-with-adware-superfish-preinstalled","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/lenovo-pc-with-adware-superfish-preinstalled\/5464\/","title":{"rendered":"Superfish: adware preinstalled on Lenovo laptops"},"content":{"rendered":"<p>On February 19th\u00a0of 2015, it came out that <a href=\"http:\/\/support.lenovo.com\/en\/product_security\/superfish\" target=\"_blank\" rel=\"noopener nofollow\">Lenovo\u2019s laptops had been shipped with the Superfish adware preinstalled<\/a>. There are two major problems with this issue.<\/p>\n<p>The first is that the hardware maker had been shipping consumer laptops with <a href=\"https:\/\/www.kaspersky.com\/blog\/my-big-fat-adware-cleaning\/\" target=\"_blank\" rel=\"noopener nofollow\">adware<\/a> preinstalled for several months, from September 2014 until February 2015.<\/p>\n<p>The other problem is related to how Superfish behaves. Its ability to produce self-signed certificates may allow a malicious third party to intercept SSL\/TLS connections or, to put it simply, web browser sessions to \u201c<a href=\"https:\/\/www.kaspersky.com\/blog\/digital-certificates-httpss\/\" target=\"_blank\" rel=\"noopener nofollow\">https<\/a>\u201d links.<\/p>\n<p>\u00a0<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Learn how digital certificates and 'HTTPS' keep your online life secure through encryption. 
<a href=\"http:\/\/t.co\/gjOBQrEaYO\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/gjOBQrEaYO<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/331789405234802688?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 7, 2013<\/a><\/p><\/blockquote>\n<p>\u00a0<\/p>\n<p>Now, let\u2019s take a closer look at the latter problem by observing the actual behaviour of Superfish.<\/p>\n<p>\u00a0<\/p>\n<p>Below is a screenshot of an online banking website, accessed via Internet Explorer from a clean PC without the adware. Clicking on the lock icon shows the SSL certificate information:<\/p>\n<div id=\"attachment_5466\" style=\"width: 942px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/02\/05195558\/superfish-scr-2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-5466\" class=\"wp-image-5466 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/02\/05195558\/superfish-scr-2.png\" alt=\"superfish-scr-2\" width=\"932\" height=\"620\"><\/a><p id=\"caption-attachment-5466\" class=\"wp-caption-text\">Fig 1. Accessing online banking site from a clean laptop<\/p><\/div>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p>An SSL certificate is issued by a Certificate Authority (CA) to confirm the ownership of the web site. In this case, VeriSign is the certificate issuer that guarantees the identity of \u201cJapan xxxx BANK Co,Ltd.\u201d The certificate is also used to encrypt a user ID or a password in an encrypted session. This is how the safety of a connection is guaranteed.<\/p>\n<p>The next screenshot is of the same web site, but this time it is accessed via Internet Explorer from a Superfish-infected PC. 
Its SSL certificate now shows \u201cSuperfish\u201d as its issuer instead of \u201cVeriSign\u201d.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/02\/05195555\/superfish-scr-21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5469\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/02\/05195555\/superfish-scr-21.png\" alt=\"superfish-scr-2\" width=\"932\" height=\"620\"><\/a><\/p>\n<p>What is the cause of this change, then? Superfish has its own CA built into its software. This makes it possible to hijack a user\u2019s web session, generate a self-signed certificate, and establish an SSL connection using it. Unfortunately, web browsers treat the Superfish-generated certificate as legitimate. So, the CA is now Superfish, not VeriSign.<\/p>\n<div class=\"pullquote\"><strong>The worst possible scenario is data theft from a web session with an online banking site<\/strong><\/div>\n<p>In addition, the <a href=\"https:\/\/www.kaspersky.com\/blog\/pgp-reliable-privacy-security-and-authentication-for-everyone\/\" target=\"_blank\" rel=\"noopener nofollow\">private key<\/a> for generating certificates is included in the software and is available to anyone who wants it. The <a href=\"https:\/\/threatpost.com\/lenovo-superfish-certificate-password-cracked\/111165\" target=\"_blank\" rel=\"noopener nofollow\">password of the key has been revealed on the Internet<\/a>. With the key-password pair, someone with malicious intent could eavesdrop on data transmitted through an encrypted connection or inject malicious code into it. The worst possible scenario in this case is data theft from a web session with an online banking site.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We're sorry. We messed up. We're owning it. And we're making sure it never happens again. 
Fully uninstall Superfish: <a href=\"http:\/\/t.co\/mSSUwp5EQE\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/mSSUwp5EQE<\/a><\/p>\n<p>\u2014 Lenovo United States (@lenovoUS) <a href=\"https:\/\/twitter.com\/lenovoUS\/status\/568578319681257472?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 20, 2015<\/a><\/p><\/blockquote>\n<p>Users of Lenovo laptops with Superfish are strongly advised to delete both the software named \u201cSuperfish Inc. Visual Discovery\u201d (from Windows Control Panel) and Superfish\u2019s certificate (from the list of Trusted Root Certification Authorities).<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/advert\/free-trials\/multi-device-security?redef=1&amp;THRU&amp;reseller=blog_en-global\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky products<\/a> can help you determine whether your laptop is affected: our product detects the adware as Not-a-virus:AdWare.Win32.Superfish.b.<\/p>\n<p>\u00a0<\/p>\n<div id=\"attachment_5467\" style=\"width: 413px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/02\/05195557\/superfish-scr-3.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-5467\" class=\"size-full wp-image-5467\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/02\/05195557\/superfish-scr-3.png\" 
alt=\"Fig 2. Accessing online banking site from an infected laptop.\" width=\"403\" height=\"360\"><\/a><p id=\"caption-attachment-5467\" class=\"wp-caption-text\">Fig 2. Accessing online banking site from an infected laptop.<\/p><\/div>\n<p>Lenovo is offering an <a href=\"http:\/\/support.lenovo.com\/en\/product_security\/superfish_uninstall\" target=\"_blank\" rel=\"noopener nofollow\">Automatic Removal Tool for Superfish<\/a> in its <a href=\"http:\/\/support.lenovo.com\/en\/product_security\/superfish\" target=\"_blank\" rel=\"noopener nofollow\">Security Advisory (LEN-2015-101)<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On February 19th\u00a0of 2015, it came out that Lenovo\u2019s laptops had been shipped with the Superfish adware preinstalled. There are two major problems with this issue. The first one is<\/p>\n","protected":false},"author":40,"featured_media":5465,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026],"tags":[552,909,36,43,877,97,690,578,910],"class_list":{"0":"post-5464","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-adware","10":"tag-lenovo","11":"tag-malware-2","12":"tag-privacy","13":"tag-private-data","14":"tag-security-2","15":"tag-spying","16":"tag-ssl","17":"tag-superfish"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/lenovo-pc-with-adware-superfish-preinstalled\/5464\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/lenovo-pc-with-adware-superfish-preinstalled\/4637\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/lenovo-pc-with-adware-superfish-preinstalled\/4598\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/lenovo-pc-with-adware-superfish-preinstalled\/7712\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/lenovo-pc-
with-adware-superfish-preinstalled\/6925\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/lenovo-pc-with-adware-superfish-preinstalled\/7712\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/lenovo-pc-with-adware-superfish-preinstalled\/7712\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/adware\/","name":"Adware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/5464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=5464"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/5464\/revisions"}],"predecessor-version":[{"id":19194,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/5464\/revisions\/19194"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/5465"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=5464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=5464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=5464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}