Lenovo caught installing adware on new computers

Discussion in 'malware problems & news' started by SweX, Feb 19, 2015.

  1. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  2. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,436
    Location:
    U.S.A.
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    One that jumps out is Lavasoft. From Wikipedia:
    Unintentional irony there?

    I wonder whether any other anti-malware apps break HTTPS in similarly stupid ways.
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  5. Emre TINAZTEPE

    Emre TINAZTEPE Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    85
    Hello Everyone,

    Zemana AntiLogger Pro & Free versions build last year successfully blocks the Lenovo superfish root CA certificate. (Including the other third-party software using komodia SSL sniffing/hijacking SDK)
    Here is the video: http://youtu.be/FRyw6n-FMK4

    if someone wants to test it out and see if how it works please PM me so I can send you the installer of Lenovo StarFisher.
     
  6. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
  7. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Is Lenovo the only brand doing this?
     
  8. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  9. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    OMG What a block-head business decision.

    Almost as block-headed as my misunderstanding that Lenovo was a Russian Company.

    As of 2012 Lenovo has been The Official "Laptop, Workstation, PC" sponsor of the NFL.

    Have not yet read of any announcements of NFL investigating reports of under-inflated Lenovo Laptops.
     
    Last edited: Feb 21, 2015
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Cool, I asked about this earlier in the thread. Did it stop it by monitoring for certificate installation? Can you give some more technical details?
     
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Only Lenovo and several other PC brands are bundling the SuperFish adware at the factory.

    Installation CD's should not have this issue. Reach out to Microsoft on this to be 100% certain.
    I've not heard of any cases of folks getting infected via a CD. This would be a first instance.

    • EDIT to show -
    The unwelcome and potentially dangerous software was preinstalled on some Lenovo consumer PCs between September and December 2014. If you purchased a Lenovo PC before that date, you're unlikely to be affected. PCs sold in January or February might still be at risk if they were shipped during the last quarter of 2014 and have been on warehouse or store shelves in the interim.

    http://www.zdnet.com/article/microsoft-updates-windows-defender-to-remove-superfish-infection/
     
    Last edited: Feb 21, 2015
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    If you're using software that can prevent modifications of files and registry keys(HIPS for example) you can set them to protect the root certificates.

    Windows Root Certs(includes Internet Explorer, Chrome, Safari and lots of other softwares):
    HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
    Firefox and Thunderbird Root Certs:
    cert8.db in your Profile folders.(For example, FF's certs on Win7 can be found here C:\Users\Name\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\cert8.db)
     
  14. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  15. guest

    guest Guest

    Will do, thanks. :thumb:
     
  16. Emre TINAZTEPE

    Emre TINAZTEPE Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    85
    Yes, because encrypted traffic cannot be inspected, any type of application (whether it is malicious or not), in order to inspect SSL traffic, must utilize an SSL proxy and install a fake root certificate into the trusted certificate store; this way they trick the browser into believing that the proxy certificate is valid, and avoid displaying a warning.

    When Zemana "SSL Intrusion Prevention" feature is active, it does not let the browser trust in fake certificates.

    Most of the banker Trojans use the same SSL proxy technic for webinjection: https://web.archive.org/web/20150220024518/http://www.komodia.com/ad-injection-sdk/

    There are other techniques such as hooking SSL encryption APIs (Zeus, Carberp and etc) and via browser toolbars. AntiLogger Pro & Free covers all of them.
     
  17. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    SSL-busting code that threatened Lenovo users found in a dozen more apps
    http://arstechnica.com/security/201...ened-lenovo-users-found-in-a-dozen-more-apps/
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the feedback. Can you perhaps give some more info about the Zemana "Trust-list", what is the purpose? Perhaps I'm going to give Zemana AL Free a try. A bit off topic, but I hope you can improve the GUI of Zemana AL Pro, to make it look more like the free version, or perhaps like Zemana AntiMalware. The current one is really bad.
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Comodo Privdog is even worse than SuperFish. It just totally destroys HTTPS!
    https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html
     
  20. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    So Lavasoft has come out on their Facebook page with the announcement that their web filtering app uses the Komodia SDK:
     
  21. 142395

    142395 Guest

    Interesting, I'll look into it. I used Comodo Dragon much before, and at that time there's no Privdog but they re-introduced it after that.

    [EDIT:] I've read the blog and it seems too much bad. If Comodo can't make any persuasive counter argument about its security implication, I can not to trust Comodo any more.
     
    Last edited by a moderator: Feb 23, 2015
  22. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Here you can find Melih's respond
    https://forums.comodo.com/help-priv...t-hijacks-your-ssl-connections-t109892.0.html

    And discussion of privdog
    https://forums.comodo.com/general-s...ish-vulnerability-ssl-hijacker-t109881.0.html
     
  23. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,436
    Location:
    U.S.A.
     
  24. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Mozilla mulls Superfish torpedo
    http://www.theregister.co.uk/2015/02/23/mozilla_mulls_super_phish_torpedo/
     
  25. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.