
This site already has a discussion of the security risks of "Superfish". It seems to me that anything that tampers with the bits of one's connection is bad. If it tampers with TLS connections, it is evil.

How can I determine if I am vulnerable to Superfish?

Lenovo has issued a statement on Superfish (after they got caught red-handed) saying it has been "disabled."

As I can no longer trust Lenovo, is there a way to remove it completely other than format c:?

Edit: the Lenovo statement linked above now has a list of model numbers on which Superfish may have been installed. Um, but it says "appeared" rather than "installed," rather like it sneaked on those computers in the middle of the night.

Bob Brown
  • You can start by removing the rogue CA from your trust store – Dillinur Feb 19 '15 at 16:05
  • I'm hoping to get an answer with some step-by-step instructions what may help people for whom "remove the rogue CA" is not enough information. – Bob Brown Feb 19 '15 at 16:10
  • Well, rats. I searched "security" but not "SO." I apologize. Perhaps I should delete my question as a duplicate, but I'm inclined to leave it so that others will find the link in your comment. – Bob Brown Feb 19 '15 at 16:13
  • @BobBrown Please keep the question, it's a perfectly good question here as well (and in fact, makes more sense here than there). – cpast Feb 19 '15 at 16:19
  • @cpast: OK... thanks. Also, what's on SO seems to be directions for removing the root CA only. It would be good to get rid of whatever executable code there is, too. – Bob Brown Feb 19 '15 at 16:21
  • 5
    If you don't trust Lenovo I'm afraid the best solution is to indeed "format c:", as there may be something else (rootkit?) planted in your system that's more sneaky than Superfish. –  Feb 19 '15 at 17:25
  • @AndréDaniel: A company that purposely compromises the security of TLS may indeed have other bad habits. Sadly, even reinstalling the OS means updating the Thinkpad drivers... from Lenovo. In the long run the answer is going to have to be a different hardware manufacturer. – Bob Brown Feb 19 '15 at 17:43
  • @BobBrown Is Superfish installed on Thinkpads? I'm pretty sure they only installed on the consumer line. – cpast Feb 19 '15 at 18:21
  • Lenovo has some amount of internal separation between consumer-line computers and Think-line computers, and I'm pretty sure they only put these on consumer-line computers. I can confirm that with Lenovo drivers on a ThinkPad (but with a reinstalled OS for other reasons) I do *not* have the CA in question. – cpast Feb 19 '15 at 18:26
  • 3
    @cpast: As far as I know, you are correct... only their consumer line computers. But if they'll compromise the security of some of their customers, they may have other bad habits. Once they've pulled something like this, it will be hard to trust them with *anything* in the future. – Bob Brown Feb 19 '15 at 18:37
  • 8
    "*We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.*". Hum... besides the fact they were apparently shipping the same trusted CA certificate **and its private key** (embedded somewhere in that software) to all affected units. Terrible statement. – Bruno Feb 19 '15 at 19:36
  • @BobBrown you can often get (better, updated) drivers directly from the components' manufacturers (Intel, Nvidia, Broadcom, Atheros, etc) so installing Lenovo-provided drivers isn't mandatory. –  Feb 19 '15 at 20:30
  • 1
    @cpast I have a ThinkPad Edge E520 that I bought in January of 2012 with its original drivers. I've confirmed that it does *not* have Superfish certificates installed. Even so, very concerning that they'd even *consider* installing this kind of software. – JDB Feb 19 '15 at 23:29

3 Answers

You can check to see if your machine is vulnerable by browsing to this site: https://badssl.com/dashboard/

Everyone keeps saying that you need to completely reinstall a clean version of Windows. I would first try to remove Superfish. To remove the executable you should be able to use the normal Windows Add/Remove programs method. I believe the executable is called Visual Discovery.

To remove the certificate follow these steps from StackOverflow:

FYI, this Superfish software is now a major news headline: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

It is preloaded by Lenovo (there may be other vendors). You have to uninstall it, but that will not remove the certificate. To remove the certificate, you must do the following:

  1. Run mmc.exe
  2. Go to File -> Add/Remove Snap-in
  3. Pick Certificates, click Add
  4. Pick Computer Account, click Next
  5. Pick Local Computer, click Finish
  6. Click OK
  7. Look under Trusted Root Certification Authorities -> Certificates.
  8. Find the one issued to Superfish and delete it.

If you are really paranoid, the best solution would be to reformat your laptop and install Windows with Microsoft media, not the factory recovery stuff.

While the above removes it from the Microsoft Trusted Store, this link indicates that the root certificate might be injected into browser trusted stores. Check that your browser also does not trust the Superfish Inc certificate. Chrome and IE both use the operating system's trusted root store. If you're using Firefox you need to manually remove it.

Remove Trusted CA from Firefox Trusted Store

  1. Click the menu button, then choose Preferences
  2. Click Advanced in the upper tab menu
  3. Then click Certificates in the lower tab menu.
  4. Click View Certificates
  5. Under the Authorities tab check for the Superfish Inc certificate
  6. If it's found, then click on the certificate and then click Delete or Distrust
  7. Finally click the Ok button to confirm that you're removing it.
RoraΖ

I did everything that raz mentioned in his answer - the https://filippo.io/Badfish site checked out OK, I had nothing named "Visual Discovery" in my Add/Remove Programs, and I found no Superfish certificates in mmc or Firefox. But I still found a variant of Superfish on my machine, and I don't even have a Lenovo computer.

I searched for filenames containing the string "superfish", and I found 2 files in a subdirectory of the Flash Video Downloader addon for Firefox (one of the most popular addons):

  • superfish_titles.txt (contains a long list of web site names)
  • superfish.js (appears to have the ability to modify web pages in your browser and load material from that best-deals-products site)

Based on reading a few forums, some browser addons nowadays include adware/malware such as this. The unfortunate thing is that neither the MBAM scanner nor VirusTotal recognized those files as malware. Hopefully just uninstalling the addon is enough to remove all traces of it from the system.

pacoverflow
  • Superfish is not a Lenovo thing - it's a legitimate company doing advertising. It will not be surprising to see references to the company on any computer. The real problem was the trusted CA. – schroeder Feb 23 '15 at 17:55
  • @schroeder: I'm sorry, but I have to disagree with "legitimate" when applied to a company whose business model is to modify others' web pages without the consent of the authors of the pages being modified. – Bob Brown Feb 24 '15 at 01:15
  • As far as I can tell, `superfish.js` is not connected with the "Superfish" of Lenovo fame, or maybe there are two different files of that name. One is a jQuery menu enhancer and has MIT and GPL license notices at the top. That one, as far as I know, is harmless, and is likely to be found only in your browser's cache. I have no experience with `superfish_titles.txt` but it sounds suspicious. – Bob Brown Feb 24 '15 at 01:22
  • 1
    @BobBrown I just posted the [superfish.js](http://pastebin.com/2T5UF27q) and [superfish_titles.txt](http://pastebin.com/WTx3aHPQ) files to pastebin. Neither one is related to the jQuery menu enhancer. As you can see, superfish.js connects to best-deals-products.com, which is the same site I've seen mentioned in articles about the Superfish of Lenovo fame, such as [this article](http://bits.blogs.nytimes.com/2015/02/19/researcher-discovers-superfish-spyware-installed-on-lenovo-pcs/). – pacoverflow Feb 24 '15 at 02:09
  • @pacoverflow: *EEeewww...* There are two of `superfish.js`, one of which is evil. Thank you for following this up. – Bob Brown Feb 24 '15 at 02:25

Or, the network administrator can bar access to SuperFish altogether. This will circumvent all attempts to get a cert even if this app or certificate gets re-installed as so many Windows viruses do so very well.

fmotta
  • How would you go about doing that? The software is pre-installed and the bogus certificates are created on the fly. There isn't any "access." Superfish does a MITM attack from within the computer. (Yes, you could bar access to whatever serves the ads, but that doesn't really help.) – Bob Brown Feb 21 '15 at 00:21
  • I may be wrong as I have not looked at the whole architecture of the exploit. If Superfish needs to contact its own CA to do its 'thing' and it cannot because the server is inaccessible - then it may need to fall-back and do things without the exploit or die horribly. – fmotta Feb 21 '15 at 00:31
  • 7
    Superfish doesn't need to contact anything. It comes with its own built-in CA. – Mark Feb 21 '15 at 00:40