How Lenovo’s Superfish ‘Malware’ Works And What You Can Do To Kill It

by Thomas Fox-Brewster

Lenovo might have made one of the biggest mistakes in its history. By pre-installing software called ‘Superfish’ to get ads on screens, it has peeved the entire privacy community, which has been aghast this morning on Twitter. There are serious security concerns about Lenovo’s move too, as attackers could take Superfish and use it to ensnare unwitting web users.
Here’s what you need to know about Superfish and what you can do to stop it chucking irksome ads on your browser and leaving you open to hackers.
Is Superfish malware?
Lenovo won’t want anyone to call it that, but Superfish has been described as a piece of malware, or an adware pusher, that the Chinese firm pre-installs on consumer laptops. Superfish is also the name of the development company, with bases in Tel Aviv and Palo Alto, behind the tool. It claims it has “developed the most advanced and scalable visual search technology in the world” and was ranked America’s 64th most promising company by Forbes.
From what’s known about it thus far, Lenovo uses Superfish to place adverts that the laptop manufacturer wants users to see into Google search results. It’s a good way to make money, after all.
Users were already complaining about Superfish in mid-2014, and since then consumers have been moaning about it en masse. A Lenovo administrator finally sought to address their ire with this comment on 23 January: “Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.
“Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has the option not to accept these terms, i.e., Superfish is then disabled.”
That all sounds very innocent. But privacy advocates are concerned about how this might be used to intercept people’s traffic and be abused for more surreptitious ends. For non-encrypted traffic (i.e. connections running over HTTP rather than HTTPS), Superfish is used to inject JavaScript into web pages.
But there’s a bigger concern: that Lenovo is intercepting encrypted traffic so it can show ads on people’s computers. In the security world, this is known as a man-in-the-middle attack. If Lenovo were doing this, it would have to interrupt what’s known as the certificate chain. This is a chain of trust: each certificate a website presents is vouched for by a certificate authority the browser already trusts, so the website can prove it is a legitimate party and not a malicious actor, like a criminal or a spy.
With Superfish, it’s been claimed Lenovo is using a self-signed certificate to appear as a trusted party (which it no doubt considers itself to be) along the chain. In theory, it is therefore able to see users’ traffic and alter it in whatever way it sees fit. This method, according to Robert Graham of Errata Security, makes Superfish the root Certificate Authority (CA) – essentially the link that decides what encrypted communications to trust.
“It means Superfish can generate a valid (from the browser’s standpoint) encryption certificate for Facebook or Google, or any other site using HTTPS,” noted security analyst Andreas Lindh.
From a privacy perspective, this isn’t ideal. Lenovo could easily abuse this trust to spy on its PC owners. But, as far as anyone is aware, it would never do that.
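Two checks follow from the root-CA description above, written here as an added example rather than anything from the article or from Lenovo: look in the Windows trusted root stores for a root CA named like Superfish (the exact certificate subject is not given on the page, so matching on the name is an assumption), and then see which root actually terminates the chain for a live HTTPS session. If an interception proxy is active, the chain for a site such as Google ends in the locally installed root rather than a public CA.

```powershell
# Added example, not code from the article. Assumes Windows PowerShell 5.1+
# and that the Superfish root's Subject contains "Superfish" (an assumption).

function Find-SuspectRootCA {
    param([string]$NamePattern = '*Superfish*')
    # A root in either the machine-wide or the per-user store is enough for
    # browsers that use the Windows store to trust forged certificates.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store | Where-Object { $_.Subject -like $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Get-HttpsChainRoot {
    param([string]$HostName, [int]$Port = 443)
    # Complete a TLS handshake, then let Windows build the chain for the
    # certificate we were shown and report the root it ends in.
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream())
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null  = $chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host           = $HostName
            LeafIssuer     = $leaf.Issuer
            ChainRoot      = $root.Subject
            RootThumbprint = $root.Thumbprint
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Any hit from the first check, or a ChainRoot thumbprint from the second that
# matches one of those hits, means HTTPS to that host is being intercepted.
Find-SuspectRootCA
Get-HttpsChainRoot -HostName 'www.google.com'
```

A public site whose chain root is a locally installed, self-signed certificate is the condition the article describes; the thumbprint reported is what you would pass to the store to remove it.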