How to detect Superfish and remove it from your Lenovo computer.
February 21, 2015
If you own a Lenovo computer (desktop or laptop) that was purchased any time from September 2014 through February 2015, and it is not a ThinkPad model, chances are high that it shipped from Lenovo with an adware program named Superfish preinstalled.
A list of the affected Lenovo computers can be found here.
Why would Lenovo do this?
Simple answer: more money. They sell their lower priced, non-ThinkPad models in big box retail stores and online stores. Competition in these stores drives the prices down, which means lower profit margins for the manufacturer (in this case, Lenovo). To compensate, some manufacturers (including Lenovo) strike deals with third party advertisers and ad delivery networks to deliver targeted advertising to buyers and users of these computers. Backhanded, yes; illegal, no.
I know that a lot of my readers go back more than a few years in computer technology. You folks, like me, remember when the ThinkPad brand belonged to IBM. The name stayed with IBM from its introduction in April 1992 until IBM's entire computer line was purchased by Lenovo in May 2005. In fact, Lenovo allowed IBM to continue building and delivering certain ThinkPad models for several years after the acquisition was completed. Built like tanks, these handheld and laptop computers were revered by office workers and traveling business people; they are made for offices, business use and traveling telecommuters, and they usually sell for big bucks. But if you recently bought a ThinkPad, read on and assume nothing.
What is Superfish?
Superfish is a company that manages advertising delivery for its client partners. In itself, there is nothing wrong with that, if only that were the end of the story. Hang on folks, it gets uglier from here on.
Superfish is software that, by design, intercepts your browser-based communications with the websites you visit, in real time. Its servers analyze the content of the page you are on and where you could possibly click next. It then injects ads targeted at you, based upon your browsing and clicking history.
Why should I care?
Because Superfish also installs what is known as a self-signed security certificate into your Windows Trusted Certificates Store (on your computer), which is also trusted by the Chrome and Internet Explorer browsers, and into Firefox, which has its own trusted certificate storage. It allegedly does this so that its injected ads do not trigger a security warning from the browser you are using. It gets even worse...
Superfish not only presents its own self-signed trusted certificate when it is going to check for ads to inject. It also replaces the legitimate trusted certificate that may have been supplied by the website you are viewing, or doing your banking on, or using to purchase things and pay at their supposedly secure https checkout. Except, Superfish is now standing in the middle, between your keyboard and the website you are working with. It intercepts your keystrokes, user names and passwords, just like a spyware "keylogger" might do. This in effect is a MiTM (Man in The Middle) attack vector. Still not worried?
Further, it encrypts the data it sends out to its advertising network with a weak, outdated, easily cracked form of encryption. This encryption has a key that unlocks it and allows it to be read by both humans and data processors. Guess what? They use the same key on all Lenovo computers and laptops that contain Superfish adware. Ready for another surprise? That key was cracked and published earlier this week! It is in the wild!
Further background reading (recommended for techies or the very curious). 1: Graham Cluley, who basically broke this story wide open, and 2: The Verge, quoting a TL;DR technical article by Robert Graham.
What you should do first
Check if your Lenovo (or other computer) has Superfish installed. Security researcher Filippo Valsorda has created a safe test page. JavaScript is required. If the software is detected, the results will make it very clear. If not, you are probably safe at this time, on that device. Filippo recommends checking with each browser you have installed on a computer, just in case it has affected one but not the others.
What if the test says I have Superfish installed?
Get it gone, now! At first there were individual tips published by other researchers on uninstalling the program. But they had confusing instructions for removing the fake trusted certificate that would be left behind. This would leave the computer vulnerable to a malware attack that tries to exploit leftover Superfish trusted certificates. Remember, the key to the certificate is the same on all Lenovo machines and has been cracked and published.
Thankfully, Lenovo has seen the error of their ways and done an about-face from an earlier statement about Superfish. Not only have they stopped preinstalling it on new builds, they have published a complete removal tool that will uninstall everything to do with Superfish, its browser plugins and fake certificates. The removal tool and further instructions are here, on the Lenovo website.
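As an added example (not code from the original post, from Lenovo, or from Filippo Valsorda's test page), here is a PowerShell check a Windows user or administrator can run alongside the browser test and the removal tool: it lists any certificate naming Superfish in the machine-wide and per-user Trusted Root stores that Chrome and Internet Explorer rely on, flags the ones that are self-signed roots (the shape of an interception CA), and, only when run with -Remove, deletes them. It assumes the certificate's Subject or Issuer contains the word "Superfish" (the name used on this page), an elevated prompt, and PowerShell 3.0 or later for Remove-Item on the Cert: drive. Firefox's separate store is not covered; check that through Firefox's own certificate manager.

```powershell
# Added example, not Lenovo's or the original post's code.
# Detect (and optionally remove) a Superfish root certificate from the
# Windows certificate stores that Chrome and Internet Explorer trust.
# Run from an elevated PowerShell prompt; review the report before using -Remove.
param(
    [switch]$Remove   # pass -Remove to delete the matches listed in the report
)

# Assumption: the Trusted Root stores at machine and user scope are the ones to inspect.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect every certificate whose Subject or Issuer names Superfish.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output 'No certificate naming Superfish found in the Windows Trusted Root stores.'
    return
}

Write-Output 'Certificates naming Superfish found:'
$found | Format-Table -AutoSize

# A self-signed root has Subject equal to Issuer; that is what lets the
# adware vouch for any https site it intercepts.
foreach ($c in $found) {
    if ($c.Subject -eq $c.Issuer) {
        Write-Warning "Self-signed root CA present in $($c.Store): $($c.Subject)"
    }
}

if ($Remove) {
    foreach ($c in $found) {
        # Certificates on the Cert: drive are addressed by store path plus thumbprint.
        $path = "$($c.Store)\$($c.Thumbprint)"
        Write-Output "Removing $path"
        Remove-Item -Path $path
    }
    Write-Output 'Done. Firefox keeps its own trust store; check its certificate manager separately, then restart.'
}
```

Run it once without -Remove and read the report; a match whose Subject equals its Issuer is the self-signed root the post describes. The script only deals with the certificate; uninstalling the Superfish program and its browser plugins is still the removal tool's job.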
Restart your computers after uninstalling this crap!