February 21, 2015

How to detect Superfish and remove it from your Lenovo computer.


If you own a Lenovo computer (desktop or laptop) that was purchased anytime from September of 2014 through February 2015, and it is not a ThinkPad model, chances are high that it shipped from Lenovo with an adware program named Superfish preinstalled.

A list of the affected Lenovo computers can be found here.

Why would Lenovo do this?

Simple answer: more money. They sell their lower priced, non-ThinkPad models in big box retail stores and online stores. Competition in these stores drives the prices down, which means lower profit margins for the manufacturer (in this case, Lenovo). To compensate, some manufacturers (including Lenovo) strike deals with third party advertisers and ad delivery networks to deliver targeted advertising to buyers and users of these computers. Backhanded, yes; illegal, no.

I know that a lot of my readers go back more than a few years in computer technology. You folks, like me, remember when the ThinkPad brand belonged to IBM. The name stayed with IBM from its introduction in April 1992 until IBM's entire PC line was purchased by Lenovo in May 2005. In fact, Lenovo allowed IBM to continue building and delivering certain ThinkPad models for several years after the acquisition was completed. Built like tanks, these handheld and laptop computers were revered by office workers and traveling business people. They are made for offices, business and traveling telecommuters. They usually sell for big bucks. But, if you recently bought a ThinkPad, read on and assume nothing.

What is Superfish?

Superfish is a company that manages advertising delivery for its client partners. In itself, there is nothing wrong with that, if only that were the end of the story. Hang on folks, it gets uglier from here on.

Superfish is also software that, by design, intercepts your browser's communications with the websites you visit, in real time. Its servers analyze the content of the page you are on and where you could possibly click next. It then injects ads targeted to you, based upon your browsing and clicking history.

Why should I care?

Because Superfish also installs what is known as a self-signed security certificate into your Windows Trusted Certificates Store (on your computer), which is also trusted by the Chrome and Internet Explorer browsers, and into Firefox, which has its own trusted certificate store. It allegedly does this so that its injected ads do not trigger a security warning from the browser you are using. It gets even worse...

Superfish not only presents its own self-signed trusted certificate when it is going to check for ads to inject. It also replaces the legitimate trusted certificate that may have been supplied by the website you are viewing, doing your banking on, or using to purchase things and pay at their supposedly secure HTTPS checkout. Except that Superfish is now standing in the middle, between your keyboard and the website you are working with. It intercepts your keystrokes, user names and passwords, just as a spyware "keylogger" might. This in effect is a MITM (Man in the Middle) attack vector. Still not worried?

Further, it encrypts the data it sends out to its advertising network with a weak, outdated, easily cracked form of encryption. That encryption has a key that unlocks it and allows the data to be read by both humans and data processors. Guess what? They use the same key on every Lenovo desktop and laptop that contains the Superfish adware. Ready for another surprise? That key was cracked and published earlier this week! It is in the wild!

Further background reading (recommended for techies or the very curious): 1. Graham Cluley, who basically broke this story wide open, and 2. The Verge, quoting a TL;DR technical article by Robert Graham.

What you should do first

Check whether your Lenovo (or other computer) has Superfish installed. Security researcher Filippo Valsorda has created a safe test page. JavaScript is required. If the software is detected, the results will make it very clear. If not, you are probably safe at this time, on that device. Filippo recommends checking with each browser you have installed on a computer, just in case it has affected one but not the others.
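The test page works by checking whether your browser trusts a certificate chained to the rogue root. The script below is an added example (not code from the post, from Lenovo, or from Filippo's test page) that does the equivalent check from the command line: it lists any trusted root whose subject matches a watch list, and can report who issued the certificate a live HTTPS server presents. `SUSPECT_NAMES` and `SAMPLE_STORE` are constructed inputs for this example; the "Superfish, Inc." subject in the sample store is made up to resemble an adware root and is not taken from the post.

```python
import socket
import ssl

# Watch list of names that should never appear as a trusted root on a
# machine you own. "Superfish" is the adware named in the post; the
# tuple itself is a constructed input for this example.
SUSPECT_NAMES = ("superfish",)


def subject_fields(cert):
    """Flatten a getpeercert()/get_ca_certs()-style subject, which is a
    tuple of RDN tuples such as ((('commonName', 'X'),),), into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields[name] = value
    return fields


def suspicious_roots(certs, needles=SUSPECT_NAMES):
    """Return the certificates whose subject contains any watched name."""
    hits = []
    for cert in certs:
        fields = subject_fields(cert)
        haystack = " ".join(str(v) for v in fields.values()).lower()
        if any(needle in haystack for needle in needles):
            hits.append({
                "subject": fields,
                # a root that is its own issuer is self-signed, like the
                # Superfish certificate the post describes
                "self_signed": cert.get("subject") == cert.get("issuer"),
                "notAfter": cert.get("notAfter"),
            })
    return hits


def scan_local_trust_store(needles=SUSPECT_NAMES):
    """Inspect the roots Python trusts by default. On Windows the default
    context loads the system ROOT and CA stores, which is where Superfish
    put its certificate; elsewhere it is the OS certificate bundle."""
    ctx = ssl.create_default_context()
    return suspicious_roots(ctx.get_ca_certs(), needles)


def issuer_of_live_connection(host, port=443, timeout=5.0):
    """Connect with TLS and return the issuer of the certificate that was
    presented. If a bank's certificate turns out to be issued by a name
    on the watch list, something on the machine is intercepting HTTPS."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = {}
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            issuer[name] = value
    return issuer


# Constructed sample store: one ordinary public root and one rogue,
# self-signed root whose subject resembles an adware certificate.
SAMPLE_STORE = [
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Trust Services"),),
                    (("commonName", "Example Global Root CA"),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Global Root CA"),)),
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
    {
        "subject": ((("organizationName", "Superfish, Inc."),),
                    (("commonName", "Superfish, Inc."),)),
        "issuer": ((("organizationName", "Superfish, Inc."),),
                   (("commonName", "Superfish, Inc."),)),
        "notAfter": "Jan  1 00:00:00 2034 GMT",
    },
]

if __name__ == "__main__":
    for hit in suspicious_roots(SAMPLE_STORE):
        print("sample store:", hit)
    for hit in scan_local_trust_store():
        print("LOCAL TRUST STORE CONTAINS:", hit)
```

A clean machine prints nothing for the local store. Note that `issuer_of_live_connection` verifies the chain: with the rogue root trusted, the handshake succeeds and the issuer names the interceptor; with it removed, the same interception makes the handshake fail with a certificate verification error, which is also a signal worth reporting.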

What if the test says I have Superfish installed?

Get it gone, now! At first there were individual tips published by other researchers on uninstalling the program. But they had confusing instructions for removing the fake trusted certificate that would be left behind. This would leave the computer vulnerable to a malware attack that tries to exploit leftover Superfish trusted certificates. Remember, the key to the certificate is the same on all Lenovo machines and has been cracked and published.

Thankfully, Lenovo has seen the error of their ways and done an about-face from an earlier statement about Superfish. Not only have they stopped preinstalling it on new builds, they have published a complete removal tool that will uninstall everything to do with Superfish, its browser plugins and fake certificates. The removal tool and further instructions are here, on the Lenovo website.

Restart your computers after uninstalling this crap!


February 2, 2015

Spear Phishing spam is targeting Bluehost customers


Prologue
This article is about what is known in the spam-fighting trade as a "spear phishing" scam. That means that the message has been custom researched and written to target a particular person by name, whom the spammers deem to be important to their evil goals. While my experience deals with Bluehost, if you own a website hosted by another major web hosting company, you may receive a similar email scam message.

The email in question was lingering in the Spam folder of my Gmail account. This is just E Pluribus Unum of the email accounts I use. When I first read the Subject and From lines I thought it might possibly be a legitimate message that got sent to the Spam folder by accident. I was wrong and Gmail was right!

I actually first saw the scam email on my Android smartphone. Although it seemed mildly plausible, some things about the body text aroused my suspicion and raised my bullshit detectors to full height. I will post the contents in my extended content and explain each item that should arouse your suspicion if you receive a similar email message.

The Hook:
From: Bluehost <[email protected]>
Subject: Status Alert: Code: 2502

Body text:


Dear Valued Bluehost Customer (My actual first and last names here!).<!--bhuzxuwtbw-->

Your account contains more than 9191 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.

In order to prevent your account from being locked out we <special> recommend that you create special</special> tmp directory.

Or use the link below:

https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd

Thank you,
Bluehost
Toll Free: (888) 401-4678
Outside US: 1 (801) 765-9400

If you viewed an email message like that on your phone you would see the blue underlined link text that appears to point to an account on Bluehost.com. Desktop computer users viewing this message in their browser or email client can simply hover their mouse pointer over links in email messages and the actual URL will be displayed in a status bar at the bottom of the browser.

Android and Apple smartphones do not support mouse hovering at all. But, I have learned that pressing and holding down a hyperlink in an email message (in the Gmail App) causes an action box to open, rather than launching the link in your default web browser. This box plainly showed the hidden poisoned link on the top. It did not lead to Bluehost at all, but rather, to a Russian domain (.ru) that was hosting a Phishing login page for Bluehost customers. The "Press and Hold" link readout function saved me from visiting a fake login page where my credentials for my hosting account would have been stolen by Russian hackers. They would have then taken over my website on Bluehost and installed malware and phishing pages of their choosing.

I dismissed the spam message and closed the Gmail app on my phone. I then opened Gmail in Firefox, on my Windows 7 PC. I went to the spam folder and found that message in the list, then using the down-arrow on the right, chose the drop-down option labeled: "Show original." This opened the message in "source code" mode, in a new tab, where you can plainly read all of the normally hidden "Headers". The Header Source code revealed the following alarming facts:


  1. Return-Path: <[email protected]>

  2. Received: from mx8.valuehost.ru (mx9.valuehost.ru. [217.112.42.217])

  3. More Received headers showing the Russian domain valuehost.ru

  4. Message-Id: <[email protected]>

  5. Not one header normally associated with Bluehost.com was to be found


Next, let's look at the tricks and mistakes in the Body text.

<!--bhuzxuwtbw--> right after my actual personal name. This is hidden from the email client in normal view. It is a tracking ID associated with this spear phishing attack.


Your account contains more than 9191 directories and may pose a potential performance risk to the server. That is pure bullshit. You can have as many directories as you want, as long as they are under your "public_html" or similarly named web root directory.


Please reduce the number of directories for your account to prevent possible account deactivation. Again, this is a bullshit warning about a non-problem. If you actually are doing or hosting anything harmful to the server, your account will be temporarily suspended with a notice to call Bluehost support.


In order to prevent your account from being locked out we <special> recommend that you create special</special> tmp directory. Note the bad grammar used in this fake recommendation. Further, there is no such HTML tag as "<special>."


<a href=http://mechtarebenka.ru/includes/data/bhuzxuwtbw.php?bhuzxuwtbw=dfc7defac6624a80f02b02e22b14e8fd>
https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd </a>


In the example above, the first part (the href attribute, italicized in the original layout) is the poisoned link leading to a compromised Russian domain (.ru). The underlined portion is what they wanted me to see as the link. The spammers were not expecting their potential victims to be aware of how to reveal the actual hidden URL before clicking on it. If the domain names (.com, .net, .org, etc.) in the visible link (aka the anchor text) and the actual encoded URL (revealed by hovering, or by pressing and holding) don't match, it is a scam link, or worse.
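The header review above and the anchor-text check just described can both be automated. The script below is an added example (not code from the post, and not a Bluehost or Gmail tool): it parses a raw message and reports the same tells, namely Return-Path and Message-Id domains that disagree with the From domain, Received hops from unrelated hosts, hidden HTML-comment tokens after the greeting, and anchors whose visible URL names a different host than the real href. The message is constructed from fragments quoted in the post; the e-mail addresses, the Message-Id and the receiving server name are placeholders, since the post redacts them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message. Header values and body fragments follow the post;
# addresses, Message-Id and the "by" host are placeholders.
RAW_MESSAGE = """\
Return-Path: <bounce@valuehost.ru>
Received: from mx8.valuehost.ru (mx9.valuehost.ru. [217.112.42.217])
        by mx.receiving-server.example with ESMTPS; Mon, 02 Feb 2015 08:15:02 -0800
From: Bluehost <support@bluehost.example>
Subject: Status Alert: Code: 2502
Message-Id: <placeholder-id@valuehost.ru>
Content-Type: text/html; charset=utf-8

<p>Dear Valued Bluehost Customer Jane Doe.<!--bhuzxuwtbw--></p>
<p>Your account contains more than 9191 directories and may pose a
potential performance risk to the server.</p>
<p><a href=http://mechtarebenka.ru/includes/data/bhuzxuwtbw.php?bhuzxuwtbw=dfc7defac6624a80f02b02e22b14e8fd>
https://my.bluehost.com/tmp.php?doit=dfc7defac6624a80f02b02e22b14e8fd </a></p>
"""


def domain_of(addr):
    """Domain part of an RFC 5322 address ('Name <user@host>' or bare)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def same_org(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def header_findings(msg):
    """Compare envelope, Message-Id and Received hosts with the From domain."""
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    for hdr in ("Return-Path", "Message-Id"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and not same_org(dom, from_dom):
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    for rcv in msg.get_all("Received", []):
        # only the sending side of each hop ("from ... by ...") matters here
        hop = re.search(r"from\s+(.*?)\s+by\s", rcv, re.S)
        if not hop:
            continue
        for host in re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", hop.group(1).lower()):
            if not same_org(host, from_dom):
                findings.append(f"Received from {host}, unrelated to {from_dom}")
    return findings


class BodyScanner(HTMLParser):
    """Collect HTML comments and (href, visible text) pairs for each anchor."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.anchors = []
        self._href = None
        self._text = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def body_findings(html):
    """Report hidden comment tokens and anchors whose text lies about the host."""
    scanner = BodyScanner()
    scanner.feed(html)
    findings = [f"hidden comment token: {c}" for c in scanner.comments if c]
    for href, text in scanner.anchors:
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != real:
            findings.append(f"link text shows {shown.group(1)} but points at {real}")
    return findings


def triage(raw):
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"headers": header_findings(msg), "body": body_findings(body)}


if __name__ == "__main__":
    for section, items in triage(RAW_MESSAGE).items():
        for item in items:
            print(f"[{section}] {item}")
```

Run against the sample it prints one line per tell; a genuine notice from a host would produce none of the header findings, because its envelope sender, Message-Id and sending relays all live under the hosting company's own domain.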

Note that the spammers even included phone numbers to contact the hosting company, Bluehost. If you receive a suspicious email message like this, use one of those numbers and ask your host if they actually sent that message; they most likely didn't. If you get a wrong number, hang up and be thankful you didn't click through.

Epilogue
The spammers went to some trouble to find the name associated with my hosting account on Bluehost and tie them together in a spear phishing scam. I reported that scam to Spamcop, with whom I have long been a spam-reporting member. Filing reports with Spamcop (promptly) helps to inform the proper authorities about illegal activities on compromised websites and to identify infected computers or handheld devices that are being used to send or relay spam and scams.

Learn how to press and hold down links on your smartphone to display the destination without going to it automatically. When you read email on your PC, hover the mouse pointer over links and look at the bottom of the browser, or desktop email client, for a Status Bar readout of the actual destination URL. If your browser or email client does not show a Status bar, search through all display options for the option to display a Status bar, or to automatically show status when you hover over links. Those displays show and hide their status, as you hover, or move away from, or click on links.

How to protect your email client from spam, scams and malware threats.
Shameless ad for MailWasher Pro. I do not download any email to my desktop email client until first screening it for threats with MailWasher Pro. Read the details on my MailWasher Pro page. I even compose and publish custom spam filters for MailWasher Pro users.


Yet another Flash Player 0-day vulnerability being exploited! Patch released.

February 2, 2015

Prologue

I just published a warning about a serious 0-day vulnerability being exploited in Flash Player, 11 days ago. It took 4 days for Adobe to release a good working patch for those exploits. Well, the dust has barely settled and Adobe and threat researchers at Trend Micro just announced another 0-day exploit targeting the freshly patched Flash Player!

Like the previous Flash exploits of mid-January, this one is delivered via malicious advertising that was paid for on an ad delivery network (who were tricked by bait and switch advertisers working for the criminals behind the Angler Exploit Kit). The actual known poisoned ads have been taken down by the ad network, but others may be lingering. There is really no way of knowing if you are going to a page that has those ads in rotation, unless you have substantial security protection installed (see addendum in my extended content).

See my updates at the end of this article

What OS and browsers are affected?

All Windows operating systems from 8.1 down are affected. The targeted browsers are Firefox and Internet Explorer on these platforms. Mac OS is also vulnerable through browser exploits; the affected browser is Safari. Finally, Linux computers are vulnerable through Firefox, if the Flash plugin is installed.

In the case of Firefox, if you have opted for Flash Player to "Ask to Activate," aka, Click to Play, and you don't allow it to run on a page carrying an exploit ad, you are not going to be automatically exploited. If you visit using Internet Explorer, the download is automatic and the exploit happens in the background.

What versions of Flash Player are affected?

Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh are vulnerable. This is the version that was just released last week to patch the previous 0-day being exploited by similar "malvertisements," as they are now called.

What you should do now

Disable Flash Player in Firefox and Internet Explorer until Adobe pushes out another patch. That is expected any day now. They are already working on the patch. If you must keep Flash active, use Google Chrome to browse websites that require Flash support. Chrome is not currently targeted.

If you have Windows computers, go to (Start or Charms Bar) Control Panel > Flash Player > Advanced tab and make sure that the option to "Allow Adobe to install updates (Recommended)" is selected. Then, click on the "Check Now" button to see if a newer version is listed than the ones you have now. This opens the About Flash Player detection page in your default browser.

There are at least two versions of Flash if you have another browser in addition to Internet Explorer. One version is the ActiveX version for IE and the other is a "plugin" version used by Firefox, Opera and Safari. A third version is built into Google Chrome.

If the version you have is less than the ones listed below it, you should download those newer versions on the spot. Click on the link labeled Flash Player Download Center and you will (theoretically) be offered the latest version for the browser with which you are viewing that page. There will also be a link to get Flash for your other installed browsers, labeled: "Need Flash Player for a different computer?"

In both cases, Adobe tries to bundle other software from non-related third parties in your download. I personally deselect those "offers." It's up to you.

Do you really "need" Flash Player?

If all you have been using Flash Player for is to watch YouTube videos, you no longer need it. Almost all video content on YouTube has been converted into a safer, W3C standards compliant HTML 5.0 video format. This format is fully supported by all current versions of the major browsers. But, if you insist on using outdated software, like Internet Explorer 8 or older, it doesn't understand HTML 5 video. Either upgrade your browser to the newest version, or install the current version of Google Chrome or Firefox.

Extra security protection

In the beginning of this article I mentioned having "substantial security protection" installed will help fend off such drive-by download exploit attacks. Here is what I currently use:


  1. Malwarebytes Anti-Exploit

  2. Malwarebytes Anti-Malware

  3. Trend Home Internet Security. Note, most Trend Micro customers are already protected against these exploits by the Trend Micro Smart Protection Network.


Additionally, Firefox (current version) is my default browser, with Flash set to always Ask to Activate. Further, I have the NoScript Add-on for Firefox and only whitelist websites I feel can be trusted. Even with scripting allowed by NoScript, there are protections in place to block known cross site scripting attack vectors. Finally, for the extremely paranoid, there is another Firefox Add-on called AdBlock Plus. I am using it because of these 0-day exploit attacks using ad networks to deliver their payloads. It is really just a backup for NoScript and Ask to Activate, in Firefox. I don't normally block any ads, seeing as how I myself have affiliate ads on my websites. AdBlock allows you to whitelist a domain or a single page with one click.

Internet security has to be multi-layered in order to detect and block newer exploit kits that are usually state of the art in the cybercrime Underworld. I find good security programs that are able to play nice together (like the above three) and keep them active and updated.

Epilogue

Watch for a new Flash Player update coming any time this week (beginning February 2, 2015). I will publish an update to this article, or write a new one, once Adobe completely patches this vulnerability in their Flash Player.

UPDATE: 2/4/2015, at 11:45pm EST

The automatic Adobe Flash updater module just performed an update of Flash for both Firefox and Internet Explorer, from version 16.0.0.296 to 16.0.0.305. The About Flash Player page shows that I have the newer version, but still lists the previous version (.296) as the most recent. The manual download center also incorrectly shows the previous version as current. This means that like last week's updates, those with automatic updates enabled are being patched ahead of those wishing to do so manually.

You can enable automatic updates on Windows computers, via Control Panel > Flash Player > on the Advanced tab. You'll need to supply the Admin password (XP), or at least acknowledge the UAC prompt to change the setting if it wasn't already set to Allow Adobe to install updates (Recommended).

UPDATE: 2/5/2015, 11:45am EST

Adobe has finally updated the About Flash Player page to reflect the new patched version as being current (version 16.0.0.305). You can now download Flash for your OS and various browsers manually, from the Adobe Flash Player Download Center.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
