The program Superfish, which comes preloaded on Lenovo's Y50, Z40, G50, Yoga 2 Pro and Z50 laptops, is a typical piece of malware: it collects user information, analyzes the user's search queries and browser history, and injects ads into the web pages the user visits. This adware operates at the system level by intercepting traffic, including HTTPS traffic. To do this, it installs a Superfish CA certificate into the Windows certificate store and filters all traffic between the host and the browser, substituting its own certificate for the site's. The software has come preloaded on all of the Lenovo models listed above since June 2014. The first report of it was posted on Lenovo's forum in September 2014.
The news itself is already unpleasant, but today we discovered a detail that greatly increases the level of danger for owners of Lenovo laptops. We discovered that the program contains not only the public CA certificate but also the encrypted private key. Obtaining the password for this key was not a problem for us; it is "komodia". This means that any attacker in a position to perform a MitM (Man-in-the-Middle) attack, for example on a public Wi-Fi network, could use this certificate to intercept HTTPS traffic and analyze it on their own computer.
A Lenovo representative stated on the forum that the problem was fixed on new laptops in January 2015 and that Superfish was turned off for all owners who had already bought laptops. There is also a removal guide for the Superfish malware; however, it does not cover removing the certificate from the Windows certificate store.
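Because the private key is exposed, the leftover root certificate is what keeps a laptop at risk even after the adware itself is uninstalled, and the removal guide leaves it in place. The following PowerShell script is an added example (not from the article or from Lenovo's removal guide) that lists and removes any certificate in the Windows trust stores whose Subject or Issuer names Superfish. It assumes the certificate's Subject contains the string "Superfish" (the article names the CA "Superfish"; no thumbprint is given on the page, so matching is by name), and it must run in an elevated PowerShell to touch the LocalMachine stores.

```powershell
# Added example: find and remove Superfish CA certificates from the Windows
# certificate stores. Assumption: the certificate's Subject or Issuer contains
# "Superfish". Run as Administrator so the LocalMachine stores are writable.
# Uninstall the Superfish software first, otherwise it may re-install the cert.

$stores = @(
    'Cert:\LocalMachine\Root',   # machine-wide trusted root CAs
    'Cert:\LocalMachine\CA',     # machine-wide intermediate CAs
    'Cert:\CurrentUser\Root',    # per-user trusted root CAs
    'Cert:\CurrentUser\CA'       # per-user intermediate CAs
)

# Collect matching certificates together with the store they were found in.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

if (-not $found) {
    Write-Host 'No Superfish certificate found in the checked stores.'
    return
}

Write-Host 'Superfish certificates present:'
$found | Format-Table -AutoSize

# Removal. -WhatIf only reports what would be deleted; remove it to act.
foreach ($cert in $found) {
    $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
    Remove-Item -Path $path -WhatIf
}
```

Run it once with `-WhatIf` to confirm only the expected entries match, then again without it; afterwards re-run the listing half to verify the stores are clean. Matching on both Subject and Issuer catches the self-signed root (where the two are equal) as well as any certificate the adware issued under it.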