Lenovo Superfish: Not The First Time Vendors Have Preinstalled Malware

The recent fiasco involves Lenovo and what has come to be known as Superfish, which amongst other things performs a man-in-the-middle (MITM) attack on TLS-encrypted HTTP traffic so that it can still insert advertisements into encrypted pages.

The story broke on Feb 18 when major tech sites and even mainstream media began speaking of a security issue affecting recent laptops from Chinese vendor Lenovo. Given the large amount of negative publicity, the company has reacted quite swiftly and has even provided a list of affected laptops and portables along with an easy-to-use Superfish removal tool. LastPass has a third-party tool which will quickly identify the presence of Superfish on your machine. Given that it does not actively hide its presence, there are likely far more straightforward ways to identify the presence of the malware.

Of course this isn’t the first time OEMs have saddled their customers with preinstalled junk that is either annoying or, worse, compromises the confidentiality of any data on that machine. An excellent example would be the multiple vendors who include a variety of PopCap games bundled with the perennially problematic OpenCandy advertising engine, along with trial copies of software that you have no realistic chance of ever requiring, let alone purchasing on a whim.

I have a big problem with Microsoft Windows, particularly 8.x, so any time I purchase a new machine I typically do the following:

  • Boot the machine, skipping the sysprep/OOBE screens so that I may enter Device Manager and note down the hardware within the machine (generally done only if the unit’s manual does not list full specifications and there is no reliable information online).
  • Reboot whilst pressing the boot selection hotkey so that I can boot the Clonezilla DVD, which is relatively lightweight and includes the tools we need. Obviously you could substitute any similarly equipped Linux, *BSD or Solaris live CD/DVD.
  • Using hdparm(8), a master password is set on the HDD and, if the disk reports itself as frozen, the power connector is temporarily disconnected. An ATA SECURE ERASE (enhanced) is then executed. This ensures that there is no chance of any data remanence (particularly important if your new PC is ex-display and a myriad of people have been playing with it in the store).
  • Following the conclusion of the ATA SECURE ERASE command, smartctl(8) is used to run a long self-test and the outcome of this is noted.
  • I go ahead with the installation of FreeBSD or Debian Linux.
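The wipe-and-check sequence above, as an added example that is not part of the original post: a POSIX shell script for a live environment with hdparm(8) and smartctl(8), with small parsers for the pieces of their output each step hinges on (the Security: block of `hdparm -I`, the first row of `smartctl -l selftest`). `DEVICE` and `PASS` are placeholders; the sample output strings are constructed, and `DRY_RUN=1` (the default) prints the destructive commands instead of running them. The standard recipe sets a temporary ATA user password (`--user-master u`), which the erase clears again.

```shell
#!/bin/sh
# Added example, not from the post: pre-install ATA secure erase plus SMART check.
# Assumes a live CD/DVD with hdparm(8) and smartctl(8). DEVICE/PASS are placeholders.
DEVICE="${DEVICE:-}"            # e.g. DEVICE=/dev/sdX ./wipe.sh   (placeholder)
PASS="${PASS:-wipeme}"          # temporary ATA user password, cleared by the erase
DRY_RUN="${DRY_RUN:-1}"         # 1 = print destructive commands only

# Constructed sample of the Security: block of `hdparm -I` (real output uses
# tabs for indentation; the parsers below accept either tabs or spaces).
SAMPLE_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 4min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_READY" | sed 's/not[[:space:]]*frozen/frozen/')

# Constructed sample of `smartctl -l selftest` after a long self-test finished.
SAMPLE_SMART='SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed without error       00%       123         -'

# Classify the Security: block of `hdparm -I` text read from stdin:
#   frozen      - BIOS froze the security state; SECURITY commands are rejected
#   unsupported - no ATA security feature set
#   noenhanced  - security present but no ENHANCED erase
#   ready       - a password can be set and the enhanced erase issued
security_state() {
    sec=$(sed -n '/^Security:/,/^[^[:space:]]/p')
    if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]+frozen[[:space:]]*$'; then
        echo frozen
    elif ! printf '%s\n' "$sec" | grep -Eq '^[[:space:]]+supported[[:space:]]*$'; then
        echo unsupported
    elif ! printf '%s\n' "$sec" | grep -q 'supported: enhanced erase'; then
        echo noenhanced
    else
        echo ready
    fi
}

# Minutes the firmware estimates for the ENHANCED erase, from the same text.
erase_time() {
    sed -n 's/.*[^0-9]\([0-9][0-9]*\)min for ENHANCED SECURITY ERASE UNIT.*/\1/p'
}

# Outcome of the most recent self-test from `smartctl -l selftest` on stdin:
# pass | running | fail | none
selftest_result() {
    line=$(sed -n '/^# *1 /{p;q;}')
    case "$line" in
        "")                          echo none ;;
        *"Completed without error"*) echo pass ;;
        *"in progress"*)             echo running ;;
        *)                           echo fail ;;
    esac
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

run_wipe() {
    dev="$1"
    state=$(hdparm -I "$dev" | security_state)
    case "$state" in
        frozen)
            # The post's remedy: briefly pull the drive's power connector so the
            # freeze set by the BIOS is lost, then run this again.
            echo "$dev is frozen; reconnect drive power and re-run" >&2; return 2 ;;
        unsupported|noenhanced)
            echo "$dev cannot do an enhanced ATA secure erase ($state)" >&2; return 2 ;;
    esac
    echo "firmware estimate for enhanced erase: $(hdparm -I "$dev" | erase_time) min"
    run hdparm --user-master u --security-set-pass "$PASS" "$dev"
    run hdparm --user-master u --security-erase-enhanced "$PASS" "$dev"
    # A completed erase leaves security "not enabled" again; anything else means
    # the drive may still be password-locked, so stop here rather than continue.
    [ "$DRY_RUN" = 1 ] || hdparm -I "$dev" | grep -Eq '^[[:space:]]+not[[:space:]]+enabled' || return 3
    run smartctl -t long "$dev"
    echo "poll with: smartctl -l selftest $dev | selftest_result   (until not 'running')"
}

if [ -n "$DEVICE" ]; then
    run_wipe "$DEVICE"
else
    echo "sample drive state: $(printf '%s\n' "$SAMPLE_READY" | security_state)"
    echo "sample self-test:   $(printf '%s\n' "$SAMPLE_SMART" | selftest_result)"
fi
```

Run it with `DEVICE=/dev/sdX DRY_RUN=1 sh wipe.sh` first to see the exact commands it would issue, then with `DRY_RUN=0`; the frozen check is what tells you whether the power-connector trick from the list above is needed before anything destructive happens.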

2 thoughts on “Lenovo Superfish: Not The First Time Vendors Have Preinstalled Malware”

  1. The problem with not just certificates, but all manner of security related things is the gulf in understanding between even the best of users and those who feel it’s their right to breach for their own ends the security or privacy of the user.

    Even security experts who have been working with computers since before the PC can not have the breadth of knowledge required to ensure even modest privacy against the opportunistic “fire and forget” malware merchants of big data gatherers and low hanging fruit cyber criminals, let alone those who carry out “targeted attacks”, be they run of the mill cyber-criminals or those who commit their crimes whilst being called to the false flag of authoritarian “patriotism”.

    The reasons for this gulf are many and getting worse daily; often those who give warning of how such attacks are possible are ignored or rebuked. Until years if not decades later, when the proof is revealed, those who ignored or criticized turn on those who gave warning and blame them for not making the warning stronger / louder / etc…

    As I’ve said many times there is very little the state level attackers are doing that is either new or not easily predictable, they like us are constrained by the laws not just of physics but banality.

    There could be many reasons for this, but the simplest starting point is the apathy of the targets and the stupidity of marketing-led development, where unfit for purpose let alone security products are decked out in worthless baubles and foisted on users by those who make ill-judged and ill-informed purchasing decisions. We know from the past “snow white” behaviour that sales inducements are offered and accepted by those with purchasing power, and those who are not easily bribed can be induced in other unseemly ways, usually by contacting their superiors with faux allegations (see past behaviour of IBM et al).

    This starting point when coupled to the Internet and endless patch cycles actually weakened security and caused even hardware manufacturers to design their products totally insecurely such that firmware updates could be installed at minimum impact to profits.

    The result is the mess we currently find ourselves in where it takes just one of a myriad of attack vectors unknown to the user, to be exploited and malware is quickly lodged so deeply into a PC that the user has no chance on earth of detecting it let alone removing it.

    How we move forward from this mess is unknown few if any can see effective ways to stop the insecurity because it is endemic to the point of totality. Even those who can see ways to mitigate the insecurity still suffer from the effects of being rebuked or ignored due to apathy or worse.

    I am reminded of the last part of the 1983 film “Wargames” in the ‘lesson scene’ when even the WOPR computer realised that you could not win thus the only sensible course of action was not to play…

    Which begs the question of “Can the first world stop its addiction to insecure ICT? And will the governments let them?”.

    • Absolutely agree with you there. The purchasing users don’t care enough about security, so why the hell would the vendors? By the way, you reminded me of the old shell game (if you can call it that) ‘wargames’ that was in Berkeley UNIX circa late 80s early 90s. “Would you like to play a game?” it asked, followed by the canned answer from the movie if you said ‘yes’. I remember noticing that it was a binary and not a shell script and shook my head at why they couldn’t have implemented it in two lines of sh or perl.
