Researchers find Superfish-type code in other apps

Following the discovery that computer manufacturing giant Lenovo was pre-installing adware known as Superfish onto its computers (which Lenovo flippantly dismissed as posing no security concerns), security researchers have discovered the same code in at least a dozen other programs.

The technology, which intercepts a user’s connection to websites secured by SSL protocol and allows the software to spy on the connection, has been tracked back to an Israeli company called Komodia. According to a blog post from Facebook security researcher Matt Richard, Superfish and other applications use a library from Komodia to “modify the Windows networking stack and install a new root Certificate Authority (CA).” This allows the program to impersonate any SSL-enabled site.

“Basically, Komodia makes the little green lock you see when you go to an HTTPS site essentially useless,” security researcher and Twitter user @TheWack0lian explained to the Daily Dot (the researcher asked to be identified by Twitter handle only). “An attacker could easily create a malicious website which would show up with a green lock on a computer with a Komodia proxy installed.” He noted that even if it was uninstalled but left a root certificate authority behind, the computer would still be at risk.

Despite an application with a similar install base as Superfish being identified as a malicious trojan by antivirus provider Symantec, Komodia’s self-described “SSL hijacker” code has now been found in 14 applications. Richard listed the following applications he found using the Komodia library:

• CartCrunch Israel LTD

• WiredTools LTD

• Say Media Group LTD

• Over the Rainbow Tech

• System Alerts

• ArcadeGiant

• Objectify Media Inc

• Catalytix Web Services

• OptimizerMonitor

@TheWack0lian published findings over the weekend that document the rootkit technology present in the Komodia code.

@TheWack0lian stated that some products using Komodia bundle a ring-0 rootkit “which hooks into things at a low (kernel) level and this could theoretically be abused by malware.” This means a malicious program could install and configure itself through the Komodia rootkit if it got access to the necessary privileges. “That would mean it’d be harder to remove that malware.”

@TheWack0lian has made note of Komodia’s appearance in several programs, including parental control software SecureTeen. “Komodia is mainly used in adware (SearchProtect, DiscountCow) and parental control software (Qustodio), but it has also been used in Lavasoft Web Companion,” @TheWack0lian said, noting that Lavasoft “should know better.” It has also appeared in a corporate product from Barracuda.

“I’m really not sure [how widespread Komodia is], all I can do is help to document what uses it,” @TheWack0lian said.

It has been noted by security experts that the behavior of Komodia is not uncommon; Antivirus and security-related applications regularly install root certificates. In those cases, the action is performed to monitor connections for any malicious activity. Komodia enables attackers because it reuses the same digital certificate across many computers.

“By reusing the same certificate, a bad actor could potentially obtain that CA file and perform ‘man-in-the-middle’ (MITM) attacks on untrusted networks like public WiFi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the Internet,” Richard writes.

Removal methods for Superfish have already circulated widely, and Richard points out that the Komodia library has proven relatively easy to detect. He writes “Facebook is actively working with our anti-virus partners to find and remove instances of malware we detect when people visit our service.”

H/T Ars Technica | Photo via Yuri Yu. Samoilov/Flickr (CC BY 2.0)