Lenovo caught installing adware on new computers

I have just bought a B50 laptop for a customer, I spent a good hour removing all the malware and crap from it. What is interesting is I also buy cheap Lenovo desktops and they don't come with any of the crapware.
 
Sad to see they've joined most of the others. I know most residential grade models from most manufacturers include adware, I'm going to run some scans on the next order we receive of Thinkpads and see if it's on them.
 
Even though Hopkins says the company has stopped installing the software on computers, it appears that’s only “temporary” until the company behind the software makes some tweaks to stop pop-ups.

So, they are going to quit putting it on until they can find a better way to hide it from you? Following the mentality of virus makers, they tweak their "products" to stop pop-ups also.

What about the re-install partition? I'm sure it's there too. Therefore, if you reload the computer you are also reloading their adware. Geez... Glad I run Linux in the shop.

 
It's tough to be number 1 - the other manufacturers have been doing this for years albeit with their own code and not known adware, but the cynic in me believes this hubbub is more about Lenovo outselling the other brands than indignation over the practice itself.
 
There is a bit of a difference between trialware or crapware and adware that installs its own certificate to spy on your activities, don't you think?
This is more about trying to make money with the thin margins in the consumer PC market.
 
There is a bit of a difference between trialware or crapware and adware that installs its own certificate to spy on your activities, don't you think?
This is more about trying to make money with the thin margins in the consumer PC market.

I'm aware of the differences between adware and trialware/crapware. The pre-installed cert in the local store is news... however "adware" in general by the big brands... HP, Asus, other common el cheapo brands... that's not new. (WildTangent is a quick one that comes to mind... given time I could come up with lots more)
What will concern me is if it's on their business models. Not worried about their residential models... don't deal with 'em.
 
I'm not buying the certificate claims. For a certificate to spy on you, you would have to have a secure connection between all parties of the cert. Just because you have MY certificate on YOUR machine doesn't mean that I can view YOUR activities with YOUR bank. My certificate means you only have a secure connection to me. If that was the case then ALL certificates would give you access to everything you do. If Superfish is somehow accessing Bank of America then BofA must have agreed to it. That is more concerning than Lenovo.
 
I'm not buying the certificate claims. For a certificate to spy on you, you would have to have a secure connection between all parties of the cert. Just because you have MY certificate on YOUR machine doesn't mean that I can view YOUR activities with YOUR bank. My certificate means you only have a secure connection to me. If that was the case then ALL certificates would give you access to everything you do. If Superfish is somehow accessing Bank of America then BofA must have agreed to it. That is more concerning than Lenovo.

Not to sound like a jerk here, but it is clear you are not understanding how MITM attacks and root certificates work. The way in which Superfish displays advertisements, especially on HTTPS sites, is a MITM attack in itself. The root cert is the same across all Superfish systems and the private key is shared... that means anyone (or site, rather) can use that certificate to "authenticate" with. It turns the whole idea of HTTPS and certificates on its head!

Now you could think that you're not affected because most of the shopping sites you're visiting are already behind a HTTPS connection. That's why this great piece of software also installs a root certificate in your Windows certificate store!

But hey, if that didn’t catch your attention yet: The pre-installed certificate is the exact same on all systems as it seems. And so is obviously the private key, which seems to be part of the Superfish software as well. What it means? Well, you can just issue certificates and computers having the Superfish software installed will recognize them as valid.
https://infected.io/120/lenovos-superfish-security-nightmare
 
I understand it. I'm just doubtful of it being very mathematically possible. Ads can be injected into webpages without having to transmit the data in them. The article is claiming that somehow the machine is substituting its own certificate for every other certificate on the machine. I'm doubtful that is possible because of the way such encryption works. But it isn't impossible, but I have my doubts. I want to see further confirmation of it.
 
I'm not sure what mathematics has to do with it. How does the advertising software determine which context sensitive (or in this case, claimed image sensitive) ads to display to you? Obviously they are sent to the advertising server which then serves your ads!
http://en.wikipedia.org/wiki/Public_key_certificate
The list of built-in certificates is also not limited to those provided by the browser developer: users (and to a degree applications) are free to extend the list for special purposes such as for company intranets.[7] This means that if someone gains access to a machine and can install a new root certificate in the browser, that browser will recognize websites that use the inserted certificate as legitimate.

And that's where the problem lies. The Superfish software is basically a local proxy on the host machine. It doesn't need to be unencrypted, the machine is going to do that for Superfish, then Superfish contacts the ad server with the unencrypted page data and the result is sent back to the host. While Superfish's intentions may be wholly admirable - you rely on them to be admirable. Then, on top of all that, the certificate is publicly available so that any software or unscrupulous attacker could easily use that cert to do their bidding.

The certificate is a Class 3 certificate and is listed as applying to "All application policies". This need not be the case, nor should it ever be, even for Superfish's Ad capabilities.

This user reports:
Here's an example of my connection to a bank, which looked OK to the browser but the certificate obviously has been tampered with, allowing Superfish to collect all data unencrypted!

This is essentially the Heartbleed bug, sanctioned.

EDIT: Found this Ars Technica article:

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.
http://arstechnica.com/security/201...-middle-adware-that-breaks-https-connections/

Superfish's main product, WindowShopper, is installed as a man-in-the-middle proxy on some Lenovo laptops.[10][11] It injects advertising into results from Internet search engines; it also intercepts encrypted (SSL/TLS) connections.
http://en.wikipedia.org/wiki/Superfish

Superfish is supported by this really shady venture capital fund, Draper Fisher Jurvetson, which has had its hand in MANY horrible and deceptive advertising schemes.
http://www.businessweek.com/the_thr...etson_sees_more_digital_ad_opportunities.html
The venture-capital firm recently became a small investor in TrialPay Inc., which lets online merchants place targeted ads during purchases, Bailey said. (Bailey declined to disclose the exact details of the investment.) It's also an investor in Tremor Media, which serves up video ads to connected TVs and set-top boxes, as well as in online media and advertising network Glam Media, ad platform isocket and online ad network RadiumOne. Draper Fisher Jurvetson also continues to look for mobile advertising startups, Bailey said.

I bet if you look at all the advertising adware and malware, a good portion of them come from them. Because traditional banner ads do not work, they have invested in ways to push advertising in ways that users are unaware of or are forced into. Exactly the types of people you don't want to let control your computer.
 
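The posts above describe the core of the problem: a self-signed root in the Windows certificate store, shared across machines, with a private key that ships with the software, so any certificate chained to it is trusted. The first thing a shop tech wants is a way to check whether a given machine trusts such a root at all. The following script is an added example, not code from the thread or from any of the linked articles. It assumes only that the injected root's subject name contains the string "Superfish" and that the trust-store entries have the dictionary shape returned by Python's ssl module (on Windows, load_default_certs() reads the system ROOT and CA stores). The sample entries are constructed for illustration; the "Superfish, Inc." entry mimics an injected root and is not the real certificate.

```python
import ssl

# Constructed sample trust-store entries in the shape returned by
# ssl.SSLContext.get_ca_certs(): 'subject' and 'issuer' are tuples of
# RDNs, each RDN a tuple of (attribute, value) pairs. All values here
# are invented for this example.
SAMPLE_CA_CERTS = [
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Trust Services"),),
                    (("commonName", "Example Root CA"),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Root CA"),)),
        "notAfter": "Dec 31 23:59:59 2030 GMT",
        "serialNumber": "01",
    },
    {
        # Mimics an adware-injected root (constructed, not the real cert).
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Superfish, Inc."),),
                    (("commonName", "Superfish, Inc."),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Superfish, Inc."),),
                   (("commonName", "Superfish, Inc."),)),
        "notAfter": "Dec 31 23:59:59 2034 GMT",
        "serialNumber": "02",
    },
]


def rdn_to_dict(name):
    """Flatten an X.509 name (tuple of RDN tuples) into {attribute: value}."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def is_self_signed(cert):
    """A root certificate names itself as issuer."""
    return cert["subject"] == cert["issuer"]


def find_roots_by_name(certs, needle):
    """Return (commonName, serialNumber) for every self-signed root whose
    subject attributes contain `needle` (case-insensitive)."""
    hits = []
    for cert in certs:
        subj = rdn_to_dict(cert["subject"])
        haystack = " ".join(str(v) for v in subj.values()).lower()
        if needle.lower() in haystack and is_self_signed(cert):
            hits.append((subj.get("commonName", "?"), cert.get("serialNumber", "?")))
    return hits


def audit_system_trust_store(needle="Superfish"):
    """Load the platform's default trust anchors and look for roots matching
    `needle`. An empty list means no such root is trusted by this Python
    process's view of the system store."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return find_roots_by_name(ctx.get_ca_certs(), needle)


if __name__ == "__main__":
    print("sample store:", find_roots_by_name(SAMPLE_CA_CERTS, "Superfish"))
    print("this machine:", audit_system_trust_store())
```

A hit means every certificate signed under that root is accepted by this machine, which is exactly the condition the thread is worried about; on an affected laptop the check only confirms the trust relationship, it says nothing about whether the private key is shared, and because the adware installed the root in the first place, removing the software matters as much as deleting the certificate.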
The problem is that you would not need to tamper with a certificate to do any of that. Keyloggers run in the background and capture secure information all the time without having to disrupt an SSL connection. This is why I am having doubts about this claim. To do anything that is being claimed here, even capturing login information, it isn't necessary to insert yourself into the SSL link. As you said, your computer decrypts this for you. The only reason for a key from Superfish would be so that you would not get a "Some items on this page are not encrypted" error as it was displaying advertising.

I'm not saying that there is anything good about Superfish. I am just doubtful that it is inserting itself at the SSL level and replacing certificates as is being claimed. Minor nitpick perhaps, but that was my only point.
 
As suspected... consumer grade (residential) models... not their biz lineup.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

Source: same as the above link from slaters.
http://news.lenovo.com/article_display.cfm?article_id=1929
 