Lenovo's Security-Killing Adware: How to Get Rid of It

Credit: 501room/Shutterstock

UPDATED at noon Thursday EST with further information on how to detect and remove the Superfish adware. UPDATED at 10 a.m. Friday with list of affected machines. UPDATED at 4 p.m. Friday with Microsoft removal news and Firefox removal instructions. UPDATED at 4:45 p.m. Friday with a Department of Homeland Security warning about Superfish, and a denial by Superfish that its software poses a security risk.

Since at least last September, Lenovo has sold consumer PCs with preinstalled adware that hijacks secure Web connections, undermining the entire fabric of Internet security and putting Lenovo customers at risk of malware infection, financial fraud and identity theft, a new analysis finds.

The adware, called Visual Discovery and made by an Israeli company called Superfish, scans Web pages for retail products and inserts ads that offer similar products at lower prices. Many retail websites use secure HTTPS connections, but Visual Discovery breaks those connections; as a result, users who think they're connecting to Amazon.com may instead be giving their credit-card numbers to Ivan the Criminal somewhere in eastern Europe.

"You've got good guys doing what the bad guys do," Kevin Bocek of Salt Lake City-based online-security firm Venafi, said in a statement. "In this case, they're breaking everything that's been built over 20 years to create trust and privacy on the Internet."

In a statement provided to Tom's Guide, Lenovo said: "Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping."

It added that "user feedback was not positive" — complaints began arising on Lenovo user forums in September — and that "the product is no longer active" on "all [Lenovo] products in market."

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo stated.

Opening the door to online criminals

However, Chris Palmer, a San Francisco-based security researcher, bought a Lenovo laptop Wednesday night (Feb. 18) and immediately discovered that his connection to the Bank of America website had been hijacked by Superfish's own root digital certificate, which had substituted itself for Bank of America's own digital certificates.

Digital certificates are signed digital documents that tie a website's encryption key to its identity, and they underpin Web security; they tell you that you are indeed connecting to the Bank of America site, for example. Because Superfish swaps in its own certificate, there is no guarantee for the user that he really is connected to Bank of America instead of a criminal site spoofing Bank of America. (The Superfish hijack affects Internet Explorer and Google Chrome, but not Mozilla Firefox, which uses its own certificate system.)

"When you have a Lenovo computer, it appears as SuperFish is the root CA [certificate authority] of all the websites you visit," Rob Graham, CEO of Atlanta-based Errata Security, wrote on his personal blog today (Feb. 19). "This allows SuperFish to intercept an encrypted SSL [Secure Sockets Layer] connection, decrypt it, then re-encrypt it again." (Later, Graham explained how he'd cracked the Superfish certificate's password, theoretically enabling him to stage man-in-the-middle attacks on Lenovo PCs.)

Even worse, Palmer and other security researchers on Twitter quickly found that Superfish uses the same private key, an essential part of the digital certificate, for all Lenovo computers, meaning that a criminal could easily spoof the certificate. A Dutch security researcher, Yonathan Klijnsma, tweeted out the Superfish private key and posted it on Pastebin this morning.

"In this current climate of rising cybercrime, if you can't trust your hardware manufacturer, you are in a very difficult position," Marc Rogers, another security researcher in San Francisco, wrote on his blog today.

Rogers added that this was "quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point, I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch."

How to throw out the Superfish

That might seem a little drastic. There's actually a two-stage process to first disable Visual Discovery, and then remove the Superfish digital certificate, from a Lenovo PC, without having to wipe the hard drive and reinstall Windows.

A YouTube video suggests that Lenovo users open the Task Manager (hit Control + Shift + Esc simultaneously), open the Services tab and scroll down to find Visual Discovery. Right-clicking on Visual Discovery will allow you to stop the service; after that is done, refreshing Internet Explorer or Chrome should remove the Visual Discovery ads.

As for the Superfish root certificate, it must be manually removed from Internet Explorer and Google Chrome individually.

In Internet Explorer:

  • Click the gear icon at the top right of the browser window.
  • In the resulting drop-down menu, scroll down and click Internet Options.
  • Select the Content tab.
  • Click the Certificates button.
  • Search for Superfish or Visual Discovery in both the Intermediate Certification Authorities and Trusted Root Certification Authorities tabs.
  • If you find either, select it and then click the Remove button underneath the listings field.
  • You may have to reboot your PC to make the change effective.

In Google Chrome:

  • Click the icon resembling three stacked lines at the top right of the browser window.
  • In the resulting drop-down menu, scroll down and click Settings.
  • On the Settings page, scroll down to the bottom and click Show Advanced Settings.
  • Scroll down to HTTPS/SSL, and click Manage Certificates.
  • Search for Superfish or Visual Discovery in both the "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" tabs.
  • If you find either, select it and then click the Remove button underneath the listings field.
  • You may have to reboot your PC for the change to take effect.

It's not clear whether other PC manufacturers may also have installed Superfish adware on their machines. Lenovo says it will no longer include the software.

UPDATE: Italian security researcher Filippo Valsorda has put up a quick browser-based test for Lenovo users to see whether their Web connections are being intercepted by Superfish.

Meanwhile, Malwarebytes security researcher Chris Boyd showed PC World an even quicker method of removing the Superfish root certificate:

  • Click the Windows icon at the bottom left corner of the screen.
  • Type "cmd.exe" into the resulting search field and hit the Enter key.
  • Type "certmgr.msc" at the command prompt in the resulting terminal window and hit Enter.
  • Select "Trusted Root Certification Authorities" in the left-hand navigation pane of the resulting dialogue box, then select Certificates.
  • Select Superfish and/or Visual Discovery. Right-click and select Delete.
  • You may have to reboot the PC to effect the change.
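The same check and cleanup can be scripted so that it covers the stores certmgr.msc does not show. The following is an added example, not Lenovo's removal tool or code from the article; it assumes the certificate's subject and the service's display name contain "Superfish" or "Visual Discovery", the names the manual steps above search for, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: find and remove the Superfish root certificate and stop the
# Visual Discovery service. Assumption: subject/display names match the pattern below.
$pattern = 'Superfish|Visual Discovery'

# 1. Stop and disable the adware service, matched by its display name.
Get-Service | Where-Object { $_.DisplayName -match $pattern } | ForEach-Object {
    Write-Host "Stopping service: $($_.DisplayName) ($($_.Name))"
    Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $_.Name -StartupType Disabled
}

# 2. Search both the machine-wide and the current user's Root and Intermediate (CA)
#    stores; certmgr.msc only shows the current user's stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
}

if (-not $found) {
    Write-Host 'No Superfish certificate found in the Windows certificate stores.'
} else {
    foreach ($cert in $found) {
        Write-Host "Removing: $($cert.Subject) (thumbprint $($cert.Thumbprint)) from $($cert.PSParentPath)"
        # Add -WhatIf to preview without deleting.
        Remove-Item -Path $cert.PSPath -Force
    }
}
```

Firefox keeps its own certificate list, so the manual Firefox steps are still needed after running this.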

UPDATE: Lenovo has posted a list of models affected by the Superfish software. No ThinkPad models are included.

"We're sorry. We messed up," the Lenovo US Twitter feed stated last night. "We're owning it. And we're making sure it never happens again."

The company has also posted its own set of instructions to remove both Visual Discovery and the Superfish root certificate on Windows 8.1. It promises to release a removal tool later Friday (Feb. 20).

UPDATE: Microsoft has added the Visual Discovery software and the Superfish root certificate to the list of malware and other unwanted programs to be detected and deleted by Windows Defender (in Windows 8, 8.1 and RT) and Microsoft Security Essentials (in Windows Vista and 7).

However, Windows Defender will go dormant if a third-party security solution is in place on the same machine. Microsoft Security Essentials must be manually downloaded and updated, and is not recommended if a third-party security solution is already in place.

We mentioned above that Firefox users need not worry about Visual Discovery and Superfish, but it's now apparent that's not entirely accurate. Firefox maintains its own list of recognized certificates, and the Superfish certificate, if present, must be deleted manually. Here's how:

  • Click the icon resembling three stacked lines at the top right of the browser window.
  • Click Options in the resulting drop-down menu.
  • Select the Certificates tab in the resulting dialogue box.
  • Click the button labeled View Certificates.
  • Scroll down to find Superfish.
  • Select Superfish, if you find it.
  • Click the Delete or Distrust button under the list field.
  • Click OK in the resulting warning dialogue box.

UPDATE: The Department of Homeland Security's US-CERT has issued a warning advising users and administrators of Lenovo PCs, as well as users of several other products that employ Superfish software, to remove the software and associated certificates. 

Meanwhile, Superfish told Ars Technica's Dan Goodin that "despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk."

----------------------------------------------------------------------------

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.