
Lenovo's Security-Killing Adware: How to Get Rid of It

(Image credit: 501room/Shutterstock)

UPDATED at noon Thursday EST with further information on how to detect and remove the Superfish adware. UPDATED at 10 a.m. Friday with list of affected machines. UPDATED at 4 p.m. Friday with Microsoft removal news and Firefox removal instructions. UPDATED at 4:45 p.m. Friday with a Department of Homeland Security warning about Superfish, and a denial by Superfish that its software poses a security risk.

Since at least last September, Lenovo has sold consumer PCs with preinstalled adware that hijacks secure Web connections, undermining the entire fabric of Internet security and putting Lenovo customers at risk of malware infection, financial fraud and identity theft, a new analysis finds.

The adware, called Visual Discovery and made by an Israeli company called Superfish, scans Web pages for retail products and inserts ads that offer similar products at lower prices. To do that on the many retail sites that use secure HTTPS connections, Visual Discovery intercepts those connections: it installs its own root certificate on the PC and hands the browser a re-signed copy of every site's certificate, so the padlock in the address bar no longer proves which server is at the other end. As a result, users who think they're connecting to Amazon.com could instead be handing their credit-card numbers to a criminal spoofing the site.

"You've got good guys doing what the bad guys do," Kevin Bocek of Salt Lake City-based online-security firm Venafi, said in a statement. "In this case, they're breaking everything that's been built over 20 years to create trust and privacy on the Internet."


In a statement provided to Tom's Guide, Lenovo said: "Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping."

It added that "user feedback was not positive" — complaints began arising on Lenovo user forums in September — and that "the product is no longer active" on "all [Lenovo] products in market."

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo stated.

Opening the door to online criminals

However, Chris Palmer, a San Francisco-based security researcher, bought a Lenovo laptop Wednesday night (Feb. 18) and immediately discovered that his connection to the Bank of America website had been hijacked: the certificate his browser received for the bank's site had been issued by Superfish's own root certificate authority, not by the certificate authority Bank of America actually uses.

Digital certificates are signed statements that bind a website's public key to its name. A browser accepts one only if it chains up to a certificate authority (CA) that is in the computer's trust store, and that chain is what tells you that you are indeed connecting to the Bank of America site, for example. Superfish adds its own root certificate to the trust store and re-signs every site's certificate with it, so the browser accepts the Superfish copy as readily as the real one; the user therefore has no guarantee that he really is connected to Bank of America rather than to a criminal site spoofing Bank of America. (The Superfish hijack affects Internet Explorer and Google Chrome, which use the Windows certificate store, but not Mozilla Firefox, which uses its own certificate system.)

"When you have a Lenovo computer, it appears as SuperFish is the root CA [certificate authority] of all the websites you visit," Rob Graham, CEO of Atlanta-based Errata Security, wrote on his personal blog today (Feb. 19). "This allows SuperFish to intercept an encrypted SSL [Secure Sockets Layer] connection, decrypt it, then re-encrypt it again." (Later, Graham explained how he had extracted the Superfish private key from the adware and recovered the password protecting it. Anyone holding that key can sign a certificate for any website that affected Lenovo PCs will trust, and so mount man-in-the-middle attacks against them.)

Even worse, Palmer and other security researchers on Twitter quickly found that the private key behind the Superfish root certificate, the secret that the certificate's trust depends on, is identical on every affected Lenovo computer. A criminal who obtains it once can therefore forge trusted certificates for every affected machine. A Dutch security researcher, Yonathan Klijnsma, tweeted the Superfish private key and posted it on Pastebin this morning.

"In this current climate of rising cybercrime, if you can't trust your hardware manufacturer, you are in a very difficult position," Marc Rogers, another security researcher in San Francisco, wrote on his blog today.

Rogers added that this was "quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point, I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch."

How to throw out the Superfish

That might seem a little drastic. There is a less drastic two-stage fix: first disable Visual Discovery, then remove the Superfish root certificate, without wiping the hard drive and reinstalling Windows.

A YouTube video suggests that Lenovo users open the Task Manager (hit Control + Shift + Esc simultaneously), open the Services tab and scroll down to find Visual Discovery. Right-clicking on Visual Discovery will allow you to stop the service; after that is done, refreshing Internet Explorer or Chrome should remove the Visual Discovery ads. Stopping a service this way lasts only until the next reboot if it is still set to start automatically, so also uninstall the Visual Discovery program (through Control Panel's Programs and Features, or by following Lenovo's own instructions, below). Uninstalling the program does not by itself remove the root certificate; that is the second stage.

As for the Superfish root certificate, it must be removed manually. Internet Explorer and Google Chrome both rely on the Windows certificate store rather than keeping their own, so deleting the certificate once, through either browser's certificate dialog or directly with the Windows certificate manager (described further down), removes it for both. The steps through each browser are:

In Internet Explorer:

  • Click the gear icon at the top right of the browser window.
  • In the resulting drop-down menu, scroll down and click Internet Options.
  • Select the Content tab.
  • Click the Certificates button.
  • Search for Superfish or Visual Discovery in both the Intermediate Certification Authorities and Trusted Root Certification Authorities tabs.
  • If you find either, select it and then click the Remove button underneath the listings field.
  • You may have to reboot your PC to make the change effective.

In Google Chrome:

  • Click the icon resembling three stacked lines at the top right of the browser window.
  • In the resulting drop-down menu, scroll down and click Settings.
  • On the Settings page, scroll down to the bottom and click Show Advanced Settings.
  • Scroll down to HTTPS/SSL, and click Manage Certificates.
  • Search for Superfish or Visual Discovery in both the "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" tabs.
  • If you find either, select it and then click the Remove button underneath the listings field.
  • You may have to reboot your PC for the change to take effect.

It's not clear whether other PC manufacturers may also have installed Superfish adware on their machines. Lenovo says it will no longer include the software.

UPDATE: Italian security researcher Filippo Valsorda has put up a quick browser-based test (https://filippo.io/Badfish/) for Lenovo users to see whether their Web connections are being intercepted by Superfish.

Meanwhile, Malwarebytes security researcher Chris Boyd showed PC World an even quicker method of removing the Superfish root certificate, working directly in the Windows certificate store that Internet Explorer and Chrome share:

  • Click the Windows icon at the bottom left corner of the screen.
  • Type "cmd.exe" into the resulting search field and hit the Enter key.
  • Type "certmgr.msc" at the command prompt in the resulting terminal window and hit Enter.
  • Select "Trusted Root Certification Authorities" in the left-hand navigation pane of the resulting window, then select Certificates.
  • Select Superfish and/or Visual Discovery. Right-click and select Delete, and confirm when Windows asks whether you really want to delete a trusted root certificate.
  • If the entry is listed but Windows refuses to delete it, it sits in the computer-wide store: reopen the console from an administrator command prompt (on Windows 8.1 and later, certlm.msc opens the computer store directly).
  • You may have to reboot the PC to effect the change.
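The Internet Explorer, Chrome and certmgr.msc steps above all edit the same Windows certificate store, so anyone cleaning more than one machine would script them. The following is an added example written for this page, not Lenovo's, Microsoft's or Chris Boyd's own code. It assumes what the page reports: that the rogue root's subject contains "Superfish" and that the adware's service is called Visual Discovery (matched here as VisualDiscovery or "Visual Discovery"). Run it from an elevated PowerShell (3.0 or later) on the affected PC.

```powershell
# Added example for this page, not Lenovo's or Microsoft's removal tool.
# Assumptions: the root certificate's Subject contains "Superfish"; the
# adware's Windows service is named "VisualDiscovery" or displayed as
# "Visual Discovery". Run as Administrator so the LocalMachine stores open
# for writing.

function Find-SuperfishCertificate {
    param([string]$Pattern = 'Superfish')
    # IE and Chrome consult these four stores; check every one of them.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA')
    foreach ($path in $stores) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            Select-Object @{n='Store'; e={$path}}, Thumbprint, Subject, NotAfter
    }
}

function Remove-SuperfishCertificate {
    param([string]$Pattern = 'Superfish')
    $removed = @()
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($name in 'Root', 'CA') {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $location)
            try {
                $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
            } catch {
                Write-Warning "Cannot open $location\$name for writing (not elevated?): $_"
                continue
            }
            $hits = @($store.Certificates | Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern })
            foreach ($cert in $hits) {
                # Windows may show a confirmation dialog when a root leaves the current user's store.
                $store.Remove($cert)
                $removed += "$location\$name  $($cert.Thumbprint)  $($cert.Subject)"
            }
            $store.Close()
        }
    }
    return $removed
}

function Stop-VisualDiscovery {
    # Stopping the service from Task Manager lasts only until reboot; disable it as well.
    $services = @(Get-Service | Where-Object { $_.Name -match 'VisualDiscovery' -or $_.DisplayName -match 'Visual ?Discovery' })
    foreach ($svc in $services) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
        Write-Host "Stopped and disabled service '$($svc.Name)'"
    }
    if ($services.Count -eq 0) { Write-Host 'No Visual Discovery service found.' }
}

# --- run ---
Stop-VisualDiscovery
$before = @(Find-SuperfishCertificate)
if ($before.Count -eq 0) {
    Write-Host 'No Superfish certificate present in the Windows certificate stores.'
} else {
    $before | Format-Table -AutoSize
    Remove-SuperfishCertificate | ForEach-Object { Write-Host "Removed: $_" }
    # Verify: an empty result means IE and Chrome no longer trust the Superfish root.
    if (@(Find-SuperfishCertificate).Count -eq 0) { Write-Host 'Verified: Superfish root removed.' }
    else { Write-Warning 'Superfish certificate still present; re-run from an elevated prompt.' }
}
```

The script only stops the service and deletes the certificate; it does not uninstall the Visual Discovery program itself (use Programs and Features or Lenovo's instructions for that), and it does not touch Firefox, which keeps a separate certificate database. Keep the printed thumbprints: they are what you would search for on other machines or in an endpoint inventory.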

UPDATE: Lenovo has posted a list of models affected by the Superfish software. No ThinkPad models are included.

"We're sorry. We messed up," the Lenovo US Twitter feed stated last night. "We're owning it. And we're making sure it never happens again."

The company has also posted its own set of instructions to remove both Visual Discovery and the Superfish root certificate on Windows 8.1. It promises to release a removal tool later Friday (Feb. 20).

UPDATE: Microsoft has added the Visual Discovery software and the Superfish root certificate to the list of malware and other unwanted programs to be detected and deleted by Windows Defender (in Windows 8, 8.1 and RT) and Microsoft Security Essentials (in Windows Vista and 7).

However, Windows Defender will go dormant if a third-party security solution is in place on the same machine. Microsoft Security Essentials must be manually downloaded and updated, and is not recommended if a third-party security solution is already in place.

We mentioned above that Firefox users need not worry about Visual Discovery and Superfish, but it's now apparent that's not entirely accurate. Firefox maintains its own list of recognized certificates, and the Superfish certificate, if present, must be deleted manually. Here's how:

  • Click the icon resembling three stacked lines at the top right of the browser window.
  • Click Options in the resulting drop-down menu.
  • Select Advanced in the resulting dialogue box, then the Certificates tab.
  • Click the button labeled View Certificates.
  • Scroll down to find Superfish.
  • Select Superfish, if you find it.
  • Click the Delete or Distrust button under the list field.
  • Click OK in the resulting warning dialogue box.

UPDATE: The Department of Homeland Security's US-CERT has issued a warning advising users and administrators of Lenovo PCs, as well as users of several other products that employ Superfish software, to remove the software and associated certificates. 

Meanwhile, Superfish told Ars Technica's Dan Goodin that "despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk."

----------------------------------------------------------------------------

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • Steveymoo
    Isn't this basically spyware? GJ Lenovo, pre-loading your products with spyware.
  • Paul Wagenseil
    Quoting Steveymoo: "Isn't this basically spyware? GJ Lenovo, pre-loading your products with spyware."

    It doesn't seem to transmit information about the user back to any server, so no, it's not spyware. But breaking, and then faking, SSL encryption is arguably much worse.
  • pbike908
    Wow. This is an eye opener. Big question I have is how do I know if any other of my certificates are hijacked. I was always under the assumption that if the URL said HTTPS and I recognized the URL I was safe.

    Will Malwarebytes uncover this sort of stuff? I do regularly run the free version of Malwarebytes.
  • Xivilain
    Lenovo, we bought your laptops because they had the least amount of bloatware among HP, Dell, Gateway, and others. And they usually performed better. Now look what you did. Clean this mess up. Give your customers a script to fix this, and take responsibility for your mistake.
  • Paul Wagenseil
    Quoting pbike908: "Wow. This is an eye opener. Big question I have is how do I know if any other of my certificates are hijacked. I was always under the assumption that if the URL said HTTPS and I recognized the URL I was safe. Will Malwarebytes uncover this sort of stuff? I do regularly run the free version of Malwarebytes."

    I don't think you could know about similar situations, since the certificate and the software is pre-installed on the machine. But an Italian researcher has already created a page for Lenovo users to test their machines: https://filippo.io/Badfish/

    As for Malwarebytes, it may not yet detect this, if this VirusTotal page is up to date: https://www.virustotal.com/en/file/dc937aec71daf6ebcb5876c3e9ba26846d6c4678cb95c60fc9dde6ff81b5323a/analysis/
  • Lenovo computers are used in most businesses, maybe because it used to be IBM, but also because they are supposed to be reliable and secure products. I hope large companies start dumping Lenovo over this.

    A lot of these types of companies seem to be based in Israel, like Snap.Do and some other ones. Maybe they have special laws in Israel that make these companies not liable for damage?
  • Paul Wagenseil
    Quoting the previous comment: "Lenovo computers are used in most businesses, maybe because it used to be IBM, but also because they are supposed to be reliable and secure products. I hope large companies start dumping Lenovo over this. A lot of these types of companies seem to be based in Israel, like Snap.Do and some other ones. Maybe they have special laws in Israel that make these companies not liable for damage?"

    The Superfish adware appears to be only on consumer machines, not models destined for enterprise customers. As for adware liability, adware is entirely legal in the U.S. -- that's why some big U.S. media companies have subsidiaries that create and distribute it.
  • brandonclone1
    Not surprised. I set up hundreds of new PCs working at the Geek Squad and all Lenovo models were littered with bloatware. This just takes the cake!
  • nebun
    China has done it again... lol... I pity the people that trust the Chinese, they will do anything and everything to steal as much info as they can... this is modern-day espionage.
  • nebun
    Almost forgot... on all machines that I've purchased I've performed a clean install, not a restore... there is a big difference... I suggest everyone should do it, no matter who makes the machine.