Monday, February 23, 2015

Superfish-like Vulnerability on Facebook apps

'SuperFish' is advertising software recently found pre-installed on Lenovo laptops. It affected dozens of consumer-grade Lenovo laptops shipped before January 2015, exposing users to a hijacking technique: it silently intercepts and decrypts HTTPS connections, tampers with pages and injects advertisements.

Lenovo has just released an automated Superfish removal tool that removes both the Superfish software and its certificates from all major browsers.

And now Facebook has discovered at least 12 more titles using the same HTTPS-breaking technology that gave the Superfish malware its rogue-certificate capability. The researchers also say that Facebook found more than a dozen software applications other than Superfish that use the same Komodia library that gives the Lenovo-spawned adware its certificate-hijacking powers.

The operators listed in the post are as follows:

1) CartCrunch Israel LTD
2) WiredTools LTD
3) Say Media Group LTD
4) Over the Rainbow
5) Tech System
6) Alerts Arcade Giant
7) Objectify Media Inc
8) Catalytix Web Services
9) Optimizer Monitor

Superfish uses a technique known as "SSL hijacking", which appears to be a framework bought in from a third company, Komodia, according to a blog post written by Matt Richard, a threats researcher on the Facebook security team. The technique is able to bypass Secure Sockets Layer (SSL) protections by modifying the network stack of computers that run its underlying code.

Komodia's library installs a self-signed root CA certificate that allows it to intercept and decrypt encrypted connections to any HTTPS-protected website on the Internet. The company's SSL Decoder, the component Superfish uses, is present in numerous other products as well.

In 2012, the social networking giant started a project with researchers from Carnegie Mellon University to measure how prevalent SSL man-in-the-middle (MitM) attacks are.

The team found that various deep packet inspection (DPI) devices were using the same private key across all units, so an attacker can easily extract the key from any single device and use it against every other one.

The researchers said that the Komodia library is easy to detect, because the software that installs the root CA contains a number of easily searchable attributes that let the team match the certificates they see in the wild with the actual software.
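The shared-key tell from the Carnegie Mellon study above, as an added example that is not part of the original post or of Facebook's tooling: it mints constructed self-signed roots with Go's standard library (the host names and CA names are hypothetical) and reports any root whose public key is trusted by more than one host, which is what a fleet-wide trust-store inventory would reveal for a Superfish-style CA.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// selfSignedCA mints a self-signed CA certificate (constructed sample data, not any real product's cert).
func selfSignedCA(cn string, priv ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
// SharedRootKeys groups the self-signed roots of every host's trust store by the SHA-256 of their
// SubjectPublicKeyInfo and keeps only keys trusted by more than one host: a locally generated CA is
// unique per machine, so one key on many machines means the private key from any one signs for all.
func SharedRootKeys(stores map[string][]*x509.Certificate) map[string][]string {
	byKey := map[string][]string{} // SPKI hash -> "host:subject CN" entries trusting that key
	for host, certs := range stores {
		for _, c := range certs {
			if !c.IsCA || c.Subject.String() != c.Issuer.String() {
				continue // only self-signed roots are of interest here
			}
			key := fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
			byKey[key] = append(byKey[key], host+":"+c.Subject.CommonName)
		}
	}
	for key, hosts := range byKey {
		if len(hosts) < 2 {
			delete(byKey, key) // unique key: nothing to report
		}
	}
	return byKey
}
// SampleStores: two hosts trust the same constructed "Sample Interceptor CA" key; one has its own unique CA.
func SampleStores() map[string][]*x509.Certificate {
	_, shared, _ := ed25519.GenerateKey(rand.Reader)
	_, own, _ := ed25519.GenerateKey(rand.Reader)
	return map[string][]*x509.Certificate{
		"laptop-1": {selfSignedCA("Sample Interceptor CA", shared)},
		"laptop-2": {selfSignedCA("Sample Interceptor CA", shared)},
		"laptop-3": {selfSignedCA("Example Corp Internal CA", own)},
	}
}
func main() { fmt.Println(SharedRootKeys(SampleStores())) }
```

On a real fleet the input would be each machine's exported root store rather than minted certificates; the hashing and grouping stay the same.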
