Preloaded spyware, courtesy Lenovo

[xtabber]

It seems that Lenovo has been preloading their consumer grade laptops with ad-injecting spyware.

Even worse, this particular spyware installs its own root certificate and serves fake certificates on the fly.

You can read more about it here.

[hamradio]

Could it be that it is the Chinese equivalent of the NSA intercepting them on export and adding it then sending em on the way...lol

[mwb1100]

I hope that this behavior is found to be against some anti-hacking laws somewhere and that Lenovo can be hit with something more damaging then bad press.  Certainly, a MITM attack breaching secure banking sites must be against the law?

[ewemoa]

Thanks for sharing this.

The article contained some nice links:

• Lenovo installs adware on customer laptops and compromises ALL SSL. -> Has sections "HOW TO CHECK IF YOU ARE AFFECTED" and "WHAT TO DO IF YOU ARE AFFECTED" near the end of the article (before the comments section)
• Errata Security: Some notes on SuperFish -> Had clear timing info: "It's been going on since at least June 2014"
• What You Need to Know About Superfish, The Man-in-the-Middle Adware Installed on Lenovo PCs

[xtabber]

I feel personally aggrieved in this matter.  I bought a Lenovo Miix 2-8 nearly a year ago (before they began loading Superfish) and was pleasantly surprised at how well it runs Windows. But the screen is too small and low-res to use for any real work, so I was about to buy a Lenovo Yoga 2 10 inch Windows tablet. Needless to say, I will look elsewhere and expect to never purchase a Lenovo product again.

It’s pretty clear from their statements that the folk at Lenovo don’t think that they did anything wrong, just that they “messed up” and got caught.  The only way to teach people like this is to hit them where it hurts, in the pocketbook.

I generally detest lawyers who file class action lawsuits, but I would suspect that Lenovo is going to face a bunch of them and this is one situation where I hope the predators get their pound of flesh.

[IainB]

Could it be that it is the Chinese equivalent of the NSA intercepting them on export and adding it then sending em on the way...lol

-hamradio (February 19, 2015, 12:45 PM)

Many a true word spoken in jest.

[Renegade]

I've almost always had custom built computers, but the "stock" ones that I've had have really sucked by comparison.

[wraith808]

You can check to see if you're affected: https://filippo.io/Badfish/

[rgdot]

Have a Lenovo, but long since overwritten with Mint (from original Windows)

FWIW this is what I see:

[wraith808]

If you overwrite, you're fine.  I received that link from my IT department (we use Lenovo's), and they do the same thing.  When we get them in, they overwrite with a standard image.

[ewemoa]

I overwrite too.  Definitely takes time to set up from installation media first time (e.g. today from W7 SP1, literally had over 130 updates total), but apart from avoiding the questionable content that is preloaded there are a few additional benefits IMHO:

bloat reduction
a somewhat more up-to-date image to restore from and possibly customized more to one's taste
a bit more flexibility regarding use of HDD -- e.g. can use the space reserved for restoration (i.e. onekey) for other purposes

May be others have additional / different reasons for doing likewise?

[Steven Avery]

Are you saying that you overwrite their OS with the installation media that comes with the hardware?  
If so, do they supply CDs, or do you burn them, or have another source?  If from Lenovo, these are clean unlike the PCs they sent out?

Just want to have a clearer explanation.
Clearly overwriting with Mint is another story.

Steven

[wraith808]

Are you saying that you overwrite their OS with the installation media that comes with the hardware? 
If so, do they supply CDs, or do you burn them, or have another source?  If from Lenovo, these are clean unlike the PCs they sent out?

Just want to have a clearer explanation.
Clearly overwriting with Mint is another story.

Steven

-Steven Avery (February 21, 2015, 09:02 AM)

Well, from a corporate standpoint, they have images that they have created that are licensed and install the exact same image onto each category (developer, analyst, etc) of user.

Personally, I don't buy laptops that don't include actual installation media that is certified bare bones windows.  In the case of those that don't provide the same, in many cases they provide computers without the operating system.

Some include restoration partitions that already have the crapware in them.

Of course, I haven't bought a laptop in years... so not sure if it's possible to buy a mainstream without the OS now.  But in that case, you'd have to purchase the OS separately and install it.  I had to do that on my last laptop.

[TaoPhoenix]

I've almost always had custom built computers, but the "stock" ones that I've had have really sucked by comparison.

-Renegade (February 20, 2015, 09:26 AM)

I think I stand by this. I am making my own problems with upgrade woes but my current comp is custom built that we did as a project and when it's your buddy building it you know generally there's no weird stuff (initially!) on there.

You don't have to de-construct it in labor-hours what you saved in build dollars.

 

[ewemoa]

Are you saying that you overwrite their OS with the installation media that comes with the hardware?  

-Steven Avery (February 21, 2015, 09:02 AM)

In my case, I have purchased separate installation media -- can get a bit expensive, but then these days there are some places that offer the purchase of PCs without a bundled OS.

Didn't mention this earlier, but up through this post I've had notebook PCs in mind.

[ewemoa]

I think I stand by this. I am making my own problems with upgrade woes but my current comp is custom built that we did as a project and when it's your buddy building it you know generally there's no weird stuff (initially!) on there.

-TaoPhoenix (February 21, 2015, 07:32 PM)

I haven't found a practical way to assemble appropriate notebook PCs, but for desktop / server, have almost always gone with custom.

[wraith808]

I think I stand by this. I am making my own problems with upgrade woes but my current comp is custom built that we did as a project and when it's your buddy building it you know generally there's no weird stuff (initially!) on there.

-TaoPhoenix (February 21, 2015, 07:32 PM)

I haven't found a practical way to assemble appropriate notebook PCs, but for desktop / server, have almost always gone with custom.

-ewemoa (February 21, 2015, 07:47 PM)

Same here.  It just isn't practical to assemble a laptop from what I've seen.  The desktop/server- because of the ability to choose individual parts- is practical for a build.  Laptops haven't seemed to reach that level yet.

And I do think it's only laptops that were affected by this...

[Target]

saw this on Ghacks this morning - privdog-is-superfish-all-over-again

it appears Privdog (which ships with Comodo) may be a similar application...

and so it goes...

[ewemoa]

Thanks for sharing...tip of the iceberg, anyone?

Nice to have instructions for removal (near the end of the article).

On a side note, I found it particularly irksome that for the GUI-ishly inclined that one has to "Add/Remove Snap-in".  Grrr!  On a positive note, the Ghacks article described a language-independent way of accessing the UI window that's relevant for this process, and that is much appreciated.  Some other articles describe steps that use searching which don't work on (at least some) non-English-based Windows machines (at least they didn't work for me).

Screenshots would be a plus for some of the steps to help guide (though of course that probably wouldn't help in the case where searching is part of the instructions...).

Spoiler

The last 2 paragraphs in the article...

[mwb1100]

So when will legitimate security vendors (whoever they might be) start reporting when there are fishy root certs installed?  Because I don't know about you, but when I look at the collection of root certs installed on my machine (run the certmgr.msc management console plug-in program), there's no way I could say which (if any) didn't belong. 

There are 100 or so certificates (including 27 "Untrusted certificates") installed on my system - and I think that my anti-malware should tell me if they're OK or not.

[Target]

I think the most irritating thing here is that these are 'trusted' vendors

Comodo seems to be a well regarded security vendor which is doubly disturbing (though i suppose not altogether surprising, it's not like it's the first time something like this has happened)

[ewemoa]

So when will legitimate security vendors (whoever they might be) start reporting when there are fishy root certs installed?  Because I don't know about you, but when I look at the collection of root certs installed on my machine (run the certmgr.msc management console plug-in program), there's no way I could say which (if any) didn't belong. 

There are 100 or so certificates (including 27 "Untrusted certificates") installed on my system - and I think that my anti-malware should tell me if they're OK or not.

-mwb1100 (February 23, 2015, 11:50 PM)

I agree about it being impractical to tell -- didn't have that many here, but there were a few completely unfamiliar ones.

Something to help assess what should and shouldn't be there does sound like it could be useful....not sure how practical and effective it would end up being, though perhaps much better than nothing.

Wouldn't really trust what one specific vendor had to say about a specific cert (cf. the value of VirusTotal, Jotti, etc.), but with a collective assessment, may be some suspicious things could be detected.

Spoiler

It's not like the whole root cert idea is foolproof, but that would be a different type of discussion I guess

[ewemoa]

I think the most irritating thing here is that these are 'trusted' vendors

Comodo seems to be a well regarded security vendor which is doubly disturbing (though i suppose not altogether surprising, it's not like it's the first time something like this has happened)

-Target (February 23, 2015, 11:57 PM)

So where's our "anti-virus / security vendor" scanner

[Stoic Joker]

There are 100 or so certificates (including 27 "Untrusted certificates") installed on my system - and I think that my anti-malware should tell me if they're OK or not.

-mwb1100 (February 23, 2015, 11:50 PM)

Why? SSL Certs only serve to verify the identity of the entity on the other end of a connection ... Not the purity of their intentions..

[mwb1100]

There are 100 or so certificates (including 27 "Untrusted certificates") installed on my system - and I think that my anti-malware should tell me if they're OK or not.

-mwb1100 (February 23, 2015, 11:50 PM)

Why? SSL Certs only serve to verify the identity of the entity on the other end of a connection ... Not the purity of their intentions..

-Stoic Joker (February 24, 2015, 06:31 AM)

Because a company that is in the business of to helping deal with malware on my computer is in a better position to track certs that are known to be used for MITM schemes than I am.  Or they could track certs that are trustworthy and flag the other ones as something suspect.  That's what some of the more aggressive anti-malware does with programs.

I'm not sure how it would work. I'm just suggesting that it's a service that I would like to be included in the package for the fee that I'm paying.