1. News
  2. 2015
  3. February
  4. Revealing hidden malware threats
News from City, University of London
Lenovo laptop close up image
Science & Technology Series: Expert Comment

Revealing hidden malware threats

Professor Tom Chen comments on Lenovo's Superfish software.
by John Stevenson

City Professor of Cybersecurity, Professor Tom Chen, says computer manufacturer Lenovo's pre-installed Superfish VisualDiscovery or Superfish software, still poses a security risk.

From September 2014 to January 2015, the Superfish adware program was installed on some of Lenovo's notebooks and is designed to intercept users' web traffic to provide targeted advertisements popping up on web browsers.

nullAfter an outcry from affected owners of Lenovo devices, the company was forced to remove the hidden software which appears to be more like malware and potentially compromised their security.

"Superfish is able to intercept encrypted connections (using HTTPS) and inject ads into the connections by means of a software component made by another company, Komodia SSL Decoder/Digestor", says Professor Chen, who is also leading a research into malicious app collusion detection on the Android mobile platform. He says that the Komodia software installs a root CA certificate in the browser trusted certificate stores, enabling it to carry out a man-in-the-middle attack:

"When a user visits a website via HTTPS, the software intercepts the connection and places itself between the browser and the server, connecting to the server as a client. The user is unaware that the Komodia software is intercepting, decrypting, modifying, and re-encrypting data in the secure web connection. The certificates used by the Komodia software are signed by the root CA it installed, so the web browser will not display any warnings."

Despite Lenovo being forced to remove the hidden adware and offering users a patch to remove Superfish, questions still remain about why and for how long it was pre-installed on machines and what data might have been collected.

Professor Chen believes that it still poses a security risk, "because the same root certificate is used on all systems, and the private key corresponding to that certificate was easy to extract (and is now public knowledge). With the private key, criminals can spoof websites with signed fake certificates that will not elicit a warning in the user's browser. The Komodia software has been found to be used by several other applications as well. Those applications can intercept encrypted web traffic in the same way as Superfish."

He adds:

"The applications undermine the normal security of SSL-protected web connections by essentially using spyware. In doing so, the software has exposed computers to more web threats. It becomes difficult to know what can be really trusted on the computer or on the web. It will be also necessary to uninstall the root CA certificate that is installed by the Komodia component. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store, and has updated its free Windows Defender and Security Essentials antivirus programs to delete the certificate associated with Superfish."


Adware is a type of software that comes bundled with other software. It displays advertisements on a user's computer that relate to the type of internet searches and webpages that the user has viewed and is a threat to a user's personal information.

Tags , , , , , , ,
Share this article