‘Komodia’ software behind Superfish found in 12 more programs

All of the software is built on the Komodia technology, and all of it relies on insecure root certificates to run a “middle-man” SSL proxy between the browser and the server.
One of the new programs to be found has been categorised as a major Trojan virus by Symantec’s anti-virus software since December and is now known as Trojan.Nurjax. Once it has infected a computer, it hijacks any installed web browsers to download more threats. It does this by bypassing HTTPS with the help of Komodia.
Komodia is the work of an Israeli company that advertises the software as an “SSL hijacker”. Its website is currently offline due to “an exceptional amount of traffic” from a suspected DDoS attack because of the media attention.
Its software manipulates the socket stacks of computer network cards so that it can intercept encrypted HTTPS communications from websites.
Security researchers didn’t take long to uncover one amusing weakness in the otherwise impressive software, however. The password protecting the majority of the Komodia certificates that it relies upon is none other than “komodia”.
Errata Security CEO and whitehat hacker Rob Graham discovered this in under three hours. He then used it to create fake HTTPS-enabled websites for the Bank of America and Google that were fully trusted by Lenovo laptops running Superfish with the Komodia certificates installed. Other researchers soon replicated his results.
Matt Richard, a member of Facebook’s security team, said of the growing issue: “It is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic.”
He then published the SHA1 cryptographic libraries that identified the programs using Komodia certificates in the hope that other researchers will be able to use them to uncover further programs using the technology online. With Lenovo now being forced into making formal apologies to customers and issuing a special tool to remove Superfish and the Komodia code it harbours, it is clear that the threat could be considerable if not contained soon.
