February 27, 2015 By Doug Franklin 7 min read

Over the past few days, we have seen a security incident involving adware explode in the press. The original claims surprised the industry, and the reality actually became more surprising as we learned more. However, as Mark Twain said, “Fiction is obliged to stick to possibilities. Truth isn’t.” This adware incident varies in one very significant way from the notable vulnerability incidents of 2014. Those incidents originated with programming errors latent in software implementations, while the adware incident started with conscious decisions.

The Superfish incident began with revelations about adware installed by a computer vendor on some models of its consumer laptops. Vendors agree to install this software to reduce the purchase price of the computers. The producers of the adware either pay the vendor to install their products, offer the vendor a cut of the ad revenue or conduct some combination of both. The Superfish Visual Shopper adware, though, was caught snooping on secure HTTPS connections. The scrutiny invited by those discoveries quickly revealed a much bigger problem, and although the snooping was bad enough, the implications of the methods used were a lot scarier.

A Comment on Adware

Adware needs no introduction for this audience, having been an issue for a long time. Nonetheless, it’s an opportunity to point out that any software added to a system increases its attack surface and therefore, its risk of compromise. However, most adware doesn’t try (at least actively) to compromise secure connections. In that sense, it presents less of a concern than the current flap surrounding Komodia and Superfish and the companies that distribute them.

How the Adware Works

At the root of this incident, the Visual Shopper adware uses technology from Komodia to snoop on secure connections. The Komodia software installs a local proxy to perform a man-in-the-middle (MitM) attack on secure connections. To do this without raising alarms from browsers, it installs a certificate into the system. The installation registers this certificate as being that of a root certificate authority (CA). That privileged status allows the certificate to sign any other certificate while avoiding warnings from the browser or notice from the user.

As if that wasn’t bad enough, the adware installs the same certificate on large numbers of computers. It also packages the private key with the certificate so that the proxy can sign additional certificates. Additionally, the certificate uses an outdated SHA1 hash and RSA encryption with a weak 1,024-bit key. The passwords for many certificates are trivial and the same: seven letters, all lowercase.

To complete the mess, if the MitM proxy runs into a certificate that fails validation, it creates a new one for that domain and signs it with the root CA certificate; the user never sees the problem with the original certificate.

Why Is This Bad?

Adversaries can use these certificates in the same way the interception technology uses it: to unveil the contents of sessions that users believe to be secure. Adware producers insist they use their technology only to provide ad services. But those root CA certificates make it simple for anyone to steal credentials, account details and anything else protected by an Secure Socket Layer (SSL) connection.

To make use of the certificate, the adversary must accomplish a couple of things. First, it needs the private key that goes with the certificate. Unfortunately, the private key is packaged with the certificate, so the proxy can sign new certificates. Second, it needs the signing password for the key. Within hours of publicly disclosing this issue, security researcher Rob Graham determined the password and, because he’s so good, that the password was trivial. So, the first two obstacles fell in the first 48 hours of public scrutiny. Within another 48 hours, the scrutiny revealed an entire suite of these fake root CA certificates used by different adware campaigns.

The final serious hurdle for an adversary is getting the fake root CA certificate onto a target computer. That may sound difficult, but exploit kits, drive-by download servers and the tools they dispense can handle it easily. The success of phishing and spear phishing campaigns implies a reasonable likelihood of finding victims, even from a narrowly targeted group. Plus, the adversaries have the adware companies and distributors working for them to distribute these certificates far and wide.

What can an adversary do once he or she smuggles one of these certificates into a computer? That link in a spear phishing email that used to produce browser warnings about security doesn’t anymore. Perhaps it was an HTTP link, and now it’s an HTTPS link so that the malware can hide its activities from network defenses and not produce warnings from the browser. The adversary could do what the adware does and install a local proxy that uses that fake root CA certificate to strip the security from the sessions intended to be secure.

How Bad Is It?

It’s bad enough that the U.S Computer Emergency Readiness Team felt the need to issue Vulnerability Note VU#529496, “Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys.” It’s bad enough that, according to ZDNet, Microsoft promptly reported the Windows Defender system would start by identifying and eliminating Superfish applications and certificates. Antivirus software vendors are also moving quickly to add protection to their products.

As we continue to see expansion in the breadth of the applications affected, the number of fake root CA certificates and the techniques to exploit them, things could get pretty rough. The furor started over a single laptop vendor and the software it loaded onto some consumer models of laptops. The passing days have shown a number of other applications affected, as listed by Ars Technica, and those discoveries are likely to continue. The adware involved in the situation has reportedly been bundled with various software downloads and loaded by computer vendors. At the very least, thousands or more individual machines harbor suspicious adware and discredited but powerful SSL certificates. Further research is uncovering simpler ways of exploiting the certificates.

Fortunately, this batch of fake root CA certificates can mostly be identified as a class. The certificates use very weak basic parameters and should be banned for that alone. Simply identifying those weak parameters can allow for more generic protection than “block any certificate with Superfish in the text fields.”

However, the adware could just as easily have used certificates with stronger parameters, making the certificates impossible to distinguish as a class — that is, unless the creators leave “footprints.” Superfish did this by leaving its name in the text fields of the certificates and using suspiciously weak certificate parameters. Had Superfish used a little more finesse, those certificates likely would have gone unnoticed for even longer. It helps to eliminate the certificates individually as they become known, but this represents another game of Whac-A-Mole.

Any MitM attack can obviously extract credentials and other sensitive information if the operator wants, or if a third party manages to co-opt the infrastructure. The MitM attack has full access to the contents of those supposedly secure sessions, but the adware companies insist they don’t to and wouldn’t do that. Even if they don’t, however, the certificates they’re dropping on unsuspecting users’ computers enable others to compromise “secure” connections, too, even without taking over the rest of the adware infrastructure.

Adware companies are surely not the only threat, either. As the Superfish saga unfolded, researchers caught another adware tool snooping on HTTPS connections. It also uses fake root CA certificates, but it at least generates new ones for each installation. Nonetheless, its proxy signs every certificate with its root key, hiding problems with the original certificate from the browser and the user. An article by ITworld gives a good overview on the difference.

In addition, the Gogo airline in-flight Wi-Fi service stands accused of stripping “secure” connections as well, according to Symantec, and intentionally issuing fake SSL certificates. This report probably caused more consternation in enterprise IT departments than the Superfish situation, because executives and other staff may use Gogo for Virtual Private Network sessions while in flight. Even some Adobe Reader updates attempt to slip “bundleware” onto your system in the form of McAfee’s antivirus product.

What to Do

The adware situation should not affect enterprises that provision computers from standardized operating system images, since that eliminates any software loaded by the vendor. Businesses that purchase commodity systems may need to exercise caution to ensure the machines they receive come without vendor-installed software or with only agreed-upon software if it was indeed installed by the vendor.

Make sure your defense systems stay up-to-date, human and mechanical. Security vendors take this issue seriously and are adding defenses against Superfish certificates. Expect them to expand those defenses as researchers identify other certificates, and enhance your user training to include a focus on those security warnings that pop up from the browser periodically. Explore examples of what a user might see. Enterprises can tightly control the installation of software on company-issued equipment to prevent things such as adware getting in later. The bring-your-own-device environment complicates matters, but requiring up-to-date defenses on any device connecting to your network falls into the category of “prudence.”

For Windows administrators, the “certutil.exe” Windows utility program can manipulate Windows key stores to allow scripts to identify and remove other risky certificates. Firefox has its own certificate store and tools. The Network Security Services Tools’ certutil.exe program provides a similar functionality to the Windows tool of the same name. Some endpoint management systems can help. Scan your systems for weak certificates from any other source, get rid of the ones you can’t positively identify and update the rest to more secure parameters and passphrases.

In addition, expect researchers to identify more systems intercepting secure sessions. The original Superfish furor brought this issue to the front pages, getting people interested in taking a look at the situation. With reports about an in-flight Wi-Fi service possibly intercepting secure connections, you can bet enterprise IT departments everywhere are paying attention.

This situation does reinforce the importance of due diligence before allowing new software into your enterprise, even peripherally. The adware applications don’t have to get into your network to cause problems if the certificates get inside. The exploitation window should be closing for these particular certificates now that they’re public and security vendors are adding defenses. Keep in mind that there will probably be more and new fake root CA certificates and new actors trying to smuggle them onto your users’ systems.

Superfish says it really doesn’t see a problem. As of Friday, Feb. 20, the chief executive officer of Superfish still insisted his company’s products “posed no security risk.” It may be more worrisome if that’s true than otherwise. If other companies out there feel the same way, the world faces more problems of this sort. It appears that Superfish, at least, remains unrepentant.

More from X-Force

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today