Matt Richard, a security researcher at Facebook, revealed that the social network has discovered at least ten more software applications using the Komodia library, which gives them the same traffic-hijacking capabilities as the Superfish adware.
Komodia installs a self-signed root CA certificate that allows the library to eavesdrop on HTTPS traffic through SSL hijacking.
As with the vulnerable DPI devices, Superfish uses the same private key across all clients, but in the case of the popular adware the root certificate appears to be installed on more clients than those “behind the vulnerable DPI devices.”
Richard reported that the bogus digital certificates issued by Superfish to spy on Facebook used weak 1024-bit RSA keys and were signed directly by the universal root certificate.
“The fake Facebook entity certificates issued by Superfish used weak 1024-bit RSA keys and were directly signed by the universal root certificate with no intermediate certificates in the chain. In contrast to corporate firewalls that also install local root certificates into an employee’s machine for traffic filtering purposes, one of the characteristics of SSL interceptions performed by malware is that it is widespread across the world,” states the post published by Facebook.
Richard avoided commenting on the motivations behind the SSL traffic interception performed by the different applications.
“We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data.”
The experts from Facebook analyzed the number of SSL connections intercepted by Superfish for Windows clients worldwide. Richard also explained that a strain of the Trojan.Nurjax malware, detected by experts at Symantec, uses the Komodia library.
Richard confirmed that the same Komodia library is used by many other applications; the complete list of certificate issuers includes:
Richard explained that the Komodia library is quite easy to detect.
“In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software. These functions, which are Windows PE exports, include ‘CertInstallAll’, ‘GetCertPEMDLL’, ‘InstallFirefoxDirectory’, ‘SetCertDLL’, and ‘SetLogFunctionDLL.’ Most of these libraries are designed to work on Windows 8 and will not install on older operating systems.” Richard said.
The experts at Facebook also provided a list of SHA1 hashes of software seen in the wild that contains the Komodia library, which can be used for detection:
0cf1ed0e88761ddb001495cd2316e7388a5e396e
473d991245716230f7c45aec8ce8583eab89900b
fe2824a41dc206078754cc3f8b51904b27e7f725
70a56ae19cc61dd0a9f8951490db37f68c71ad66
ede269e495845b824738b21e97e34ed8552b838e
b8b6fc2b942190422c10c0255218e017f039a166
42f98890f3d5171401004f2fd85267f6694200db
1ffebcb1b245c9a65402c382001413d373e657ad
0a9f994a54eaae64aba4dd391cb0efe4abcac227
e89c586019e259a4796c26ff672e3fe5d56870da
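The two detection signals described above (the characteristic PE export names and the published SHA1 hashes) can be combined into a simple host triage check. The following script is an added example written for this article, not Facebook's tooling and not code from the Komodia or Superfish projects. It searches files for the export names as NUL-terminated ASCII strings (the “easily searchable attributes” Richard refers to) rather than parsing the PE export table, and flags a file when its SHA1 matches the published list or when at least two of the export names are present; the two-name threshold and the sample byte blobs are constructed assumptions for illustration.

```python
"""Triage helper for binaries containing the Komodia SSL-interception library.

Added example for this article; not Facebook's code. Uses only the standard
library so it can run offline on a directory of files.
"""
import hashlib
import os
from typing import Dict, List

# SHA1 hashes published by Facebook for software containing the Komodia library.
KOMODIA_SHA1 = {
    "0cf1ed0e88761ddb001495cd2316e7388a5e396e",
    "473d991245716230f7c45aec8ce8583eab89900b",
    "fe2824a41dc206078754cc3f8b51904b27e7f725",
    "70a56ae19cc61dd0a9f8951490db37f68c71ad66",
    "ede269e495845b824738b21e97e34ed8552b838e",
    "b8b6fc2b942190422c10c0255218e017f039a166",
    "42f98890f3d5171401004f2fd85267f6694200db",
    "1ffebcb1b245c9a65402c382001413d373e657ad",
    "0a9f994a54eaae64aba4dd391cb0efe4abcac227",
    "e89c586019e259a4796c26ff672e3fe5d56870da",
}

# Windows PE export names Facebook reported as characteristic of the root-CA installer.
KOMODIA_EXPORTS = (
    b"CertInstallAll",
    b"GetCertPEMDLL",
    b"InstallFirefoxDirectory",
    b"SetCertDLL",
    b"SetLogFunctionDLL",
)

# Assumed heuristic: a single matching name could occur in unrelated software,
# so require at least two before flagging on export names alone.
MIN_EXPORT_MATCHES = 2


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA1 digest of a file's contents, for matching against the IoC list."""
    return hashlib.sha1(data).hexdigest()


def find_export_names(data: bytes) -> List[str]:
    """Return the Komodia export names present in the file as NUL-terminated strings.

    Export names are stored NUL-terminated in the PE export name table, so
    searching for name + NUL avoids hits inside longer unrelated strings.
    """
    return [name.decode() for name in KOMODIA_EXPORTS if name + b"\x00" in data]


def classify(data: bytes) -> Dict[str, object]:
    """Combine the hash match and the export-name heuristic into one verdict."""
    digest = sha1_of_bytes(data)
    exports = find_export_names(data)
    return {
        "sha1": digest,
        "known_hash": digest in KOMODIA_SHA1,
        "exports": exports,
        "suspicious": digest in KOMODIA_SHA1 or len(exports) >= MIN_EXPORT_MATCHES,
    }


def scan_directory(root: str) -> List[Dict[str, object]]:
    """Walk a directory tree and return the classification of every flagged file."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or transient file; skip rather than abort the scan
            result = classify(data)
            if result["suspicious"]:
                result["path"] = path
                hits.append(result)
    return hits


# Constructed sample inputs (not real binaries): a blob that mimics an export name
# table carrying three of the Komodia names, and a benign blob with one ordinary export.
SAMPLE_BLOB = b"MZ" + b"\x00" * 60 + b"CertInstallAll\x00SetCertDLL\x00SetLogFunctionDLL\x00"
BENIGN_BLOB = b"MZ" + b"\x00" * 60 + b"DllMain\x00"

if __name__ == "__main__":
    print(classify(SAMPLE_BLOB))  # suspicious: True, three export names matched
    print(classify(BENIGN_BLOB))  # suspicious: False
    # scan_directory(r"C:\Program Files") would report flagged files with their paths.
```

A hash match is exact and only covers the ten published samples; the export-name check is what generalizes to repackaged builds, which is why the script reports both signals separately so an analyst can see which one fired.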
“We’re publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers,” Richard wrote. “We think that shining the light on these practices will help the ecosystem better analyze and respond to similar situations as they occur.”
Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptops and remove the Superfish malware.
(Security Affairs – Lenovo, Superfish)