Experts discovered other applications using the same Superfish Komodia library

Pierluigi Paganini February 24, 2015

Security experts at Facebook have discovered at least ten more applications that use the Komodia library, the same component that gives the Superfish adware its traffic-hijacking capability.

Matt Richard, a security researcher at Facebook, revealed that the company has found at least ten more software applications that use the Komodia library behind the Superfish adware's traffic hijacking.

Komodia installs a self-signed root CA certificate that allows the library to eavesdrop on HTTPS traffic by hijacking SSL connections.

Richard explained that Facebook and Carnegie Mellon University started an initiative in 2012 to “measure how prevalent SSL MITM was in the wild”.

The researchers involved in the project discovered “certain deep packet inspection (DPI) devices were using the same private key across devices, which can be exploited by an attacker with the capacity to extract the key from any single device.”

By analogy, Superfish uses the same private key across all clients, but in the case of the popular adware the root certificate appears to be installed on more clients than those “behind the vulnerable DPI devices.”

Richard reported that the bogus digital certificates Superfish issued to spy on Facebook traffic used weak 1024-bit RSA keys and were signed by the universal root certificate.

“The fake Facebook entity certificates issued by Superfish used weak 1024-bit RSA keys and were directly signed by the universal root certificate with no intermediate certificates in the chain. In contrast to corporate firewalls that also install local root certificates into an employee’s machine for traffic filtering purposes, one of the characteristics of SSL interceptions performed by malware is that it is widespread across the world.” states the post published by Facebook.
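As an added example (not code from the article or from Facebook's research), the Go check below flags a server-presented chain showing the two traits just described: an RSA leaf key shorter than 2048 bits and a leaf signed directly by a self-signed root with no intermediate. The root and leaf are constructed sample data; a production check would additionally compare the presented root against the machine's trust store.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// SuspectChain checks a chain (leaf first) for the two traits the Facebook
// write-up attributes to Superfish-issued certificates: an RSA leaf key under
// 2048 bits and a leaf signed directly by a self-signed root, no intermediate.
func SuspectChain(chain []*x509.Certificate) []string {
	if len(chain) == 0 {
		return nil
	}
	var reasons []string
	leaf := chain[0]
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		reasons = append(reasons, fmt.Sprintf("leaf uses a weak %d-bit RSA key", pub.N.BitLen()))
	}
	if len(chain) == 2 && chain[1].CheckSignatureFrom(chain[1]) == nil && leaf.CheckSignatureFrom(chain[1]) == nil {
		reasons = append(reasons, "leaf signed directly by a self-signed root, no intermediates")
	}
	return reasons
}

// makeCert builds constructed sample data: a certificate for cn with a fresh
// RSA key of the given size, signed by parent (nil parent = self-signed root).
func makeCert(cn string, bits int, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // sample data; bits is 1024 or 2048 here
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```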

Richard avoided commenting on the motivations behind the SSL traffic interception performed by the different applications.

“We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data,”

The experts at Facebook analyzed the number of SSL connections intercepted by Superfish on Windows clients worldwide. Richard also explained that a strain of the Trojan.Nurjax malware detected by experts at Symantec uses the Komodia library.

Superfish certificates diffusion

Richard confirmed that the same Komodia library is used by many other applications; the complete list of certificate issuers includes:

  • CartCrunch Israel LTD
  • WiredTools LTD
  • Say Media Group LTD
  • Over the Rainbow Tech
  • System Alerts
  • ArcadeGiant
  • Objectify Media Inc
  • Catalytix Web Services
  • OptimizerMonitor

Richard explained that the Komodia library is quite easy to detect.

“In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software. These functions, which are Windows PE exports, include ‘CertInstallAll’, ‘GetCertPEMDLL’, ‘InstallFirefoxDirectory’, ‘SetCertDLL’, and ‘SetLogFunctionDLL.’ Most of these libraries are designed to work on Windows 8 and will not install on older operating systems.” Richard said.

The experts at Facebook also provided a list of SHA1 hashes that can be used to detect software in the wild that contains the Komodia library:


“We’re publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers,” Richard wrote. “We think that shining the light on these practices will help the ecosystem better analyze and respond to similar situations as they occur.”

Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptops and delete the Superfish malware.

Pierluigi Paganini

(Security Affairs – Lenovo, Superfish)
