PCs sold by Lenovo between September 2014 and January 2015 came pre-installed with Superfish VisualDiscovery, a piece of malware claiming to improve users’ Internet experience by adding visual results to Google search and other websites. But in reality, the main purpose of the software was to add third-party advertisements.
Superfish installs its own Certification Authority (CA) on the local device, and adds a trusted root CA certificate to the local machine certificate store, so that encrypted web traffic can be intercepted to insert adverts. This is necessary because many sites, including Google, use HTTPS by default.
While this is worrying in itself, Lenovo admitted that it was possible for a hacker to recover the private key from the software, enabling man-in-the-middle attacks by generating a certificate for a spoof website that is automatically trusted by any system where Superfish is installed.
In addition to common protection measures like antivirus and endpoint firewalls, here are four ways you can prevent malware similar to Superfish from infecting your systems.
1. Install a Clean Windows Image
Even if your organization doesn’t have its own custom Windows image, don’t rely on the configuration provided by PC manufacturers. The only way to be sure there’s no malware installed on the device out-of-the-box is to wipe the disk and reload Windows from scratch.
2. Remove Administrative Privileges
Superfish installs a certificate in the local machine Trusted Root Certification Authorities certificate store. That means the certificate is available globally to all users of the device, and is inherited by the current user Trusted Root Certification Authorities certificate store. To install a certificate in the local machine Trusted Root Certification Authorities certificate store, users must have administrative privileges on the PC, so running day-to-day as a standard user denies software like Superfish the rights it needs to add a machine-wide trusted root.
3. Monitor Certificate Stores
While Superfish requires access to the local machine certificate store to install a certificate from its own certification authority, there’s no reason why a malicious process couldn’t add a trusted root CA to the current user store. While this can be prevented using application control (see below), you could monitor PCs to check for changes to the certificate stores that might indicate a malware infection.
It’s easy to search for the Superfish certificate using the PowerShell Get-ChildItem cmdlet, because we know the thumbprint of the certificate:
Get-ChildItem -Recurse Cert:\ | Where-Object { $_.Thumbprint -eq 'c864484869d41d2b0d32319c5a62f9315aaf2cbd' }
Alternatively, you can go straight for the kill and remove the certificate if present using the Remove-Item cmdlet:
Remove-Item -Path Cert:\LocalMachine\Root\c864484869d41d2b0d32319c5a62f9315aaf2cbd
PowerShell Remoting makes it easy to run the above cmdlets across all devices on your network, and you could write a script to monitor for known certificates, such as the one used by Superfish, or to monitor for changes to a known configuration.
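The following script is an added example, not code from the original article: it turns the one-off search above into a repeatable audit of both the machine and current-user Trusted Root stores, compares them against a baseline captured from a clean image, flags the Superfish thumbprint quoted above, and pushes the same check to other machines with Invoke-Command. The baseline file, host list and output paths are assumptions; only the thumbprint comes from the article.

```powershell
# Added example (not from the original article): audit Trusted Root stores
# against a known-good baseline, locally or fleet-wide via PowerShell Remoting.
# File paths and the host list are assumptions; adjust them for your environment.

$superfish = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'   # thumbprint quoted in the article

# One script block does all the work so it can run locally or on remote hosts unchanged.
$auditRoots = {
    param([string[]]$Baseline, [string]$KnownBad)

    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reason = $null
            if ($cert.Thumbprint -eq $KnownBad) {
                $reason = 'Known malicious root (Superfish)'
            }
            elseif ($cert.HasPrivateKey) {
                # A trusted root whose private key lives on the endpoint is exactly
                # what an interception proxy needs; treat it as suspicious.
                $reason = 'Root CA has a private key on this device'
            }
            elseif ($Baseline -notcontains $cert.Thumbprint) {
                $reason = 'Root not present in baseline'
            }
            if ($reason) {
                [pscustomobject]@{
                    Computer   = $env:COMPUTERNAME
                    Store      = $store
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    Reason     = $reason
                }
            }
        }
    }
}

# Step 1 (run once on a clean image): record the baseline of root thumbprints.
$baselineFile = 'C:\Baselines\trusted-roots.txt'    # assumed location
if (-not (Test-Path $baselineFile)) {
    New-Item -ItemType Directory -Path (Split-Path $baselineFile) -Force | Out-Null
    Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
        Select-Object -ExpandProperty Thumbprint -Unique |
        Set-Content -Path $baselineFile
}
$baseline = Get-Content -Path $baselineFile

# Step 2: audit this machine.
& $auditRoots -Baseline $baseline -KnownBad $superfish | Format-Table -AutoSize

# Step 3: audit the fleet. hosts.txt is an assumed one-hostname-per-line file;
# WinRM must be enabled on the targets.
$hosts = Get-Content -Path 'C:\Baselines\hosts.txt'
Invoke-Command -ComputerName $hosts -ScriptBlock $auditRoots -ArgumentList $baseline, $superfish |
    Export-Csv -Path 'C:\Baselines\root-audit.csv' -NoTypeInformation
```

Two caveats when using this: reading the stores works as a standard user, but removing a certificate from Cert:\LocalMachine\Root needs an elevated session, and the Cert:\CurrentUser\Root store seen by a remote session belongs to the account running the remoting job, not to whoever is logged on at the console, so user-store findings need a local or scheduled-task run in the interactive user's context.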
4. Application Control
Some applications maintain their own certificate stores, such as the popular browser Firefox and the email client Thunderbird, so ultimately you need to determine which apps are allowed to run on your devices. AppLocker is built into Windows 7 (and later), and can be used to create whitelists of applications and processes approved by your IT department, while blocking all others.
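As an added example (not code from the original article), the script below uses the AppLocker module's own cmdlets to build an allow-list policy from the executables and scripts present on a clean image, switches it to audit mode so violations are logged before anything is blocked, tests how it would treat a file that is not on the image, and then applies it. The policy path, the directories scanned and the candidate file path are assumptions.

```powershell
# Added example (not from the original article): generate an AppLocker
# allow-list from a freshly imaged PC, audit first, then enforce.
# Paths below are assumptions; adjust to your image and policy store.
Import-Module AppLocker

$policyPath = 'C:\Policies\allowlist.xml'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# Collect publisher and hash information for every EXE and script under the
# directories a clean image is expected to contain.
$files = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script }

# Prefer publisher rules for signed binaries and fall back to hash rules for the
# rest. -Optimize collapses redundant rules; -Xml returns the policy as XML text.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# New-AppLockerPolicy emits rule collections as NotConfigured. Start in AuditOnly
# so blocked launches only appear in the AppLocker event log; change this to
# "Enabled" once the log shows no legitimate software being denied.
$xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Out-File -FilePath $policyPath -Encoding utf8

# Dry run: how would the policy treat a binary that is not part of the image?
# The path is a placeholder for any file you want to check; with no matching
# allow rule the decision is DeniedByDefault.
$candidate = 'C:\Users\Public\unapproved.exe'
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply to the local machine, merging with any existing rules. The Application
# Identity service (AppIDSvc) must be running for AppLocker to take effect.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

For domain-joined fleets the same XML is imported into a Group Policy object with Set-AppLockerPolicy -Ldap instead of applying it per machine, and the audit-mode events in the AppLocker operational log are the place to look for anything, Superfish-style adware included, that tries to launch outside the approved set.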