Update on Superfish/Komodia Malware – How to find and remove it

As we get more details about the ugly Superfish debacle, it has become apparent that the impact of this malware extends further than a limited number of laptops compromised by a manufacturer (Lenovo) eager to monetize its customers’ screen space.

Lenovo says it only wanted to “enhance the online shopping experience” for its users. (Of course, as many of us have learned, if it “enhances the online experience” it should immediately raise security suspicions). The other two companies involved are search startup Superfish (whose eponymous software is the malware in question), and a software “solution provider” Komodia.

Superfish used one of Komodia’s software development kits, which is clearly identified as an SSL Hijacker, in its adware. Lenovo factory-installed the Superfish “visual search” app on a dozen models of its machines so that its users got to see more ads. The words “value-add” were, of course, tossed around a lot.

Evil intent or incompetence? It seems to be a mix of both. Many consumer devices have razor-thin profit margins, so manufacturers install bloatware to increase profits. A few pennies for every bit of bloat on every machine bolsters the bottom line nicely. We doubt that Lenovo intended to compromise the security of the entire system with Superfish, but the company should obviously have done due diligence on the code of anything it pre-installs, particularly snoopy products that serve up ads.

There are a couple of legitimate uses for an SSL Hijacker – anonymous browsing and parental control are two that immediately come to mind. But an SSL hijacker has no place in a well-intentioned piece of adware.

Sadly, as more security researchers look into the situation, Komodia’s tech is showing up in a growing number of products, including anti-adware (Lavasoft’s Ad-Aware Web Companion; more on this here) and parental control software (Qustodio).

Security researcher Hanno Böck discovered Komodia code in the latest version of PrivDog, and Ars Technica points out that the CEO of PrivDog creator AdTrustMedia is Melih Abdulhayoglu, who also happens to be CEO of Comodo Security, a respected antivirus provider and one of the main certificate-issuing authorities.

According to Matt Richard, a Threats Researcher on the Facebook Security Team, more than a dozen software applications other than Superfish use Komodia code:

  • ArcadeGiant
  • CartCrunch Israel LTD
  • Catalytix Web Services
  • Objectify Media Inc
  • OptimizerMonitor
  • Over the Rainbow Tech
  • Say Media Group LTD
  • System Alerts
  • Trojan.Nurjax
  • WiredTools LTD

Security researchers continue to dissect apps looking for Komodia code.

What to do? Consumers may want to check their systems for the presence of Komodia code here. If found, consider using Microsoft’s Windows Defender to remove it. See this article for further details.
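Komodia-based SSL hijackers work by installing their own root certificate, with its private key, into the Windows trusted root store so the software can sign certificates for any site on the fly. The following PowerShell script is an added example, not part of this post or the checker it links to: it lists trusted roots whose name matches a pattern (the default pattern ‘Superfish|Komodia’ is an assumption) or for which a private key is present on the machine, something a genuine public CA root never has.

```powershell
# Added example (not from the BAI Security post or from Komodia/Superfish code):
# flag trusted root certificates that look like SSL-interception roots.
# Heuristic 1: subject or issuer matches a name pattern (default is an assumption).
# Heuristic 2: the private key for a trusted root is present on this machine.
param(
    [string]$NamePattern = 'Superfish|Komodia'
)

# Both the machine-wide and the current-user root stores are checked, since
# injected roots have been seen in either location.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        if ($_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern) {
            $reasons += "name matches '$NamePattern'"
        }
        if ($_.HasPrivateKey) {
            $reasons += 'private key present for a trusted root'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No suspicious root certificates found in the checked stores.'
}
```

A host that runs an organization’s own internal CA will legitimately show a root with a private key, so review each finding before acting on it. Deleting the certificate alone does not uninstall the interception software, which is why the post points to Windows Defender for removal.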

For the more complicated environment of a business network, a BAI Security Compromise Assessment will search for anomalies on all endpoints in real time, using nonintrusive forensic software that detects Komodia code along with other, equally malicious malware. Find out more here.

Posted in BAI Security Blog, Malware.
