Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

One fish, two fish, superfish clones are everywhere - fixedByVonnie

One fish, two fish, superfish clones are everywhere

Posted on by vonnie No Comments ↓

Maniacal Malware is everywhere and it’s getting worse everyday.

Superfishy stuff going on

Earlier this week, I shared the Superfish situation and filled thousands of my readers with angst.  If you’re just getting up to speed on things, I need to drop a knowledge bomb on you: Malware is getting worse.

Superfish is the latest security thing to sweep the internet and has nothing to do with jumbo sushi or trophy bass fishing.  I wish it did because then we could all laugh.

The world just found out that the third largest computer manufacturer in the world (the largest in China) was bundling software that not only furtively tracked internet usage but also provided a door for hackers to step in between secure connections and read encrypted traffic.  Lenovo is now embroiled in a lawsuit in the California Southern District Court and a class action lawsuit being handled by NYC based law firm.

This is a pretty big freggin’ deal because Superfish completely nullifies the purpose of encrypted web communications.  It doesn’t matter if you’re logging into https://www.citibank.com/ or https://www.facebook.com/.

Browser Certificates

Since Superfish installs a fabricated root certificate in the Windows trusted root certification store, the green little padlock and all the security assurances you see online are futile.  An attacker can snoop on all your internet activities without your knowledge.  All he or she would need to do is join the same public network you’re on and open a protocol analyzer like Wireshark and start collecting packets.

Yup.

PrivDog is a DeadDog

But that’s not all, Privdog advertises itself as “a new layer of internet security”; however, if you download that mendacious application you’ll also install a villainous root certificate in your trusted certificate store.

Yesterday, PrivDog released a security advisory that looks so innocuous that an innocent bystander might not grasp the implications of the problem.

THe problem is that PrivDog installs a root certificate that forces your browser to wantonly accept any certificate regardless of validity!

This is worse than bad.  It’s egregious.  It’s unconscionable.  It’s immoral.

PrivDog attempts to alleviate the severity of the security threat by assuring the public that “the issue potentially affects a very limited number of websites” and “the potential issue has already been corrected”.

PrivDog Advisory

I don’t know who was responsible for the bullshitish language in its PR team but this message smells like a heaping mass of manure.  As I said earlier, this is an unforgivable mistake and a simple security advisory shouldn’t bring solace to anyone.

PrivDog should be completely self-effacing and explain the ramifications of the root certificate and then demonstrate genuine contrition by delineating how the problem happened and expounding on why it will never happen again.

Instead of seeing a heart felt apology from Privdog I see bullshit.  And I hate hate bullshit.

Download.com: delivering malware to millions daily!

But the bigger issue is that some of the largest software distribution sites, such as Download.com, are disseminating software that installs other invalid root certificates that expose your machine to the same SuperFishy vulnerabilities.

Top downloads on Download.com

For example, last week Download.com is showing us over half a million people downloaded KMPlayer.  Half a freggin’ million people.  If this is a monthly indicator we can surmise over 2 million people download this thing per month.

I joined the masses and installed it to see what would happen.

I breezed through the installation wizard (which is a very bad idea, I wrote about why in an earlier article) and eventually arrived at a screen about something called Wajam.

Hmm…

Do not install Wajam

If you read the little blurb it is clearly a harbinger of doom:

Wamjam may change your local proxy settings and use dll, cookies, pixels or other means to collect your IP address, URLS of the pages you visit and other information including the content of encrypted web pages to give you personal search results and show you advertising.

This little bit about “including the content of encrypted web pages” is completely absurd.  It’s almost risible.

It reminds me of those fatuous medicine infomercials where you see a felicitous couple skipping through the forest.  The sun is beaming, the leaves are dancing shadow patterns on the enchanted forest floor and the melodic piano rift in the background is positively soothing.

Then the host speaks in careful, therapeutic voice that reminds you of a close friend.  As the couple skips in slow motion through the thicket, the narrator begins listing all the benefits of the drug. But as the advertisement reaches the end, narration speeds up and a laundry list of side-effects are barfed which includes a whole bunch little things such as nausea, brain tumors, heart palpitations and – oh yeah – death.

It’s like Wamjam is saying, “Yeah, we’ll enhance your internet experience so Accept this offer! Oh and by the way, we’ll read all your encrypted data, Yeah, accept this offer! Accept this offer!  Accept this offer!”

Epoxy Proxies

Epoxy is that super strong adhesive that sticks to stuff and never lets go.  That’s what I feel the Wajam proxy does.  It installs itself in your Internet Settings, opens a proxy and then smuggles itself deep within your trusted root certificate store.

When I typed Windows Key + w and typed “Internet Settings” I saw that gooey epoxy proxy sticking to my browser settings.

Open Internet Options

In the Connections tab, click the LAN Settings button in the bottom right corner of the Local Area Network (LAN) Settings dialog box and choose the Advanced button to open your Proxy Settings.  For most people this should be blank.

A proxy means all your internet communications are being filtered through a service somewhere.  In my case, it’s being filtered through the host with IP address 127.0.0.1, which is me, my PC is the localhost.

So there’s a nosy proxy listening on port 51102 that is interacting will all network related communications on my PC.Internet Proxy Settings

You can see this a little deeper when you pop open an elevated command prompt and type:

netstat -abfo

Internetenhancer.exe

In the left column you can see the process name that’s listening on 51102: InternetEnhancer.exe.

This is the actual proxy.  But that’s only one half of the problem.  The truly sinister half is sitting in my “trusted” root certificate store.

Press the Windows Key + r and type “mmc”.  We’re going to add the Trusted Root Certificate Store snap-in so we can axe the invalid certificate.

Press Ctrl + m to open the Add or Remove Snap-in window.

Next, choose Certificates from the left pane and click the Add button in the middle pane so you can manage the certificate for your Computer account.

Viewing your Trusted Root Certificate Authorities

Click Next and then Finish to install the Snap-in on your local computer.

Setting up your MMC snapin to view the trusted root certificate authorities

Now you should see a list of Trusted Root Certification Authorities under the Certificates folder in the left pane.

A normal computer should have root certificates from Microsoft, Go Daddy, GlobalSign, DigiCert and Verisign.  Make sure your root certificate store is current and only has valid certs.

It should look something like my screenshot below:

Browser Certificates

But in my case, I caught a bad root certificate from Download.com.

WajaNEnhance_root_cer

Wajan Enhance Root Certificate

The list of nefarious root certificates is long but here are the biggies:

  • CE_UmbrellaCert
  • DO_NOT_TRUSTFiddler_root
  • Lookthisup
  • Rocket Tab
  • Sendori
  • Super Fish
  • System Alerts, LLC
  • Pando
  • Purelead
  • WajaNEnhance
  • Wajam

The Bottom Line

The best way to protect yourself from this sort of thing is to install software using Ninite, run a good antivirus program but also use discernment when fishing in the turbid waters of the internet.

What do you think of the spate of bad root certificates we’ve seen so far?  How do you feel about this?  Please let me know in the comments below!

</