One fish, two fish, superfish clones are everywhere

Maniacal Malware is everywhere and it’s getting worse everyday.

Superfishy stuff going on

Earlier this week, I shared the Superfish situation and filled thousands of my readers with angst.  If you’re just getting up to speed on things, I need to drop a knowledge bomb on you: Malware is getting worse.

Superfish is the latest security thing to sweep the internet and has nothing to do with jumbo sushi or trophy bass fishing.  I wish it did because then we could all laugh.

The world just found out that the third largest computer manufacturer in the world (the largest in China) was bundling software that not only furtively tracked internet usage but also provided a door for hackers to step in between secure connections and read encrypted traffic.  Lenovo is now embroiled in a lawsuit in the California Southern District Court and a class action lawsuit being handled by NYC based law firm.

This is a pretty big freggin’ deal because Superfish completely nullifies the purpose of encrypted web communications.  It doesn’t matter if you’re logging into https://www.citibank.com/ or https://www.facebook.com/.

Browser Certificates

Since Superfish installs a fabricated root certificate in the Windows trusted root certification store, the green little padlock and all the security assurances you see online are futile.  An attacker can snoop on all your internet activities without your knowledge.  All he or she would need to do is join the same public network you’re on and open a protocol analyzer like Wireshark and start collecting packets.

Yup.

PrivDog is a DeadDog

But that’s not all, Privdog advertises itself as “a new layer of internet security”; however, if you download that mendacious application you’ll also install a villainous root certificate in your trusted certificate store.

Yesterday, PrivDog released a security advisory that looks so innocuous that an innocent bystander might not grasp the implications of the problem.

THe problem is that PrivDog installs a root certificate that forces your browser to wantonly accept any certificate regardless of validity!

This is worse than bad.  It’s egregious.  It’s unconscionable.  It’s immoral.

PrivDog attempts to alleviate the severity of the security threat by assuring the public that “the issue potentially affects a very limited number of websites” and “the potential issue has already been corrected”.

PrivDog Advisory

I don’t know who was responsible for the bullshitish language in its PR team but this message smells like a heaping mass of manure.  As I said earlier, this is an unforgivable mistake and a simple security advisory shouldn’t bring solace to anyone.

PrivDog should be completely self-effacing and explain the ramifications of the root certificate and then demonstrate genuine contrition by delineating how the problem happened and expounding on why it will never happen again.

Instead of seeing a heart felt apology from Privdog I see bullshit.  And I hate hate bullshit.

Download.com: delivering malware to millions daily!

But the bigger issue is that some of the largest software distribution sites, such as Download.com, are disseminating software that installs other invalid root certificates that expose your machine to the same SuperFishy vulnerabilities.

Top downloads on Download.com

For example, last week Download.com is showing us over half a million people downloaded KMPlayer.  Half a freggin’ million people.  If this is a monthly indicator we can surmise over 2 million people download this thing per month.

I joined the masses and installed it to see what would happen.

I breezed through the installation wizard (which is a very bad idea, I wrote about why in an earlier article) and eventually arrived at a screen about something called Wajam.

Hmm…

Do not install Wajam

If you read the little blurb it is clearly a harbinger of doom:

Wamjam may change your local proxy settings and use dll, cookies, pixels or other means to collect your IP address, URLS of the pages you visit and other information including the content of encrypted web pages to give you personal search results and show you advertising.

This little bit about “including the content of encrypted web pages” is completely absurd.  It’s almost risible.

It reminds me of those fatuous medicine infomercials where you see a felicitous couple skipping through the forest.  The sun is beaming, the leaves are dancing shadow patterns on the enchanted forest floor and the melodic piano rift in the background is positively soothing.

Then the host speaks in careful, therapeutic voice that reminds you of a close friend.  As the couple skips in slow motion through the thicket, the narrator begins listing all the benefits of the drug. But as the advertisement reaches the end, narration speeds up and a laundry list of side-effects are barfed which includes a whole bunch little things such as nausea, brain tumors, heart palpitations and – oh yeah – death.

It’s like Wamjam is saying, “Yeah, we’ll enhance your internet experience so Accept this offer! Oh and by the way, we’ll read all your encrypted data, Yeah, accept this offer! Accept this offer!  Accept this offer!”

Epoxy Proxies

Epoxy is that super strong adhesive that sticks to stuff and never lets go.  That’s what I feel the Wajam proxy does.  It installs itself in your Internet Settings, opens a proxy and then smuggles itself deep within your trusted root certificate store.

When I typed Windows Key + w and typed “Internet Settings” I saw that gooey epoxy proxy sticking to my browser settings.

Open Internet Options

In the Connections tab, click the LAN Settings button in the bottom right corner of the Local Area Network (LAN) Settings dialog box and choose the Advanced button to open your Proxy Settings.  For most people this should be blank.

A proxy means all your internet communications are being filtered through a service somewhere.  In my case, it’s being filtered through the host with IP address 127.0.0.1, which is me, my PC is the localhost.

So there’s a nosy proxy listening on port 51102 that is interacting will all network related communications on my PC.Internet Proxy Settings

You can see this a little deeper when you pop open an elevated command prompt and type:

netstat -abfo

Internetenhancer.exe

In the left column you can see the process name that’s listening on 51102: InternetEnhancer.exe.

This is the actual proxy.  But that’s only one half of the problem.  The truly sinister half is sitting in my “trusted” root certificate store.

Press the Windows Key + r and type “mmc”.  We’re going to add the Trusted Root Certificate Store snap-in so we can axe the invalid certificate.

Press Ctrl + m to open the Add or Remove Snap-in window.

Next, choose Certificates from the left pane and click the Add button in the middle pane so you can manage the certificate for your Computer account.

Viewing your Trusted Root Certificate Authorities

Click Next and then Finish to install the Snap-in on your local computer.

Setting up your MMC snapin to view the trusted root certificate authorities

Now you should see a list of Trusted Root Certification Authorities under the Certificates folder in the left pane.

A normal computer should have root certificates from Microsoft, Go Daddy, GlobalSign, DigiCert and Verisign.  Make sure your root certificate store is current and only has valid certs.

It should look something like my screenshot below:

Browser Certificates

But in my case, I caught a bad root certificate from Download.com.

WajaNEnhance_root_cer

Wajan Enhance Root Certificate

The list of nefarious root certificates is long but here are the biggies:

  • CE_UmbrellaCert
  • DO_NOT_TRUSTFiddler_root
  • Lookthisup
  • Rocket Tab
  • Sendori
  • Super Fish
  • System Alerts, LLC
  • Pando
  • Purelead
  • WajaNEnhance
  • Wajam

The Bottom Line

The best way to protect yourself from this sort of thing is to install software using Ninite, run a good antivirus program but also use discernment when fishing in the turbid waters of the internet.

What do you think of the spate of bad root certificates we’ve seen so far?  How do you feel about this?  Please let me know in the comments below!

About

Connect with Vonnie on Twitter

Posted in Google Chrome, Internet Explorer 10, Internet Explorer 11, Internet Explorer 9, Mozilla Firefox, Opera, Safari, Web Browsers, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1 Tagged with: , , , ,