Superfish Root Certificate Used to Sign Malware

The recent issue with the Superfish VisualDiscovery software installing a root certificate on some Windows 8/8.1 systems shipped by Lenovo was generally reported to facilitate man-in-the-middle attacks for SSL connections. The properties of that certificate, however, allow it to be used for any digital-signing purposes, including signing files and malware.

On February 26, McAfee Global Threat Intelligence cloud detection provided coverage for a file carrying a digital certificate claiming to be signed by Microsoft Corporation but that chained to the same Superfish, Inc. root certificate installed on some Lenovo systems:

Superfish 1

The fake Microsoft Corporation file certificate chains directly to the Superfish, Inc. root certificate and is validated if the root certificate is present:

Superfish 2

The Superfish, Inc. certificate is a self-signed root certificate for which the private keys were easily recovered from the installed Superfish files, enabling anyone to recreate their own signed components that would validate to the root certificate.

The Intended Purposes property value of the Superfish root certificate is set to <All>, which means the root certificate can sign anything, including files (code signing), SSL (server authentication), email (secure email), etc., giving this root certificate wide authority on the system containing it.

Superfish 3

On February 22, McAfee released detection and removal of the Superfish VisualDiscovery application and the root certificate it installs in McAfee DAT release 7718.

McAfee is updating detection of this malware signed by the Superfish, Inc. root certificate as Trojan RDN/Downloader.a!ur in the McAfee DAT release 7727.

Details of the VisualDiscovery detection by McAfee can be found on our consumer online Virus Information Library:

The post Superfish Root Certificate Used to Sign Malware appeared first on McAfee.