Overview
Lenovo Security Advisory: LEN-2015-010
Potential Impact: Man-in-the-Middle Attack
Severity: High
Chris Palmer, a developer working for Google on Chrome, discovered that Lenovo delivers notebooks with the adware “Superfish” pre-installed. Research shows that it has been pre-installed since at least September 2014, when a forum post about Superfish appeared.
This software acts as an SSL man-in-the-middle in order to collect data and inject ads into websites. It does this seamlessly because SuperFish installs its own certificate as a root certificate in the Windows root certificate store, without any restrictions. Any certificate SuperFish generates is therefore validated without question, as if it had been issued by Microsoft itself. The pre-installed certificate appears to be identical on all systems.
This also means that malicious software signed with a SuperFish-generated certificate will be implicitly trusted by the operating system. Should the SuperFish private key be extracted, which has already happened, anyone could intercept the communications of these computers or generate software signatures they accept as valid.
Effect
Inserting a root certificate at the factory undermines every VPN, database and software-update connection the laptop makes, all in order to insert ads into secure shopping websites; in effect, every SSL session on the laptop is hijacked.
This makes it easy for attackers to breach these systems through the security holes the software opens up.
Simple Test
If you see an image with “YES” written on it, you have a problem. Run the test in every browser you have installed.
(If the browser asks you to confirm/trust/accept with a pop-up, that is good: you are not affected. But for the future, consider that answering yes to such pop-ups is dangerous: you are giving up the security of the connection.)
https://filippo.io/Badfish/
Advisory
This advisory only applies to Lenovo Notebook products. (ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)
Affected Products
The following Lenovo notebooks may be affected:

Certificate Extracted – by Erratasec
Erratasec extracted the certificate from the SuperFish adware and cracked the password (“komodia”) that encrypted it.
As a result, an attacker can intercept any encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot.
Process
- Reverse engineered the software by running it under a debugger (IDA Pro), setting a breakpoint right after it decrypts itself.
- Set that breakpoint before the software actually infects the machine.
- Ran it on a test machine (infecting it) and used “procdump” to dump the process’s memory: procdump -am VisualDiscovery.exe super.dmp
- Ran the strings program, which extracts human-readable strings from a binary file and discards the rest: strings super.dmp > super.txt
- Loaded the text file into a text editor and searched for the string “PRIVATE KEY”; it appears several times in the memory dump.
- Wrote his own password-cracking tool and found the password, “komodia”, in 10 seconds.
- Successfully decoded the certificate, and now has the ability to perform man-in-the-middle attacks on people with Lenovo laptops.
Remove Software
- Open the Windows Start menu or Start screen and search for Uninstall a program. Launch it.
- Right-click Superfish Inc VisualDiscovery and select Uninstall. When prompted, enter your administrator password.
Remove Certificate
- Open the Windows Start menu or Start screen and search for certmgr.msc. Right-click it and select Launch as Administrator.
- Click Trusted Root Certification Authorities and open Certificates. Scroll down or use find to get to the Superfish, Inc. certificate. Right-click it and select Delete.
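The same check and removal, scripted so it can be run on many machines. This is an added example, not part of the advisory or a Lenovo tool; it assumes Windows PowerShell 3.0 or later, an elevated session for the LocalMachine store, and that the certificate's subject contains “Superfish” as the store entry named above does.

```powershell
# Added example (not from the advisory): find, and optionally remove, the
# Superfish root certificate from the Windows trusted root stores.
# Assumption: the store entry is "Superfish, Inc.", so a subject match on
# "Superfish" identifies it; run elevated to touch Cert:\LocalMachine\Root.

function Get-SuperfishCertificate {
    # Check both the machine-wide and the per-user trusted root stores.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Path       = $_.PSPath
                }
            }
    }
}

function Remove-SuperfishCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $found = @(Get-SuperfishCertificate)
    if ($found.Count -eq 0) {
        Write-Output 'No Superfish certificate found in the root stores.'
        return
    }
    foreach ($cert in $found) {
        # -WhatIf on the caller gives a dry run; -Confirm prompts per certificate.
        if ($PSCmdlet.ShouldProcess($cert.Path, 'Remove trusted root certificate')) {
            Remove-Item -Path $cert.Path
            Write-Output "Removed $($cert.Subject) ($($cert.Thumbprint)) from $($cert.Store)"
        }
    }
}

# The advisory uninstalls the software before deleting the certificate;
# warn if the adware process is still running so that order is kept.
if (Get-Process -Name VisualDiscovery -ErrorAction SilentlyContinue) {
    Write-Warning 'VisualDiscovery.exe is still running; uninstall Superfish first.'
}
Get-SuperfishCertificate | Format-Table -AutoSize
# Dry run: Remove-SuperfishCertificate -WhatIf   Real run: Remove-SuperfishCertificate
```

Run the report first; an empty table in both stores is the same result as the browser test above showing no “YES” image.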
Remove From Firefox
- Options/Preferences.
- Advanced, then Certificates.
- View Certificates.
- Look for Superfish and choose Delete or Distrust.