It’s a scary time to be a Windows user. Lenovo was bundling HTTPS-hijacking Superfish adware, Comodo ships with an even worse security hole called PrivDog, and dozens of other apps like LavaSoft are doing the same. It’s really bad, but if you want your encrypted web sessions to be hijacked just head to CNET Downloads or any freeware site, because they are all bundling HTTPS-breaking adware now.
The Superfish fiasco began when researchers noticed that Superfish, bundled on Lenovo computers, was installing a fake root certificate into Windows that essentially hijacks all HTTPS browsing so that the certificates always look valid even if they aren’t, and they did it in such an insecure way that any script kiddie hacker could accomplish the same thing.
And then they are installing a proxy into your browser and forcing all of your browsing through it so they can insert ads. That’s right, even when you connect to your bank, or health insurance site, or anywhere that should be secure. And you would never know, because they broke Windows encryption to show you ads.
But the sad, sad fact is that they aren’t the only ones doing this — adware like Wajam, Geniusbox, Content Explorer, and others are all doing the exact same thing, installing their own certificates and forcing all your browsing (including HTTPS encrypted browsing sessions) to go through their proxy server. And you can get infected with this nonsense just by installing two of the top 10 apps on CNET Downloads.
The bottom line is that you can no longer trust that green lock icon in your browser’s address bar. And that’s a scary, scary thing.
How HTTPS-Hijacking Adware Works, and Why It’s So Bad
As we’ve shown before, if you make the huge gigantic mistake of trusting CNET Downloads, you could already be infected with this type of adware. Two of the top ten downloads on CNET (KMPlayer and YTD) are bundling two different types of HTTPS-hijacking adware, and in our research we found that most other freeware sites are doing the same thing.
Note: the installers are so tricky and convoluted that we aren’t sure who is technically doing the “bundling,” but CNET is promoting these apps on their home page, so it’s really a matter of semantics. If you’re recommending that people download something that is bad, you are equally at fault. We’ve also found that many of these adware companies are secretly the same people using different company names.
Based on the download numbers from the top 10 list on CNET Downloads alone, a million people are infected every month with adware that is hijacking their encrypted web sessions to their bank, or email, or anything that should be secure.
If you made the mistake of installing KMPlayer, and you manage to ignore all of the other crapware, you’ll be presented with this window. And if you accidentally click Accept (or hit the wrong key) your system will be pwned.
If you ended up downloading something from an even more sketchy source, like the download ads in your favorite search engine, you’ll see a whole list of stuff that isn’t good. And now we know that many of them are going to completely break HTTPS certificate validation, leaving you completely vulnerable.
Once you get yourself infected with any one of these things, the first thing that happens is that it sets your system proxy to run through a local proxy that it installs on your computer. Pay special attention to the “Secure” item below. In this case it was from Wajam Internet “Enhancer,” but it could be Superfish or Geniusbox or any of the others that we’ve found, they all work the same way.
When you go to a site that should be secure, you’ll see the green lock icon and everything will look perfectly normal. You can even click on the lock to see the details, and it will appear that everything is fine. You’re using a secure connection, and even Google Chrome will report that you are connected to Google with a secure connection. But you aren’t!
System Alerts LLC is not a real root certificate and you are actually going through a Man-in-the-Middle proxy that is inserting ads into pages (and who knows what else). You should just email them all your passwords, it would be easier.
Once the adware is installed and proxying all of your traffic, you’ll start to see really obnoxious ads all over the place. These ads display on secure sites, like Google, replacing the actual Google ads, or they show up as popups all over the place, taking over every site.
Most of this adware shows “ad” links to outright malware. So while the adware itself might be a legal nuisance, they enable some really, really bad stuff.
They accomplish this by installing their fake root certificates into the Windows certificate store and then proxying the secure connections while signing them with their fake certificate.
If you look in the Windows Certificates panel, you can see all sorts of completely valid certificates… but if your PC has some type of adware installed, you’re going to see fake things like System Alerts, LLC, or Superfish, Wajam, or dozens of other fakes.
Even if you’ve been infected and then removed the badware, the certificates might still be there, making you vulnerable to other hackers that might have extracted the private keys. Many of the adware installers don’t remove the certificates when you uninstall them.
They’re All Man-in-the-Middle Attacks and Here’s How They Work
If your PC has fake root certificates installed in the certificate store, you are now vulnerable to Man-in-the-Middle attacks. What this means is if you connect to a public hotspot, or somebody gets access to your network, or manages to hack something upstream from you, they can replace legitimate sites with fake sites. This might sound far-fetched, but hackers have been able to use DNS hijacks on some of the biggest sites on the web to hijack users to a fake site.
Once you are hijacked, they can read every single thing that you submit to a private site — passwords, private information, health information, emails, social security numbers, banking information, etc. And you’ll never know because your browser will tell you that your connection is secure.
This works because public key encryption requires both a public key and a private key. The public keys are installed in the certificate store, and the private key should be known only by the website you are visiting. But when attackers can hijack your root certificate and hold both the public and private keys, they can do anything they want.
In the case of Superfish, they used the same private key on every computer that has Superfish installed, and within a few hours, security researchers were able to extract the private key and create websites to test whether you are vulnerable, proving that you could be hijacked. For Wajam and Geniusbox, the keys are different, but Content Explorer and some other adware also use the same keys everywhere, which means this problem is not unique to Superfish.
It Gets Worse: Most of This Crap Disables HTTPS Validation Entirely
Just yesterday, security researchers discovered an even bigger problem: All of these HTTPS proxies disable all validation while making it look like everything is just fine.
That means that you can go to an HTTPS website that has a completely invalid certificate, and this adware will tell you that the site is just fine. We tested the adware that we mentioned earlier and they are all disabling HTTPS validation entirely, so it doesn’t matter if the private keys are unique or not. Shockingly bad!
Anybody with adware installed is vulnerable to all sorts of attacks, and in many cases continues to be vulnerable even after the adware is removed.
You can check if you are vulnerable to Superfish, Komodia, or invalid certificate checking using the test site created by security researchers, but as we’ve demonstrated already, there is a lot more adware out there doing the same thing, and from our research, things are going to continue to get worse.
Protect Yourself: Check the Certificates Panel and Delete Bad Entries
If you are worried, you should check your certificate store to make sure that you don’t have any sketchy certificates installed that could later be activated by somebody’s proxy server. This can be a little complicated, because there’s a lot of stuff in there, and most of it is supposed to be there. We also don’t have a good list of what should and should not be there.
Use WIN + R to pull up the Run dialog, and then type “mmc” to pull up a Microsoft Management Console window. Then use File -> Add/Remove Snap-ins and select Certificates from the list on the left, and then add it to the right side. Make sure to select Computer account on the next dialog, and then click through the rest.
You’ll want to go to Trusted Root Certification Authorities and look for really sketchy entries like any of these (or anything similar to these):
- Rocket Tab
- Super Fish
- DO_NOT_TRUSTFiddler_root (Fiddler is a legitimate developer tool but malware has hijacked their cert)
- System Alerts, LLC
Right-click and Delete any of those entries that you find. If you saw something incorrect when you tested Google in your browser, make sure to delete that one too. Just be careful, because if you delete the wrong things here, you’re going to break Windows.
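The same check, scripted. This is an added example and not part of the original article: it lists every entry in the machine and user Trusted Root stores whose subject matches the names above (plus Wajam and Komodia, which the article names elsewhere), flags any root that carries its private key on the local machine (the Superfish mistake), and reads the WinINET proxy setting to catch the local "Secure" proxy described earlier. The name list is an assumption to extend; the script only reports and prints the removal command for you to review.

```powershell
# Added example, not code from the article. Run in an elevated PowerShell 5.x session.
# Subject fragments taken from the article's list; extend as needed (assumed list).
$SuspectNames = @('Superfish', 'Super Fish', 'System Alerts', 'Rocket Tab',
                  'DO_NOT_TRUST', 'Fiddler', 'Wajam', 'Komodia')

function Get-SuspectRootCerts {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $reasons = @()
        foreach ($name in $SuspectNames) {
            if ($cert.Subject -like "*$name*") { $reasons += "subject matches '$name'" }
        }
        # A trusted root should never have its private key on an end-user PC;
        # that is exactly what let Superfish's key be extracted and reused.
        if ($cert.HasPrivateKey) { $reasons += 'private key present in local store' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
                RemoveCmd  = "Remove-Item -Path '$StorePath\$($cert.Thumbprint)'"
            }
        }
    }
}

function Get-LocalProxySetting {
    # The adware points WinINET at a proxy on the machine itself, so an enabled
    # proxy on 127.0.0.1/localhost is the symptom to look for.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer -match '127\.0\.0\.1|localhost') {
        return $p.ProxyServer
    }
    return $null
}

$findings = @(Get-SuspectRootCerts) +
            @(Get-SuspectRootCerts -StorePath 'Cert:\CurrentUser\Root')
if ($findings.Count -eq 0) { 'No suspicious root certificates found.' }
else { $findings | Format-List Subject, Thumbprint, NotAfter, Reasons, RemoveCmd }

$proxy = Get-LocalProxySetting
if ($proxy) { Write-Warning "WinINET proxy is enabled and points at this machine: $proxy" }
```

Treat a hit on the private-key check as the stronger signal; a matching name alone can be a legitimate developer tool such as Fiddler, so read the Subject and Issuer before running the printed Remove-Item command.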
We’re hoping that Microsoft releases something to check your root certificates and make sure that only good ones are there. Theoretically you could use this list from Microsoft of the certificates required by Windows, and then update to the latest root certificates, but that’s completely untested at this point, and we really don’t recommend it until somebody tests this out.
Next, you’re going to need to open your web browser and find the certificates that are probably cached there. For Google Chrome, go to Settings, Advanced Settings, and then Manage certificates. Under Personal, you can easily click the Remove button on any bad certificates…
But when you go to Trusted Root Certification Authorities, you’re going to have to click Advanced and then uncheck everything that you see to stop giving permissions to that certificate…
But that’s insanity.
Go to the bottom of the Advanced Settings window and click on Reset settings to completely reset Chrome to defaults. Do the same for whatever other browser you are using, or completely uninstall, wiping all settings, and then install it again.
If your computer has been affected, you’re probably better off doing a completely clean install of Windows. Just make sure to backup your documents and pictures and all of that.
So How Do You Protect Yourself?
It’s nearly impossible to completely protect yourself, but here are a few common-sense guidelines to help you out:
- Check the Superfish / Komodia / Certification validation test site.
- Enable Click-To-Play for plugins in your browser, which helps protect you from the zero-day security holes in Flash and other plugins.
- Be really careful what you download and try to use Ninite when you absolutely must.
- Pay attention to what you are clicking any time you click.
- Consider using Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) or Malwarebytes Anti-Exploit to protect your browser and other critical applications from security holes and zero-day attacks.
- Make sure all of your software, plugins, and anti-virus stay updated, and that includes Windows Updates as well.
But that’s an awful lot of work for just wanting to browse the web without being hijacked. It’s like dealing with the TSA.
The Windows ecosystem is a cavalcade of crapware. And now the fundamental security of the Internet is broken for Windows users. Microsoft needs to fix this.