Windows SSL Interception Gone Wild
Protect the Graph
This week researchers found that newer Lenovo laptops shipped with pre-installed software made by Superfish. The discovery is the latest reminder that our collective security depends on one another more than ever. As the news quickly rippled out, our Threat Infrastructure team at Facebook began performing an analysis of the details. Given our strong belief in the value of openness in security and learning from one another, we summarized some of our findings below to help guide future research on the subject.
It's not uncommon for OEMs to ship devices with a number of pre-installed applications. The difference with Superfish is the software's ability to intercept people's connections to websites secured with SSL and then inspect the content. Superfish uses a third party library from a company named Komodia to modify the Windows networking stack and install a new root Certificate Authority (CA), allowing Superfish to impersonate any SSL-enabled site. The new root CA undermines the security of web browsers and operating systems, putting people at greater risk. The stated reason for this inspection functionality is to enable the Superfish Visual Search capability that looks at people's search queries and makes suggestions based on proprietary processes. 
Despite the frequency of secure communications inspection by companies like anti-virus software makers, whose products must sit in the middle of connections to provide their service, we see several reasons to be concerned about this practice in the case of Superfish and others. Chief among those is privacy—the Superfish software can see all of the computer user's activity, including banking, email and Facebook traffic. The second problem is the use and installation of a new root CA, especially when that root CA is the same across many different computers. By reusing the same certificate, a bad actor could potentially obtain that CA file and perform “man-in-the-middle” (MITM) attacks on untrusted networks like public WiFi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet. In this case, the certificate used by the Superfish software is relatively easy to extract. Although we are not aware of anyone abusing this certificate in the wild, it's a real risk and would be hard to detect.
In 2012, we started a project with researchers from Carnegie Mellon University to measure how prevalent SSL MITM was in the wild (https://www.linshunghuang.com/papers/mitm.pdf). At the time, one example we observed was that certain deep packet inspection (DPI) devices were using the same private key across devices, which can be exploited by an attacker with the capacity to extract the key from any single device (Tor report: https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372). Superfish is similar in that it uses the same private key across all clients, but it's more dangerous because its root certificate is installed on significantly more clients than those behind the vulnerable DPI devices.
With Superfish, we found that the affected OS platforms were limited to Windows—likely due to the fact that the SSL interception library is platform-specific. Roughly 70% of infected people we researched were using Chrome, 27% were using Internet Explorer, and 3% were using Opera. Interestingly, we observed only a tiny percentage of infected people on Firefox. Firefox uses its own NSS root store for SSL certificate verification, which is separate from the operating system's root store used by IE and Chrome, thus it's possible that the software was inconsistent in injecting its root into the NSS root store, but we're still investigating.
The fake Facebook entity certificates issued by Superfish used weak 1024-bit RSA keys and were directly signed by the universal root certificate with no intermediate certificates in the chain. In contrast to corporate firewalls that also install local root certificates into an employee's machine for traffic filtering purposes, one of the characteristics of SSL interceptions performed by malware is that it is widespread across the world. The figure below shows the percentage of SSL connections intercepted by Superfish for Windows clients in each country.
We've observed more than a dozen other software applications using the Komodia library, and many of these applications appear to be suspicious. Here is a list of the certificate issuers we observed:
Initial open source research of these applications reveals a lot of adware forum posts and complaints from people. All of these applications can be found in VirusTotal and other online virus databases with their associated Komodia DLL's. We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data. 
Although this list is not exhaustive, it represents certificates seen in more than 1,000 systems on the internet at any given point in time. Some of these applications appear as games, while others seem to generate popups based on your search behavior or claim to perform a specific function like Superfish's Visual Search. What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove. Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by anti-virus products as malware or adware, though from our research, detection successes are sporadic.
We also see software that is much more aggressively categorized as malware using Komodia's libraries. We found one application detected by Symantec as "Trojan.Nurjax" that has about 1/3 the install base of Superfish and uses the root CA name "NJax Intermediate SSL." The Symantec writeup can be found here: http://www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2.
From a technical perspective, the Komodia library is easy to detect. In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software. These functions, which are Windows PE exports, include “CertInstallAll”, “GetCertPEMDLL”, “InstallFirefoxDirectory”, “SetCertDLL”, and “SetLogFunctionDLL.” Most of these libraries are designed to work on Windows 8 and will not install on older operating systems. Hopefully this information will give some good leads to researchers for further investigation.
Facebook is actively working with our anti-virus partners to find and remove instances of malware we detect when people visit our service. We're publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers. We think that shining the light on these practices will help the ecosystem better analyze and respond to similar situations as they occur. For more information and resources about how to scan your system for malware, see https://www.facebook.com/help/320234818071511/.
Here is a list of SHA1 hashes we used in our research:
Matt Richard is a Threats Researcher on the Facebook Security Team.
Allison Carver
*nix + ff ftw
Paul George Grecu
#superfish https://twitter.com/FiloSottile/status/568804580743614465
Kane York
Hello, could you publish the certificate fingerprints of the other issuers that you observed doing interception? Thanks.
Lee Colleton
Not entirely unrelated: Why does Facebook suggest "Facebook Messenger" when I search for #TextSecure ?
Simon Waters
Firefox lacks a XSS auditor like Chrome and IE, NoScript tries to fix this kind of. I use Firefox on Debian, but it isn't a panacea. Also on Windows and OSX some tools use the included password management APIs, I vaguely recall Chrome on Linux does something daft for cookie encryption because it lacks similar API. Security is hard.
Marc Rogers
Hey Matt - two things - There were a bunch of folks involved in the Superfish / Komodia research. It would be cool if you cited them in your continuing research.

Separately there is now a detector for the Superfish / Komodia certificates. It can be found here: https://filippo.io/Badfish/
Coleman Kane
Great write-up, Matt. Conveniently this will be a nice example to use when I get to the PKI auth part of my class.
Mohamed Abdel Aty
komedia website says " Site is offline due to DDOS with the recent media attention."

i sense a lawsuit in progress :)
Firas Salem
In case it helps, I've published a small hard disk scanner based on the above SHA1 hashes. Blog post here:: http://hexatomium.github.io/2015/02/23/komodia-sha1-fast-finder/
Norbert Bob Gostischa
You seem to have overlooked Comodo's Dragon Privdog which some consider worse than Superfish: http://www.ghacks.net/2015/02/23/privdog-is-superfish-all-over-again/
Jon-Finngard Moe
Good post. from my experience with different ssl mitm software i agree that their main technical issue is lack of support for modern https features and cipher suites. However. This is even more so the case with corporate firewalls and secure web gateways. I disagree with your statement that corporations install their firewall's root ca in browsers. Common practise is to assign the firewall as a sub ca for microsoft ad. Minimizing the need for certificate distribution.