Komodia.com, home to the SSL interception module at the heart of the Superfish adware dustup, is currently under a distributed denial-of-service attack.
As of 2 p.m. Eastern time, its home page had been replaced with a notice that the site was offline because it was under attack.
“Some people say it’s not DDOS but a high volume of visitors, at the logs it showed [thousands] of connections from repeating IPs,” the notice said.
The attack may be an outcome of last week’s disclosure that Superfish, pre-installed on new Lenovo laptops between September 2014 and this January, put users’ sensitive transactions at risk to man-in-the-middle attacks.
Komodia’s SSL Digester, a self-proclaimed “SSL hijacker SDK,” is used by Superfish, which analyzes images on a website and serves up ads for products similar to the respective images. Komodia decrypts SSL traffic and does so without triggering a browser-based certificate warning. This enables Superfish, which uses the library, to sit in a man-in-the-middle position and see all traffic leaving the machine beyond online advertisements, putting banking, email and other private transactions at risk.
Late last week, researchers uncovered that the Komodia library installs a self-signed root certificate. That same cert, protected by the same password, was shipped on all Lenovo machines. Researcher Rob Graham of Errata Security cracked that password late last week and published details. Attackers can use that information to read traffic that’s supposed to be protected, carrying out a man-in-the-middle attack.
Shortly thereafter, researchers with Facebook’s Security Team reported that it had discovered more than a dozen other software applications using the Komodia library in question, along with a list of certificate issuers. That list includes:
- CartCrunch Israel LTD
- WiredTools LTD
- Say Media Group LTD
- Over the Rainbow Tech
- System Alerts
- ArcadeGiant
- Objectify Media Inc
- Catalytix Web Services
- OptimizerMonitor
“Initial open source research of these applications reveals a lot of adware forum posts and complaints from people. All of these applications can be found in VirusTotal and other online virus databases with their associated Komodia DLL’s,” said Matt Richard, threats researcher at Facebook. “We can’t say for certain what the intentions of these applications are, but none appear to explain why they intercept SSL traffic or what they do with data.”
Richard said the list represents certs on more than 1,000 systems on applications including games, popup generators, or behavior such as Superfish’s.
“What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove,” said Richard, adding that the SSL proxies aren’t likely to adopt advanced protections such as certificate pinning or forward secrecy.
“Some of these deficiencies can be detected by anti-virus products as malware or adware, though from our research, detection successes are sporadic,” Richard said.
Facebook said that the installer for the root CA includes a number of attributes that make it easy to detect, adding that most are designed to work with newer versions of Windows and won’t install on older versions.
