Lenovo pre-installed advertising malware on laptops


A Lenovo laptop my gf bought last year was nearly as bad. No Superfish, plenty of other stuff that was flagged as malware when I googled it.

From my review to Amazon on the product:

"Wajam was the most egregious example. If software shows up on “how to remove spyware” instruction lists (http://www.2-spyware.com/remove-wajam.html) then should you really be putting it on virgin machines fresh from the factory?

Then there’s Astromenda (http://malwaretips.com/blogs/remove-astromenda-virus/), VuuPC (http://www.pcthreat.com/parasitebyid-44261en.html), something to do with “Kale Media”, and something called the “Maxthon Cloud browser” that I don’t trust an inch."


I’d recommend to everyone out there, when you are buying a computer, find a hole in the wall where the person at the desk seems to know absolutely nothing about running a business, and you’ll know you’ve found a person who really knows something about computers and can sell you a competently built machine with the parts you need for your purposes.


InfoSec Taylor Swift has some good tweets on the matter. Apparently the malware not only pushes ads and general nastiness, but apparently leaks a private key that allows attackers to pose as Microsoft and issue updates to infected computers. Yikes!


Well, not so much with laptops, unfortunately. There are a few places that do custom builds, but they’re few and far between. And generally can’t compete, price-wise, with the big guns.

The best option, amazingly enough, is to buy your laptop directly from the Microsoft store (at least in North America, I can’t speak for the rest of the world). Their “signature edition” laptops come pre-installed with Windows. Just Windows. No bloatware, no malware (as long as you don’t consider Windows malware, har har), just a plain vanilla Windows install. It’s quite refreshing. And their prices are almost always cheaper than buying from the manufacturer directly, though you don’t have the same customization options. I was very tempted to pick up a Lenovo Y50 from them recently, actually, though I ended up going with an ultrabook instead.


Hmmm… seems this only applies to the consumer models.

I’ve used the business models for home use for ages (notably the 11" ThinkPad line) and have had no issues.

It’s still very worrying though.

I use a Lenovo laptop (Yoga 2) as my main out-of-home-office machine. I haven’t ever bothered to check the bloatware, and I just use AVG as my antivirus. Anyone know what malware to check for or how best to remove it?

It’s called Superfish, you can get rid of it by un-installing it, and it’s not malware, it’s just unsecured and can open up your system to other malware.

The bigger piece of malware is Internet Explorer.


Why do so many decent hardware manufacturers make such a mess of software (Sony, Samsung, Lenovo, etc…)? It drives me nuts. I feel sorry for the hardware designers who see all their good work destroyed by the marketing dept.

I bought my Thinkpad blank, installed Linux, and haven’t looked back. My phone is now so full of crapware there is no room left for apps I want to install (thanks Samsung). So now I have to root my phone to keep it usable? sigh.


Ouch. My Lenovo laptop never ran Windows. I booted first to a Debian install disk and wiped the whole drive. The install was pretty much painless and it runs absolutely solid. Great hardware.


Heh. Yep. Get an HTC phone and you can factory-unlock the bootloader. The One runs CyanogenMod pretty well. I don’t have any crapware on my phone.


Computer professional specializing in malware/virus infection here. My comments on this, and what others in this thread have said:

First, all new pre-built computers come loaded with crap, and the very first thing you need to do is either (a) do a fresh install from a clean MSDN disk; or (b) uninstall the garbage software, and then install anti-virus and anti-malware software and scan your machine.

Anti-virus: If your system came with McAfee, uninstall that and get something else. In my experience McAfee is worse than most of the free options out there. If you’re willing to pay (and I suggest you do), get Kaspersky (suggested) or Norton (good lately, but not as good a track record as Kaspersky). For free AV options, I typically just go with AVG. (BTW, never try to run two AV programs at once - they won’t play nice together.)

Anti-spyware: Malwarebytes and Spybot. Go ahead and install both on your system - they won’t interfere with each other.

Last comment is not spyware/virus related, but just a good idea for new laptops: If you’re running Windows 8, go and download ClassicShell. It puts back all sorts of usable features into Win8 that were in Win7 and got removed. (Start button/etc.)


So I’ve got a Lenovo Ideapad, 5 or 6 years old at this point (or more?) and I can’t get Malwarebytes to run. It’s installed, but it gives me an error if I try to run it or if I try to uninstall it. It tells me that a file is read-only. Any ideas?

Yeah I guess my question was really if Superfish is something that appears in the installed programs list or if it’s something hidden or named something else - for instance my system has ten apps listed with Lenovo as the publisher, presumably to handle the advanced features of the Yoga. There are probably a dozen more apps that came pre-installed, most of which I recognize but some of which I don’t (Superfish isn’t on the list). None are obviously bad, and I assume them to be benign. But obviously I can’t assume that any more…

I might be more tinfoil-hat than normal but I have not booted a desktop/laptop with factory supplied OS since my second TRS-80. Even if helping someone with a new computer back when I would assist ms-win users I would wipe the OEM install and do a fresh OS install from a msft disk without the universal OEM crapware dragging everything down.
For my own machines I would just order a system with the crappiest drive and get a good one (especially when WD Scorpios were the best), then give away or wipe and use the OEM externally.
(edit) I really suggest MS-win users trying something easy like Ubuntu or Mint if you fear malware and crapware, if you really need a ms-win program just load an instance of VirtualBox with whatever OS including win installed, runs good and has decent 3d accel if you have a good vid card.


Money. Consumer-level PCs/laptops are generally low-margin, high-volume products. So they can make up some of that by bundling crap that unscrupulous software companies install.

Dell and HP seemed to be in competition to see who could make their machines more useless directly out of the box.


I always wipe new systems and do a fresh OS install. It’s the only assurance of not having junk hidden away somewhere.


If it has a pre-installed certificate that allows it to decrypt and inspect secured web traffic, I think it meets most practical definitions of malware, whatever it’s actually doing with the data. User fires up web browser, connects to bank, verifies that web browser interface shows a secure connection from them to the bank, and they don’t actually have one.

The fact that the eavesdropper says “honest, we’ll only use our access to insert ads” doesn’t make it OK. Do they have to meet the same security regulations as the expected endpoint of the connection? Is, for example, the OCC monitoring their hiring practices to make sure they don’t hire a Dev who will use this access to steal?

This kind of MITM inspection is pretty questionable when your employer installs it on a company system without disclosure (Websense). Getting it from a hardware vendor is really vile.


Aw, crap. It uses a completely un-scoped fake root certificate. Sniffing SSL/TLS traffic isn’t the worst of it. Any malicious person with access to that company’s resources could create, for example, fake software updates that checked out as coming directly from Microsoft. When folks buy a ThinkPad are any of them aware of how much of their life they’re handing over to these folks?

Aaand… the pathetically weak password protecting the cert is already cracked, giving p0wnzorship of these laptops to any random stranger, not just Superfish employees. Gaah, this is vile.


If you got your Yoga 2 sometime between Sept 2014 and now, you may have a problem. You can test your machine for Superfish here. (Or, just browse to an https site and check the cert; if it’s signed by Superfish, you’re a winner!) This ArsTechnica article is a good explainer; the comments describe a few manual removal methods.

(ETA two things: Initially Lenovo tried to poo-poo the security risks; the company doubled down even after the sly cert’s private key was cracked…but now saner heads have prevailed, and Lenovo promises to build a complete removal tool [tho no schedule for its release]. Secondly, Ars has posted an article giving step-by-step, illustrated instructions for removing the adware and all traces of the sly cert.)
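
The manual check suggested in the post above (open an https site and see who signed the certificate) can be scripted. This is an added example, not part of the thread or of any vendor tool; the sample certificates are constructed, and the script name in the usage comment is hypothetical.

```python
import socket
import ssl
import sys

MARKER = "superfish"  # issuer text the post says to look for


def issuer_names(cert):
    """Flatten the 'issuer' field of a getpeercert() dict into {attribute: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def signed_by_marker(cert, marker=MARKER):
    """True if the issuer's common name or organization contains the marker."""
    names = issuer_names(cert)
    return any(marker in names.get(field, "").lower()
               for field in ("commonName", "organizationName"))


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate this machine sees for host.

    The default context uses the platform trust store (on Windows, the
    system ROOT and CA stores), so a leaf re-signed by a locally trusted
    interception root validates and is returned with that root as issuer.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inputs in getpeercert() layout (not captured from a real machine).
SAMPLE_INTERCEPTED = {"issuer": ((("organizationName", "Superfish, Inc."),),
                                 (("commonName", "Superfish, Inc."),))}
SAMPLE_CLEAN = {"issuer": ((("countryName", "US"),),
                           (("organizationName", "Example Public CA"),),
                           (("commonName", "Example Public CA G2"),))}

if __name__ == "__main__":
    # Usage (hypothetical file name): python check_issuer.py example.com
    for host in sys.argv[1:]:
        try:
            cert = fetch_cert(host)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(f"{host}: could not complete TLS handshake: {exc}")
            continue
        verdict = "INTERCEPTED" if signed_by_marker(cert) else "ok"
        print(f"{host}: issuer={issuer_names(cert)} -> {verdict}")
```

A handshake failure does not clear the machine: it can mean the interposed certificate was presented but is not trusted by the store Python uses, so inspect the reported error as well.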