By Ryan Holeman

Finding Superfish with Ziften App for Splunk

Backgound: According to PCWorld, Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and of making Lenovo PCs susceptible from man in the middle attacks by pre-loading the adware.

Having issues finding Superfish across your enterprise? With the Ziften App for Splunk, you can find infected endpoints with a straightforward Splunk search. Simply search your Ziften data and filter for the keyword “superfish”. The query is as follows:

index=ziften superfish

fish1

The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular instance, we detected multiple systems infected with Superfish.

Fish2

The above results also make reference to the binary “VirtualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and VirtualDiscovery.exe binary, this software also lays down the following to the system:

A registry entry in:

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeVisualDiscovery

INI and log files in:

%SystemRoot%SysWOW64VisualDiscovery.ini

%SystemRoot%SysWOW64VisualDiscoveryOff.ini

%SystemRoot%System32VisualDiscoveryOff.ini

%TEMP%VisualDiscoveryr.log

Manual detection of Superfish can also be done on an endpoint directly from powershell with the following:

dir cert: -r |where Subject -match “superfish”

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.

fish3

Some researches have stated that you can simply remove Superfish by removing the root certificate shown above with a powershell command such as:

dir cert: -r | where subject -match “superfish” | Remove-Item

This removal procedure does not persist across reboots. Simply removing the root cert does not work as VirtualDiscovery.exe will reinstall the root cert after a system reboot.

The simplest way to remove Superfish from your system is to update Microsofts built in AV product Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other remediation methods exists, but updating Windows Defender is by far the simplest method. If you are interested in other methods, Lenovo has released source code and tools for doing so. They can be found here:

http://support.lenovo.com/en/product_security/superfish_uninstall

For more information on Superfish or recently discovered variants, please follow the references listed below:

A great post on dissecting Superfish:

http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html?m=1

Lenovos technical details and source code for removal:

https://github.com/lenovo-inc/superfishremoval/

Facebook research on Superfish variants:

https://m.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339

A Livehacker post on Superfish variants:

http://lifehacker.com/the-other-superfish-like-malware-you-should-check-your-1687699988

Get the General Here