Charles Leaver – Using The Ziften App For Splunk Will Find Instances Of Superfish

Written By Ryan Hollman And Presented By Charles Leaver CEO Ziften

Background information: PCWorld reported that Lenovo admitted to pre-loading the Superfish adware on some customer PCs, and unhappy customers are now taking the company to court over the matter. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with “deceptive” business practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-loading the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can find infected endpoints with a simple Splunk search: search your Ziften data and filter on the keyword “superfish”. The query is just:

index=ziften superfish

[Image: fish1]

The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular case, we identified several systems infected with Superfish.

[Image: Fish2]

The results above also reference the binary VisualDiscovery.exe. As it turns out, this is the core process responsible for the infection. Along with the Superfish root certificate and the VisualDiscovery.exe binary, the software also places the following on the system:

A registry key at:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualDiscovery

INI and log files at:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be done on an endpoint directly from PowerShell with the following:

dir cert:\ -Recurse | where Subject -match "superfish"

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.

[Image: fish3]

Some analysts have stated that you can simply get rid of Superfish by deleting the root certificate shown above with a PowerShell command such as:

dir cert:\ -Recurse | where Subject -match "superfish" | Remove-Item

This removal does not survive a reboot. Deleting the root certificate alone does not work, because VisualDiscovery.exe will reinstall the root certificate after the system restarts.
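The following script is an added example, not code from the original post or from Ziften. It pulls the artifacts the post lists (the root certificate, the registry key, the INI and log files, and the VisualDiscovery.exe process that reinstalls the certificate) into one endpoint check that reports what it finds and sets a non-zero exit code, so it can be run from a scheduler or pushed to many hosts with Invoke-Command. It assumes PowerShell 3.0 or later and an elevated session so the LocalMachine certificate store and HKLM are readable. The function name Test-SuperfishArtifacts is my own. It detects only; it removes nothing.

```powershell
# Added example (not from the original post or Ziften): report the Superfish
# artifacts the post lists on a single Windows endpoint.
# Assumes PowerShell 3.0+ and an elevated session. Detection only.

function Test-SuperfishArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Certificates: the post's check, applied to every store under Cert:\.
    #    Store containers have no Subject, so they fall through the filter.
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_.Subject -match 'superfish' } |
        ForEach-Object {
            $findings.Add("Certificate: $($_.PSParentPath) thumbprint $($_.Thumbprint)")
        }

    # 2. Registry key installed alongside VisualDiscovery.exe (path from the post).
    $regPath = 'HKLM:\SOFTWARE\Wow6432Node\VisualDiscovery'
    if (Test-Path -Path $regPath) {
        $findings.Add("Registry: $regPath")
    }

    # 3. INI and log files named in the post. %TEMP% is per-user, so the log
    #    is only visible for the account running the check.
    $files = @(
        "$env:SystemRoot\SysWOW64\VisualDiscovery.ini",
        "$env:SystemRoot\SysWOW64\VisualDiscoveryOff.ini",
        "$env:SystemRoot\System32\VisualDiscoveryOff.ini",
        "$env:TEMP\VisualDiscoveryr.log"
    )
    foreach ($f in $files) {
        if (Test-Path -Path $f -PathType Leaf) {
            $findings.Add("File: $f")
        }
    }

    # 4. The running process. While it is alive, deleting the certificate
    #    alone will not hold, as the post explains.
    Get-Process -Name VisualDiscovery -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("Process: PID $($_.Id) $($_.Path)")
        }

    return $findings
}

# Wrap in @() so an empty or single result still has a usable .Count.
$result = @(Test-SuperfishArtifacts)
if ($result.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no Superfish artifacts found"
    exit 0
}
$result | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
exit 1
```

To sweep a set of hosts, save the script and run it with Invoke-Command -ComputerName against your list; the per-host output lines carry the computer name so they can be collected centrally, and the exit code distinguishes clean hosts from hits. Treat a hit as a trigger for the Windows Defender update the post recommends rather than for certificate deletion alone.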

The simplest way to remove Superfish from your system is to update Microsoft’s built-in anti-virus product, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate it.

Other remediation methods exist, but updating Windows Defender is by far the simplest.
