Chuck Leaver – Discover Superfish With The Ziften Application For Splunk

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften

 

Background Details: Lenovo admitted to pre loading the Superfish adware on some consumer PCs, and unhappy consumers are now dragging the business to court on the matter stated PCWorld. A proposed class action suit was filed late last week against Lenovo and Superfish, which charges both businesses with “deceitful” business practices and of making Lenovo PCs susceptible from man in the middle attacks by pre installing the adware.

Having issues discovering Superfish across your business? With the Ziften App for Splunk, you can find contaminated endpoints with a simple Splunk search. Merely browse your Ziften data and filter for the keyword “superfish”. The query is as follows:

index= ziften superfish

 

fish1

 

The following image reveals the results you would see in your Ziften App for Splunk if systems were infected. In this particular circumstance, we spotted several systems infected with Superfish.

 

Fish2

 

 

The above outcomes likewise make reference to the binary “VirtualDiscovery.exe”. As it turns out, this is the core procedure responsible for the infections. Along with the Superfish root certificate and VirtualDiscovery.exe binary, this software likewise lays down the following to the system:

A computer registry entry in:

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeVisualDiscovery

INI and log files in:

% SystemRoot% SysWOW64VisualDiscovery.ini.
% SystemRoot% SysWOW64VisualDiscoveryOff.ini.
% SystemRoot% System32VisualDiscoveryOff.ini.
% TEMP% VisualDiscoveryr.log.

Manual detection of Superfish can likewise be done on an endpoint straight from powershell with the following:.

dir cert: -r|where Subject -match “superfish”.

If the system is infected with Superfish, you will see outcomes similar to the following image. If the system is tidy, you will see no results.

fish3

Some analysts have stated that you can merely eliminate Superfish by getting rid of the root certificate shown above with a powershell command such as:.

dir cert: -r|where subject -match “superfish”|Remove-Item.

This removal procedure does not persist across reboots. Just removing the root cert does not work as VirtualDiscovery.exe will reinstall the root cert after a system reboot.

The simplest way to get rid of Superfish from your system is to upgrade Microsoft’s integrated autovirus software Windows Defender. Shortly after the general public became aware of Superfish, Microsoft upgraded Windows Defender to remediate Superfish.

Other remediation techniques exist, however updating Windows Defender is without a doubt the most basic method.