Find Superfish With The Ziften App For Splunk – Chuck Leaver

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften

Background: Lenovo admitted to pre-installing the Superfish adware on some consumer PCs, and unhappy consumers are now taking the company to court over it, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with “deceptive” business practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-installing the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can discover infected endpoints with a simple Splunk search. Just browse your Ziften data and filter for the keyword “superfish”. The query is just:

index=ziften superfish

[Image: fish1]

The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular case, we found several systems infected with Superfish.

[Image: Fish2]

The above results also refer to the binary “VirtualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and the VirtualDiscovery.exe binary, this software also writes the following to the system:

A registry entry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualDiscovery

INI and log files at:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be done on an endpoint directly from PowerShell with the following:

dir cert: -r | where Subject -match "superfish"

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.

[Image: fish3]

Some researchers have noted that you can simply remove Superfish by deleting the root certificate shown above with a PowerShell command such as:

dir cert: -r | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Deleting the root cert alone does not work, because VirtualDiscovery.exe will re-install the root cert after the system reboots.
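As an added example (not code from the Ziften post or the Ziften App), the PowerShell function below sweeps a single endpoint for every Superfish artifact listed above: the root certificate, the registry key, the INI/log files, and the process that re-installs the certificate. It returns one findings object rather than deleting anything, so it can be run as a check before and after remediation. The function name Get-SuperfishIndicators and the output fields are this example's own; because the post names the binary VirtualDiscovery.exe while the registry key and files are named VisualDiscovery, the process check matches either spelling, which is an assumption made here. Run it in an elevated session so process paths are readable.

```powershell
# Added example, not from the Ziften post: enumerate Superfish indicators on
# this endpoint and report them without changing anything.
function Get-SuperfishIndicators {
    [CmdletBinding()]
    param()

    # Artifact locations taken from the post; environment variables are
    # expanded at run time.
    $registryKey = 'HKLM:\SOFTWARE\Wow6432Node\VisualDiscovery'
    $filePaths = @(
        (Join-Path $env:SystemRoot 'SysWOW64\VisualDiscovery.ini'),
        (Join-Path $env:SystemRoot 'SysWOW64\VisualDiscoveryOff.ini'),
        (Join-Path $env:SystemRoot 'System32\VisualDiscoveryOff.ini'),
        (Join-Path $env:TEMP       'VisualDiscoveryr.log')
    )

    # 1. Root certificate: same subject match as the post's one-liner, searched
    #    across every certificate store so a copy elsewhere is not missed.
    $certs = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'superfish' } |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter

    # 2. Registry key dropped by the installer.
    $registryPresent = Test-Path -Path $registryKey

    # 3. INI and log files.
    $filesFound = $filePaths | Where-Object { Test-Path -LiteralPath $_ }

    # 4. The process that re-installs the certificate after a reboot. Both
    #    spellings are matched (assumption: the post uses VirtualDiscovery.exe
    #    for the binary and VisualDiscovery for the key and files).
    $processes = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^(Virtual|Visual)Discovery$' } |
        Select-Object Id, ProcessName, Path

    $certCount = @($certs).Count
    $fileCount = @($filesFound).Count
    $procCount = @($processes).Count

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        Certificates     = @($certs)
        RegistryKeyFound = $registryPresent
        FilesFound       = @($filesFound)
        Processes        = @($processes)
        # Any single indicator is enough to flag the host for remediation.
        Infected         = ($certCount -gt 0) -or $registryPresent -or
                           ($fileCount -gt 0) -or ($procCount -gt 0)
    }
}

# Usage: collect the report, print it, and call out the case the post warns
# about, where deleting the certificate alone will not survive a reboot.
$report = Get-SuperfishIndicators
$report | Format-List
if ($report.Infected -and $report.Processes.Count -gt 0) {
    Write-Warning 'VirtualDiscovery is running: removing the root certificate alone will not persist across reboots.'
}
```

The object this returns is easy to export (for example with Export-Csv) from a fleet of hosts and compare against the Splunk results above, and a clean host should come back with Infected set to False and every list empty. Remediation itself is left to the Windows Defender update the post recommends next.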

The simplest way to remove Superfish from your system is to update Microsoft’s built-in antivirus software, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other remediation techniques exist, but updating Windows Defender is by far the easiest.
