Finding Superfish Is Simple With The Ziften App For Splunk – Chuck Leaver

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften

 

Background Information: Lenovo admitted to pre-installing the Superfish adware on some client PCs, and dissatisfied customers are now taking the company to court over the matter, according to PCWorld. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with “deceptive” commercial practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-installing the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can find infected endpoints with a simple Splunk search. Just search your Ziften data and filter for the keyword “superfish”. The query is:

index=ziften superfish

 


The following image shows the results you would see in the Ziften App for Splunk if systems were infected. In this particular case, we detected several systems infected with Superfish.

 

[Image: Ziften App for Splunk search results]

The results above also reference the binary “VisualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. In addition to the Superfish root certificate and the VisualDiscovery.exe binary, this software also drops the following on the system:

A registry entry in:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualDiscovery

INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Superfish can also be detected manually on an endpoint, directly from PowerShell, with the following:

dir cert: -r | where Subject -match "superfish"

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.

 

[Image: PowerShell output listing the Superfish certificate]

Some analysts have said that you can remove Superfish simply by deleting the root certificate shown above with a PowerShell command such as:

dir cert: -r | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Removing only the root cert does not work, because VisualDiscovery.exe reinstalls the root cert after a system reboot.
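Because the certificate can come back after a reboot, an endpoint check should look at every artifact listed above and not only the certificate store. The following PowerShell is an added example, not Ziften's code and not part of the original post; the function name Get-SuperfishArtifact is hypothetical, and the registry key and file paths are the ones listed earlier on this page.

```powershell
# Added example: Get-SuperfishArtifact is a hypothetical helper name.
function Get-SuperfishArtifact {
    # A 32-bit process has System32 silently redirected to SysWOW64, so the
    # System32 check below would test the wrong directory.
    if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
        Write-Warning 'Run from 64-bit PowerShell: System32 is redirected in a 32-bit process.'
    }

    # 1. Certificates in any store whose subject mentions Superfish
    #    (same filter as the one-liner above; -match is case-insensitive).
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Type     = 'Certificate'
                Location = $_.PSParentPath
                Detail   = $_.Thumbprint
            }
        }

    # 2. Registry key listed on this page.
    $regKey = 'HKLM:\SOFTWARE\Wow6432Node\VisualDiscovery'
    if (Test-Path -Path $regKey) {
        [pscustomobject]@{ Type = 'Registry'; Location = $regKey; Detail = 'key present' }
    }

    # 3. INI and log files listed on this page. %TEMP% is per user, so only the
    #    profile of the account running this script is checked.
    $files = @(
        (Join-Path $env:SystemRoot 'SysWOW64\VisualDiscovery.ini'),
        (Join-Path $env:SystemRoot 'SysWOW64\VisualDiscoveryOff.ini'),
        (Join-Path $env:SystemRoot 'System32\VisualDiscoveryOff.ini'),
        (Join-Path $env:TEMP 'VisualDiscoveryr.log')
    )
    foreach ($file in $files) {
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Location = $file; Detail = 'file present' }
        }
    }
}

$hits = @(Get-SuperfishArtifact)
if ($hits.Count -eq 0) {
    'No Superfish artifacts found.'
} else {
    $hits | Format-Table -AutoSize
}
```

Running it again after a reboot shows whether a removed certificate has been reinstalled.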

The simplest way to remove Superfish from your system is to update Microsoft’s built-in AV software, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other removal methods exist, but updating Windows Defender is by far the easiest.

 
