Chuck Leaver – With The Ziften App For Splunk You Can Detect Superfish

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften


Background Details: Lenovo admitted to pre-installing the Superfish adware on some consumer PCs, and dissatisfied customers are now taking the company to court over it, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with "deceptive" business practices and with making Lenovo PCs susceptible to man-in-the-middle attacks by pre-installing the adware.

Having problems finding Superfish across your enterprise? With the Ziften App for Splunk, you can discover infected endpoints with a straightforward Splunk search. Just search your Ziften data and filter for the keyword “superfish”. The query is just:

index=ziften superfish

[Image: fish1]

The following image reveals the results you would see in your Ziften App for Splunk if systems were contaminated. In this specific instance, we spotted numerous systems infected with Superfish.

[Image: Fish2]

The above results also reference the binary "VirtualDiscovery.exe". As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and the VirtualDiscovery.exe binary, the software also writes the following to the system:

A registry entry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualDiscovery

INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be done on an endpoint directly from PowerShell with the following:

dir cert: -Recurse | where Subject -match "superfish"

If the system is infected with Superfish, you will see results much like the following image. If the system is clean, you will see no results.

[Image: fish3]
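As an added example (not code from the original post or from Ziften), the PowerShell function below ties together the indicators listed above into one endpoint check: the root certificate search from the post, the registry key, the INI/log files, and the process. The registry path, file paths and process names are taken from the post; the function name, the output object, and the decision to match both the "VirtualDiscovery" and "VisualDiscovery" spellings are this example's own assumptions.

```powershell
# Added example (not from the original post): enumerate the Superfish artifacts
# the post lists on a Windows endpoint and return them as one findings object.
# Assumptions: artifact paths and names come from the post; the function name,
# output shape and the dual process-name match are this example's own.
function Get-SuperfishIndicators {
    [CmdletBinding()]
    param()

    # 1. Root certificate: recurse every certificate store, as the post's
    #    `dir cert: -Recurse` does, and keep certs whose Subject names Superfish.
    $certs = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'superfish' } |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter

    # 2. Registry key written by the installer (path from the post).
    $regPath  = 'HKLM:\SOFTWARE\Wow6432Node\VisualDiscovery'
    $registry = if (Test-Path -Path $regPath) { Get-ItemProperty -Path $regPath } else { $null }

    # 3. INI and log files (paths from the post, expanded from environment variables).
    $filePaths = @(
        "$env:SystemRoot\SysWOW64\VisualDiscovery.ini",
        "$env:SystemRoot\SysWOW64\VisualDiscoveryOff.ini",
        "$env:SystemRoot\System32\VisualDiscoveryOff.ini",
        "$env:TEMP\VisualDiscoveryr.log"
    )
    $files = $filePaths | Where-Object { Test-Path -Path $_ } | ForEach-Object { Get-Item -Path $_ }

    # 4. Running process. The post names VirtualDiscovery.exe while its other
    #    artifacts use the VisualDiscovery spelling, so both are matched (assumption).
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^(Virtual|Visual)Discovery$' } |
        Select-Object Id, ProcessName, Path

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Certificates = @($certs)
        RegistryKey  = $registry
        Files        = @($files)
        Processes    = @($procs)
    }
    # Infected when any indicator is present; a clean system reports $false.
    $result | Add-Member -NotePropertyName Infected -NotePropertyValue (
        $result.Certificates.Count -gt 0 -or $null -ne $result.RegistryKey -or
        $result.Files.Count -gt 0 -or $result.Processes.Count -gt 0
    ) -PassThru
}

# Usage: run from an elevated PowerShell session and review the findings.
$findings = Get-SuperfishIndicators
$findings | Format-List
if ($findings.Infected) {
    Write-Warning "Superfish indicators found on $($findings.ComputerName)."
}
```

Checking the process and registry key alongside the certificate matters for the point made below: a host with no Superfish certificate but a live VirtualDiscovery.exe process or an intact registry key is not clean, because the certificate will be re-installed on the next reboot.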

Some analysts have stated that you can simply eliminate Superfish by removing the root certificate shown above with a PowerShell command such as:

dir cert: -Recurse | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Simply deleting the root certificate does not work, because VirtualDiscovery.exe re-installs the root certificate after the system restarts.

The simplest way to remove Superfish from your system is to update Microsoft's built-in antivirus product, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate it.

Other removal methods exist, but updating Windows Defender is by far the simplest.


~leaverchuck1
