When You Use The Ziften App For Splunk You Can Easily Find Superfish – Charles Leaver

By | October 6, 2015

Written By Ryan Hollman And Presented By Charles Leaver CEO Ziften

Background: Lenovo has admitted to pre-installing the Superfish adware on some consumer PCs, and dissatisfied customers are now taking the company to court over it, PCWorld reported. A proposed class action lawsuit was filed late last week against Lenovo and Superfish, charging both businesses with “deceitful” commercial practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-loading the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can discover infected endpoints with a single Splunk search. Simply search your Ziften data and filter for the keyword “superfish”. The query is:

index=ziften superfish

[Screenshot fish1: the Splunk search]

The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular instance, we identified several systems infected with Superfish.

[Screenshot Fish2: Splunk search results showing infected systems]

The above results also reference the binary “VisualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and the VisualDiscovery.exe binary, the software also writes the following to the system:

A registry key at:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualDiscovery

INI and log files at:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be performed on an endpoint directly from PowerShell with the following:

dir cert: -Recurse | where Subject -match "superfish"

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.

[Screenshot fish3: PowerShell certificate search output on an infected system]

Some analysts have stated that you can remove Superfish simply by removing the root certificate shown above with a PowerShell command such as:

dir cert: -Recurse | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Removing only the root certificate does not work, because VisualDiscovery.exe will reinstall the root certificate after the system restarts.
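As an added example (not code from the Ziften post or from the Ziften App), the following PowerShell script combines the indicator list above with the certificate check, and then performs the removal in the order the reboot caveat implies: stop VisualDiscovery.exe first, then remove the certificate, the registry key and the dropped files. The process name "VisualDiscovery" is derived from the binary name, and the subject regex mirrors the post's -match "superfish" filter; both are assumptions. The on-disk location of the binary and any autostart entry are not listed in the post, so the script does not touch them. Run it in an elevated PowerShell 3.0 or later session.

```powershell
# Added example, not code from the Ziften post. Checks a Windows endpoint for
# the Superfish indicators listed in the post and, if asked, removes them in
# an order that does not let VisualDiscovery.exe restore the certificate.
# Run in an elevated PowerShell 3.0+ session.

# Indicators as listed in the post. The process name is derived from the
# binary name and the subject regex mirrors the post's "-match 'superfish'";
# both are assumptions, not values taken from the post.
$Superfish = @{
    ProcessName    = 'VisualDiscovery'
    SubjectPattern = 'superfish'
    RegistryKey    = 'HKLM:\SOFTWARE\Wow6432Node\VisualDiscovery'
    Files          = @(
        "$env:SystemRoot\SysWOW64\VisualDiscovery.ini",
        "$env:SystemRoot\SysWOW64\VisualDiscoveryOff.ini",
        "$env:SystemRoot\System32\VisualDiscoveryOff.ini",
        "$env:TEMP\VisualDiscoveryr.log"
    )
}

function Get-SuperfishCertificate {
    # Same check as the post's one-liner; the type test skips the store
    # containers that Get-ChildItem -Recurse also returns.
    Get-ChildItem -Path Cert: -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -match $Superfish.SubjectPattern
        }
}

function Get-SuperfishIndicators {
    # One object per indicator found. No output means none of the listed
    # indicators is present, not that the host is clean.
    $found = New-Object System.Collections.Generic.List[object]
    foreach ($c in (Get-SuperfishCertificate)) {
        $found.Add([pscustomobject]@{ Type = 'Certificate'; Detail = "$($c.PSParentPath) $($c.Thumbprint)" })
    }
    foreach ($p in (Get-Process -Name $Superfish.ProcessName -ErrorAction SilentlyContinue)) {
        $found.Add([pscustomobject]@{ Type = 'Process'; Detail = "PID $($p.Id) $($p.Path)" })
    }
    if (Test-Path -LiteralPath $Superfish.RegistryKey) {
        $found.Add([pscustomobject]@{ Type = 'Registry'; Detail = $Superfish.RegistryKey })
    }
    foreach ($f in $Superfish.Files) {
        if (Test-Path -LiteralPath $f) {
            $found.Add([pscustomobject]@{ Type = 'File'; Detail = $f })
        }
    }
    return $found.ToArray()
}

function Remove-SuperfishArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Stop VisualDiscovery.exe first. Leaving it able to run again is
    #    exactly why the certificate-only removal above does not persist.
    foreach ($p in (Get-Process -Name $Superfish.ProcessName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop process')) {
            Stop-Process -Id $p.Id -Force
        }
    }
    # 2. Then the root certificate, from every store it appears in.
    foreach ($c in (Get-SuperfishCertificate)) {
        if ($PSCmdlet.ShouldProcess($c.PSPath, 'Remove certificate')) {
            $c | Remove-Item
        }
    }
    # 3. Then the registry key and dropped files the post lists.
    if ((Test-Path -LiteralPath $Superfish.RegistryKey) -and
        $PSCmdlet.ShouldProcess($Superfish.RegistryKey, 'Remove registry key')) {
        Remove-Item -LiteralPath $Superfish.RegistryKey -Recurse -Force
    }
    foreach ($f in $Superfish.Files) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
    # 4. The binary itself and any autostart entry are not listed in the post,
    #    so re-run Get-SuperfishIndicators after a reboot to confirm nothing
    #    came back.
}

# Usage: report, preview the removal with -WhatIf, then apply it.
Get-SuperfishIndicators | Format-Table -AutoSize
Remove-SuperfishArtifacts -WhatIf
# Remove-SuperfishArtifacts
```

The -WhatIf run prints each action it would take without changing the endpoint, which is the right first step on a fleet; the step ordering is the point, since removing the certificate while the process can still run again is what the post's one-liner gets wrong.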

The simplest way to remove Superfish from your system is to update Microsoft’s built-in antivirus product, Windows Defender. Shortly after Superfish became public, Microsoft updated Windows Defender to remediate it.

Other removal methods exist, but updating Windows Defender is by far the simplest.
