The analysis of SuperFish adware

You probably already heard about Superfish adware that was pre-installed on Lenovo PCs, if not read it here. In this blogpost I’m making an attempt to analyze it.

Here is SHA1 hash of analyzed sample (NSIS Installer): A502EA9FAE7E8FE64308088ECC585B45EAD76DA1 - VT link

The SuperFish presents itself as “VisualDiscovery” software and it is based on Komodia engine. Unfortunately Komodia’s site is offline now, but you might find some information on this backup.

The SuperFish or VisualDiscovery installer works only on Windows 8 or 2012 and does not install itself on Windows 7 or 8.1.

The NSIS installer drops all files to C:\Program Files\Lenovo\VisualDiscovery and afterward executes following commands:

• run.exe 30000 VisualDiscovery.exe /Auto /Service
• run.exe 30000 C:\WINDOWS\system32\sc.exe start VisualDiscovery
• run.exe 30000 VDWFPInstaller.exe install

First two commands are for registration and starting the VisualDiscovery service. Last command installs driver.

VDWFPInstaller.exe

SHA1: B5D68FE790F0FD30198F7F6C19FA190F561F301E - VT link

This is a typical installer for drivers. However, there is one interesting thing inside - it contains code that detects various AV software and it checks if the installer is running inside Virtual Machine.

VDWFP drivers

• VDWFP.sys SHA1: A756FEAA8E32FAE58DAA5FA8983AF810EAFBF038 - VT link
• VDWFP64.sys SHA1: C38BF92AA13F875862D7153A05D16DD8DC3D9180 - VT link

The drivers (and also other binaries) are signed with expired certificate:

The driver contains following PDB path:

1	c:\dev\outsourcing\Superfish\WFP\Driver\Win8Release\x86\VDWFP.pdb

This driver implements connect redirector by using Windows Filtering Platform (WFP) - MSDN. Every time when new connection is created the driver inspects this connection and decides if this connection should be redirected to proxy according to the configuration.

The configuration is stored in following registry key:

1	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VDWFP

Possible values:

• globalAppTable - applications to never intercept
• appTable - applications to intercept
• globalIpTable - IP addresses to never intercept
• ipTable - IP addresses to intercept
• globalPortTable - ports to intercept
• portTable - ports to never intercept
• andFlag
• portTableInverse
• ipTableInverse
• appTableInverse

Default values:

globalAppTable default values (applications to never intercept)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41

afterfx.exe alg.exe avastsvc.exe avgmfapx.exe avguard.exe avp.exe avwebgrd.exe ccapp.exe ccsvchst.exe coreserviceshell.exe csrss.exe dllhost.exe ekrn.exe fxssvc.exe locator.exe lsass.exe mozybackup.exe msdtc.exe msiexec.exe msmpeng.exe msvsmon.exe rps.exe searchindexer.exe smss.exe smsvchost.exe snmptrap.exe spoolsv.exe sppsvc.exe svchost.exe tmproxy.exe tpautoconnsvc.exe tpvcgateway.exe trustedinstaller.exe ui0detect.exe vds.exe visualdiscovery.exe vmtoolsd.exe vssvc.exe wbengine.exe wmiapsrv.exe wmpnetwk.exe

appTable default values (applications to intercept)

1 2 3 4 5 6 7

chrome.exe firefox.exe iexplore.exe maxthon.exe opera.exe safari.exe webkit2webprocess.exe

globalIpTable default values (IP addresses to never intercept)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

66.70.34.101 66.70.34.103 66.70.34.105 66.70.34.111 66.70.34.113 66.70.34.115 66.70.34.117 66.70.34.119 66.70.34.121 66.70.34.123 66.70.34.125 66.70.34.127 66.70.34.129 66.70.34.251 66.70.34.95 66.70.34.97

The user-mode component

Two main parts of user mode component are VisualDiscovery.exe and SuperfishCert.dll:

• VisualDiscovery.exe - SHA1: 343AF97D47582C8150D63CBCED601113B14FCCA6 - VT link
• SuperfishCert.dll - SHA1: EDE269E495845B824738B21E97E34ED8552B838E - VT link

However, the real payload of these two files is Zlib-compressed and encrypted with BlowFish crypto algorithm. The same files after unpacking:

• VisualDiscovery.exe - SHA1: 50221C3B0AEDB5BC26C6A7684182417AC9BCC6E2 - VT link
• SuperfishCert.dll - SHA1: 1FFEBCB1B245C9A65402C382001413D373E657AD - VT link

The SuperfishCert.dll has an internal name KomodiaCertDLL.dll and compiled on May 12 16:56:12 2014:

The main purpose of this DLL is to install supplied malicious certificate to various applications. This DLL does not contain the certificate itself.

The service VisualDiscovery.exe is the main component of this adware. The binary of this service is statically linked with OpenSSL 1.0.1h and contains private and public certificates:

Here is whole certificate:

SuperFish certificates

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

-----BEGIN ENCRYPTED PRIVATE KEY----- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIDHHhyAEZQoICAggA MBQGCCqGSIb3DQMHBAiHEg+MCYQ30ASCAoDEvGvFRHvtWOb5Rc0f3lbVKqeUvWSz xQn+rZELHnwb6baolmbFcsi6XkacVzL/EF7Ll4de/CSQ6pZZCCvfDzov0mPOuGve SAe7hbAcol7+JWVfzbnVTblPf0i7mwSvK61cKq7YfcKJ2os/uJGpeX9zraywWyFx f+EdTr348dOez8uHkURyY1cvSHsIdITALkChOonAYT68SVighTeB6xOCwfmsHx+X 3Qbhom2YCIxfJiaAoz2/LndCpDaEfOrVrxXFOKXrIbmeDEyjDQj16AVni9uuaj7l NiO3zrrqxsfdVINPaAYRKQnS102jXqkH01z72c/MpMMC6dwZswF5V3R7RSXngyBn 1GLxVFHKR753Gt0IDag13Bd8Jt890/v0tE0Kx66jCkRGn+VCq6+bsnh7VpTH/cG5 dlFnv56lv2leknu5ghdJHX8YQ6HjnioaaheLA+ORAxqAlD8Itt1/pRBOOMSkutdz d1px9dB2ZBpSoRAOcBwU5aFaw9uu+tXyzrPM3tZomu8ryQYMNlmVgPNDJOz6jPJi jaZHWTS7U6j370oH/B0KTUG/ybrJGFnOmPP4h2u/ugG75EkfotURsvbrWuetQhOi TCH+9nbIcT3pxnTXqI2IRHZXMturQ+6fqlJF3bb9bWarMBuC3KgprqyqXxeM0Sqg VlyKLWwAuMf2Ec7t7ujqaNmVgv6bpwHEbR6njIi7lC7j4w6D2YQ8vacgvS3MB/K0 SX54HNVBVuXhAixPtYJ6tOBGm7QFAKaXju0PJ+AljnMEsHRekOs2u42OHBXEWDE8 VHw7/lTXWsJkBcQM+g/svyqV4xKHDAixPms2SUwJyKjvEgV+CQok4F/T -----END ENCRYPTED PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIC9TCCAl6gAwIBAgIJANL8E4epRNznMA0GCSqGSIb3DQEBBQUAMFsxGDAWBgNV BAoTD1N1cGVyZmlzaCwgSW5jLjELMAkGA1UEBxMCU0YxCzAJBgNVBAgTAkNBMQsw CQYDVQQGEwJVUzEYMBYGA1UEAxMPU3VwZXJmaXNoLCBJbmMuMB4XDTE0MDUxMjE2 MjUyNloXDTM0MDUwNzE2MjUyNlowWzEYMBYGA1UEChMPU3VwZXJmaXNoLCBJbmMu MQswCQYDVQQHEwJTRjELMAkGA1UECBMCQ0ExCzAJBgNVBAYTAlVTMRgwFgYDVQQD Ew9TdXBlcmZpc2gsIEluYy4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOjz Shh2Xxk/sc9Y6X9DBwmVgDXFD/5xMSeBmRImIKXfj2r8QlU57gk4idngNsSsAYJb 1Tnm+Y8HiN/+7vahFM6pdEXY/fAXVyqC4XouEpNarIrXFWPRt5tVgA9YvBxJ7SBi 3bZMpTrrHD2g/3pxptMQeDOuS8Ic/ZJKocPnQaQtAgMBAAGjgcAwgb0wDAYDVR0T BAUwAwEB/zAdBgNVHQ4EFgQU+5izU38URC7o7tUJml4OVoaoNYgwgY0GA1UdIwSB hTCBgoAU+5izU38URC7o7tUJml4OVoaoNYihX6RdMFsxGDAWBgNVBAoTD1N1cGVy ZmlzaCwgSW5jLjELMAkGA1UEBxMCU0YxCzAJBgNVBAgTAkNBMQswCQYDVQQGEwJV UzEYMBYGA1UEAxMPU3VwZXJmaXNoLCBJbmMuggkA0vwTh6lE3OcwDQYJKoZIhvcN AQEFBQADgYEApHyg7ApKx3DEcWjzOyLi3JyN0JL+c35yK1VEmxu0Qusfr76645Oj 1IsYwpTws6a9ZTRMzST4GQvFFQra81eLqYbPbMPuhC+FCxkUF5i0DNSWi+kczJXJ TtCqSwGl9t9JEoFqvtW+znZ9TqyLiOMw7TGEUI+88VAqW0qmXnwPcfo= -----END CERTIFICATE-----

The private key is encrypted with password “komodia”, but probably you already know it from this blog.

This service implements proxy and performs MITM-attack on encrypted connections that go through the proxy:

As you can see this piece software implements pretty generic technique to intercept encrypted connections. Blacklisting of installed certificate is a good idea, but actually in next versions it could just generate unique certificate for every new computer.

Purpose

Intercepting encrypted connections is definitely a bad thing. But what this software actually does?

The main purpose is injecting javascript from following URL to almost every HTML page according to settings:

1	https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc