You have probably already heard about the Superfish adware that was pre-installed on Lenovo PCs; if not, you can read about it here. In this blog post I’m making an attempt to analyze it.

Here is the SHA1 hash of the analyzed sample (NSIS Installer): A502EA9FAE7E8FE64308088ECC585B45EAD76DA1 - VT link

SuperFish presents itself as “VisualDiscovery” software and is based on the Komodia engine. Unfortunately Komodia’s site is offline now, but you might find some information in this backup.

The SuperFish or VisualDiscovery installer works only on Windows 8 or 2012 and does not install itself on Windows 7 or 8.1.

The NSIS installer drops all files to C:\Program Files\Lenovo\VisualDiscovery and afterward executes the following commands:

run.exe 30000 VisualDiscovery.exe /Auto /Service

run.exe 30000 C:\WINDOWS\system32\sc.exe start VisualDiscovery

run.exe 30000 VDWFPInstaller.exe install

The first two commands register and start the VisualDiscovery service; the last command installs the driver.

VDWFPInstaller.exe

SHA1: B5D68FE790F0FD30198F7F6C19FA190F561F301E - VT link

This is a typical driver installer. However, there is one interesting thing inside: it contains code that detects various AV products and checks whether the installer is running inside a virtual machine.

VDWFP drivers

The drivers (and also other binaries) are signed with an expired certificate:

The driver contains the following PDB path:

c:\dev\outsourcing\Superfish\WFP\Driver\Win8Release\x86\VDWFP.pdb

This driver implements a connection redirector using the Windows Filtering Platform (WFP) - MSDN. Every time a new connection is created, the driver inspects it and decides whether the connection should be redirected to the proxy or not.

The configuration is stored in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VDWFP

Possible values:

globalAppTable - applications to never intercept

appTable - applications to intercept

globalIpTable - IP addresses to never intercept

ipTable - IP addresses to intercept

globalPortTable - ports to intercept

portTable - ports to never intercept

andFlag

portTableInverse

ipTableInverse

appTableInverse

Default values:

globalAppTable default values (applications to never intercept):

afterfx.exe, alg.exe, avastsvc.exe, avgmfapx.exe, avguard.exe, avp.exe, avwebgrd.exe, ccapp.exe, ccsvchst.exe, coreserviceshell.exe, csrss.exe, dllhost.exe, ekrn.exe, fxssvc.exe, locator.exe, lsass.exe, mozybackup.exe, msdtc.exe, msiexec.exe, msmpeng.exe, msvsmon.exe, rps.exe, searchindexer.exe, smss.exe, smsvchost.exe, snmptrap.exe, spoolsv.exe, sppsvc.exe, svchost.exe, tmproxy.exe, tpautoconnsvc.exe, tpvcgateway.exe, trustedinstaller.exe, ui0detect.exe, vds.exe, visualdiscovery.exe, vmtoolsd.exe, vssvc.exe, wbengine.exe, wmiapsrv.exe, wmpnetwk.exe

appTable default values (applications to intercept):

chrome.exe, firefox.exe, iexplore.exe, maxthon.exe, opera.exe, safari.exe, webkit2webprocess.exe

globalIpTable default values (IP addresses to never intercept):

66.70.34.95, 66.70.34.97, 66.70.34.101, 66.70.34.103, 66.70.34.105, 66.70.34.111, 66.70.34.113, 66.70.34.115, 66.70.34.117, 66.70.34.119, 66.70.34.121, 66.70.34.123, 66.70.34.125, 66.70.34.127, 66.70.34.129, 66.70.34.251

The user-mode component

The two main parts of the user mode component are VisualDiscovery.exe and SuperfishCert.dll:

However, the real payload of these two files is Zlib-compressed and Blowfish-encrypted. The same files after unpacking:

SuperfishCert.dll has the internal name KomodiaCertDLL.dll and was compiled on May 12 16:56:12 2014:

The main purpose of this DLL is to install the supplied malicious certificate into various applications. The DLL does not contain the certificate itself.

The VisualDiscovery.exe service is the main component of this adware. The service binary is statically linked with OpenSSL 1.0.1h and contains both the certificate and its private key:

Here is the whole certificate:


The private key is encrypted with the password “komodia”, but you probably already know that from this blog.

This service implements the proxy and performs a MITM attack on the encrypted connections going through it:

As is evident here, this software implements a fairly generic technique for intercepting encrypted connections. Blacklisting the installed certificate is a good idea, but a newer version could simply generate a unique certificate for every computer.
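As an added example (not part of the original post), the following PowerShell script checks a host for the artifacts described above: the VDWFP registry key and its intercept tables, the VisualDiscovery service and install directory, the two SHA1 hashes given in the post, and a Superfish-issued root certificate. Matching the root store on the subject string "Superfish" is an assumption based on the certificate's subject (Superfish, Inc.); the registry value names and paths are the ones from the post.

```powershell
# Added example: host check for Superfish / VisualDiscovery artifacts.
# Run from an elevated prompt so HKLM and the machine root store are readable.
$findings = @()

# 1. WFP redirector configuration (registry key and tables named in the post)
$vdwfpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VDWFP'
if (Test-Path $vdwfpKey) {
    $findings += "Registry key present: $vdwfpKey"
    $props = Get-ItemProperty -Path $vdwfpKey
    $tables = 'globalAppTable','appTable','globalIpTable','ipTable',
              'globalPortTable','portTable','andFlag',
              'appTableInverse','ipTableInverse','portTableInverse'
    foreach ($name in $tables) {
        if ($null -ne $props.$name) {
            $findings += ("  {0} = {1}" -f $name, (@($props.$name) -join ', '))
        }
    }
}

# 2. User-mode service, driver service and install directory
foreach ($svcName in 'VisualDiscovery','VDWFP') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service $svcName is $($svc.Status)" }
}
$installDir = 'C:\Program Files\Lenovo\VisualDiscovery'
if (Test-Path $installDir) {
    $findings += "Install directory present: $installDir"
    # SHA1 hashes quoted in the post (NSIS installer, VDWFPInstaller.exe)
    $knownSha1 = @{
        'A502EA9FAE7E8FE64308088ECC585B45EAD76DA1' = 'NSIS installer'
        'B5D68FE790F0FD30198F7F6C19FA190F561F301E' = 'VDWFPInstaller.exe'
    }
    Get-ChildItem -Path "$installDir\*" -Include *.exe,*.dll,*.sys |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            $tag = if ($knownSha1.ContainsKey($h)) { $knownSha1[$h] } else { 'unknown hash' }
            $findings += "  $($_.Name) SHA1 $h ($tag)"
        }
}

# 3. Superfish root certificate in either root store (subject match is an assumption)
Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -match 'Superfish' } |
    ForEach-Object {
        $findings += "Root CA present: $($_.Subject) thumbprint $($_.Thumbprint)"
    }

if ($findings.Count -eq 0) { 'No Superfish / VisualDiscovery artifacts found.' }
else { $findings }
```

Any hit in section 3 means TLS connections from the listed browsers can be intercepted without warnings, so removing the certificate from both root stores matters as much as removing the service.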

Purpose

Intercepting encrypted connections is definitely a bad thing. But what does this software actually do?

Its main purpose is injecting JavaScript from the following URL into almost every HTML page, according to its settings: