0xEBFE

Blog about life.

The analysis of SuperFish adware

You have probably already heard about the Superfish adware that was pre-installed on Lenovo PCs; if not, you can read about it here. In this blog post I attempt to analyze it.

Here is the SHA1 hash of the analyzed sample (NSIS Installer): A502EA9FAE7E8FE64308088ECC585B45EAD76DA1 - VT link

SuperFish presents itself as “VisualDiscovery” software and it is based on the Komodia engine. Unfortunately Komodia’s site is offline now, but you might find some information on this backup.

The SuperFish or VisualDiscovery installer works only on Windows 8 or 2012 and does not install itself on Windows 7 or 8.1.

The NSIS installer drops all files to C:\Program Files\Lenovo\VisualDiscovery and afterward executes the following commands:

  • run.exe 30000 VisualDiscovery.exe /Auto /Service
  • run.exe 30000 C:\WINDOWS\system32\sc.exe start VisualDiscovery
  • run.exe 30000 VDWFPInstaller.exe install

The first two commands are for registration and starting the VisualDiscovery service and the last command installs the driver.

VDWFPInstaller.exe

SHA1: B5D68FE790F0FD30198F7F6C19FA190F561F301E - VT link

This is a typical installer for drivers. However, there is one interesting thing inside - it contains code that detects various AV software and it checks if the installer is running inside a Virtual Machine.

VDWFP drivers
  • VDWFP.sys SHA1: A756FEAA8E32FAE58DAA5FA8983AF810EAFBF038 - VT link
  • VDWFP64.sys SHA1: C38BF92AA13F875862D7153A05D16DD8DC3D9180 - VT link

The drivers (and also other binaries) are signed with an expired certificate:

The driver contains the following PDB path:

c:\dev\outsourcing\Superfish\WFP\Driver\Win8Release\x86\VDWFP.pdb

This driver implements a connection redirector using the Windows Filtering Platform (WFP) - MSDN. Every time a new connection is created, the driver inspects it and decides whether this connection should be redirected to the proxy or not.

The configuration is stored in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VDWFP

Possible values:

  • globalAppTable - applications to never intercept
  • appTable - applications to intercept
  • globalIpTable - IP addresses to never intercept
  • ipTable - IP addresses to intercept
  • globalPortTable - ports to intercept
  • portTable - ports to never intercept
  • andFlag
  • portTableInverse
  • ipTableInverse
  • appTableInverse

Default values:

globalAppTable default values (applications to never intercept)
afterfx.exe
alg.exe
avastsvc.exe
avgmfapx.exe
avguard.exe
avp.exe
avwebgrd.exe
ccapp.exe
ccsvchst.exe
coreserviceshell.exe
csrss.exe
dllhost.exe
ekrn.exe
fxssvc.exe
locator.exe
lsass.exe
mozybackup.exe
msdtc.exe
msiexec.exe
msmpeng.exe
msvsmon.exe
rps.exe
searchindexer.exe
smss.exe
smsvchost.exe
snmptrap.exe
spoolsv.exe
sppsvc.exe
svchost.exe
tmproxy.exe
tpautoconnsvc.exe
tpvcgateway.exe
trustedinstaller.exe
ui0detect.exe
vds.exe
visualdiscovery.exe
vmtoolsd.exe
vssvc.exe
wbengine.exe
wmiapsrv.exe
wmpnetwk.exe
appTable default values (applications to intercept)
chrome.exe
firefox.exe
iexplore.exe
maxthon.exe
opera.exe
safari.exe
webkit2webprocess.exe
globalIpTable default values (IP addresses to never intercept)
The user-mode component

The two main parts of the user mode component are VisualDiscovery.exe and SuperfishCert.dll:

  • VisualDiscovery.exe - SHA1: 343AF97D47582C8150D63CBCED601113B14FCCA6 - VT link
  • SuperfishCert.dll - SHA1: EDE269E495845B824738B21E97E34ED8552B838E - VT link

However, the real payload of these two files is Zlib-compressed and Blowfish-encrypted. The same files after unpacking:

  • VisualDiscovery.exe - SHA1: 50221C3B0AEDB5BC26C6A7684182417AC9BCC6E2 - VT link
  • SuperfishCert.dll - SHA1: 1FFEBCB1B245C9A65402C382001413D373E657AD - VT link

The SuperfishCert.dll has an internal name KomodiaCertDLL.dll and was compiled on May 12 16:56:12 2014:

The main purpose of this DLL is to install the supplied malicious certificate into various applications. This DLL does not contain the certificate itself.

The VisualDiscovery.exe service is the main component of this adware. The binary of this service is statically linked with OpenSSL 1.0.1h and contains private and public certificates:

Here is the whole certificate:

SuperFish certificates

The private key is encrypted with the password “komodia”, but you probably already know that from this blog.

This service implements the proxy and performs a MITM-attack on encrypted connections going through it:

As is evident here, this software implements a pretty generic technique to intercept encrypted connections. Blacklisting the installed certificate is a good idea, but in newer versions it could just generate unique certificates for every new computer.
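A read-only triage pass over the artifacts named in this post (install directory, service and driver keys, sample hashes, trusted root stores), as an added example that is not part of the original analysis. It assumes the driver's tables are values directly under the VDWFP key as listed above and that the root certificate's subject contains "Superfish"; it inspects only the Windows certificate stores, not per-application stores.

```powershell
# Added example: read-only host triage for the artifacts named in this post.
$installDir = 'C:\Program Files\Lenovo\VisualDiscovery'
$driverKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\VDWFP'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VisualDiscovery'

# SHA1 values of the packed files, copied from this post.
$knownSha1 = @{
    'B5D68FE790F0FD30198F7F6C19FA190F561F301E' = 'VDWFPInstaller.exe'
    'A756FEAA8E32FAE58DAA5FA8983AF810EAFBF038' = 'VDWFP.sys'
    'C38BF92AA13F875862D7153A05D16DD8DC3D9180' = 'VDWFP64.sys'
    '343AF97D47582C8150D63CBCED601113B14FCCA6' = 'VisualDiscovery.exe'
    'EDE269E495845B824738B21E97E34ED8552B838E' = 'SuperfishCert.dll'
}
# Table names as listed in the post; assumed to be values directly under $driverKey.
$tables = 'globalAppTable', 'appTable', 'globalIpTable', 'ipTable', 'globalPortTable', 'portTable'

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Install directory and known file hashes.
if (Test-Path -LiteralPath $installDir) {
    Add-Finding 'InstallDir' $installDir
    Get-ChildItem -LiteralPath $installDir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
        if ($sha1 -and $knownSha1.ContainsKey($sha1)) {
            Add-Finding 'KnownSample' "$($_.FullName) ($($knownSha1[$sha1]))"
        }
    }
}

# 2. Service and driver registration, plus the driver's redirect tables.
foreach ($key in $serviceKey, $driverKey) {
    if (Test-Path -LiteralPath $key) { Add-Finding 'ServiceKey' $key }
}
$drv = Get-ItemProperty -LiteralPath $driverKey -ErrorAction SilentlyContinue
foreach ($name in $tables) {
    if ($drv -and $drv.PSObject.Properties[$name]) {
        Add-Finding 'DriverConfig' "$name = $($drv.$name -join ', ')"
    }
}

# 3. Trusted roots matched by subject name rather than a fixed thumbprint (heuristic only:
#    a per-machine certificate keeps the name but changes the thumbprint).
Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like '*Superfish*' } |
    ForEach-Object { Add-Finding 'RootCert' "$($_.Subject) [$($_.Thumbprint)]" }

$findings | Format-Table -AutoSize -Wrap
if ($findings.Count -eq 0) { 'No Superfish/VisualDiscovery artifacts found.' }
```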

Purpose

Intercepting encrypted connections is definitely a bad thing. But what does this software actually do?

The main purpose is to inject JavaScript from the following URL into almost every HTML page, according to its settings:

https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc