You probably already heard about Superfish adware that was pre-installed on Lenovo PCs, if not you can read it here. In this blogpost I’m making an attempt to analyze it.
Here is the SHA1 hash of the analyzed sample (NSIS Installer): A502EA9FAE7E8FE64308088ECC585B45EAD76DA1 - VT link
SuperFish presents itself as “VisualDiscovery” software and it is based on the Komodia engine. Unfortunately Komodia’s site is offline now, but you might find some information on this backup.
The SuperFish or VisualDiscovery installer works only on Windows 8 or 2012 and does not install itself on Windows 7 or 8.1.
The NSIS installer drops all files to C:\Program Files\Lenovo\VisualDiscovery and afterward executes the following commands:
- run.exe 30000 VisualDiscovery.exe /Auto /Service
- run.exe 30000 C:\WINDOWS\system32\sc.exe start VisualDiscovery
- run.exe 30000 VDWFPInstaller.exe install
The first two commands are for registration and starting the VisualDiscovery service and the last command installs the driver.
VDWFPInstaller.exe
SHA1: B5D68FE790F0FD30198F7F6C19FA190F561F301E - VT link
This is a typical installer for drivers. However, there is one interesting thing inside - it contains code that detects various AV software and it checks if the installer is running inside a Virtual Machine.

VDWFP drivers
- VDWFP.sys SHA1: A756FEAA8E32FAE58DAA5FA8983AF810EAFBF038 - VT link
- VDWFP64.sys SHA1: C38BF92AA13F875862D7153A05D16DD8DC3D9180 - VT link
The drivers (and also other binaries) are signed with an expired certificate:

The driver contains the following PDB path:
This driver implements a connection redirector using the Windows Filtering Platform (WFP) - MSDN. Every time a new connection is created, the driver inspects it and decides whether the connection should be redirected to the proxy or not.
The configuration is stored in the following registry key:
Possible values:
- globalAppTable - applications to never intercept
- appTable - applications to intercept
- globalIpTable - IP addresses to never intercept
- ipTable - IP addresses to intercept
- globalPortTable - ports to intercept
- portTable - ports to never intercept
- andFlag
- portTableInverse
- ipTableInverse
- appTableInverse
Default values:
The user-mode component
The two main parts of the user mode component are VisualDiscovery.exe and SuperfishCert.dll:
- VisualDiscovery.exe - SHA1: 343AF97D47582C8150D63CBCED601113B14FCCA6 - VT link
- SuperfishCert.dll - SHA1: EDE269E495845B824738B21E97E34ED8552B838E - VT link
However, the real payload of these two files is Zlib-compressed and Blowfish-encrypted. The same files after unpacking:
- VisualDiscovery.exe - SHA1: 50221C3B0AEDB5BC26C6A7684182417AC9BCC6E2 - VT link
- SuperfishCert.dll - SHA1: 1FFEBCB1B245C9A65402C382001413D373E657AD - VT link
The SuperfishCert.dll has an internal name KomodiaCertDLL.dll and was compiled on May 12 16:56:12 2014:

The main purpose of this DLL is to install the supplied malicious certificate into various applications. The DLL does not contain the certificate itself.
The VisualDiscovery.exe service is the main component of this adware. The binary of this service is statically linked with OpenSSL 1.0.1h and contains the certificate together with its private key:

Here is the whole certificate:
The private key is encrypted with password “komodia”, but probably you already know it from this blog.
This service implements the proxy and performs a MITM attack on the encrypted connections going through it:

As is evident here, this software implements a pretty generic technique to intercept encrypted connections. Blacklisting the installed certificate is a good idea, but in newer versions it could just generate unique certificates for every new computer.
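To turn the artifacts described in the driver and user-mode sections above into a host check, here is an added audit script (not part of the original post or the Superfish software) that looks for the service, the dropped files with the SHA1 hashes listed above, the VDWFP kernel driver, and a root-store certificate. The `*Superfish*` subject filter and the use of Win32_SystemDriver for the driver lookup are assumptions of this example, since the post does not show the certificate subject or where the driver is registered.

```powershell
# Added audit script: checks a Windows host for the VisualDiscovery/Superfish artifacts
# described in the analysis above. Run from an elevated PowerShell prompt.
$installDir = 'C:\Program Files\Lenovo\VisualDiscovery'

# SHA1 hashes of the on-disk (packed) binaries, as listed in the analysis
$knownHashes = @{
    'VDWFPInstaller.exe'  = 'B5D68FE790F0FD30198F7F6C19FA190F561F301E'
    'VDWFP.sys'           = 'A756FEAA8E32FAE58DAA5FA8983AF810EAFBF038'
    'VDWFP64.sys'         = 'C38BF92AA13F875862D7153A05D16DD8DC3D9180'
    'VisualDiscovery.exe' = '343AF97D47582C8150D63CBCED601113B14FCCA6'
    'SuperfishCert.dll'   = 'EDE269E495845B824738B21E97E34ED8552B838E'
}

$findings = @()

# 1. Service registered by "VisualDiscovery.exe /Auto /Service"
$svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service 'VisualDiscovery' present (status: $($svc.Status))" }

# 2. Dropped files: report every file whose SHA1 matches a known sample hash
if (Test-Path $installDir) {
    $findings += "Install directory exists: $installDir"
    Get-ChildItem -Path $installDir -Recurse -File | ForEach-Object {
        $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
        if ($knownHashes[$_.Name] -eq $sha1) {
            $findings += "Known sample hash match: $($_.FullName) ($sha1)"
        }
    }
}

# 3. WFP redirector driver (assumption: it is registered as a kernel driver named VDWFP*)
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like 'VDWFP*' -or $_.PathName -like '*VDWFP*' } |
    ForEach-Object { $findings += "Kernel driver: $($_.Name) state=$($_.State) path=$($_.PathName)" }

# 4. Root certificate installed for the MITM proxy (subject filter is an assumption)
$certs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like '*Superfish*' }
foreach ($c in $certs) { $findings += "Root store cert: $($c.Subject) thumbprint=$($c.Thumbprint)" }

if ($findings.Count -eq 0) { 'No VisualDiscovery/Superfish artifacts found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

A hash match only identifies this specific sample; a service, driver or root certificate hit is the more durable signal, since, as noted above, a newer build could ship different binaries and a per-machine certificate.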
Purpose
Intercepting encrypted connections is definitely a bad thing. But what does this software actually do?
The main purpose is injecting JavaScript from the following URL into almost every HTML page, according to its settings: