TrojanProxy:Win32/Koobface.AL is a trojan that hijacks web search results. When users click on a result, they are diverted to a third-party search engine that may not display correct search results.
Installation
TrojanProxy:Win32/Koobface.AL is installed in the Windows system folder as:
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It also adds the following registry value as a marker of successful installation:
In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: "c"
With data: "c"
TrojanProxy:Win32/Koobface.AL drops and runs the following batch file:
The batch file contains commands that attempt to do the following:
- Run the network shell utility to add a program exception in the Windows Firewall for the malware service's host process
- Run the network shell utility to add a port exception in the Windows Firewall for TCP port 8087
- Add the malware service to the Windows registry so that it can be set to run automatically at every startup:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sswe
Sets value: "ErrorControl"
With data: "0x00000001"
Sets value: "failureactions"
With data: "00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000"
Sets value: "ImagePath"
With data: "<system>\svchost.exe -k sswe"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Start"
With data: "0x00000002"
Sets value: "Type"
With data: "0x00000120"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sswe\parameters
Sets value: "servicedll"
With data: "<system>\swe.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "sswe"
With data: "sswe"
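The service entries above follow the usual pattern for a svchost-hosted service: an ImagePath of the form `svchost.exe -k <group>`, a ServiceDll under the Parameters subkey, and a group name registered under the SvcHost key. The following Python script is an added example (not part of this write-up, and not Microsoft's tooling) that parses a registry export and reports every svchost-hosted service, flagging the Koobface.AL artifacts listed above and, more generally, any service that runs in a private svchost group named after itself. The export is a constructed sample in simplified .reg syntax: the SvcHost group lists are written as space-separated strings rather than the REG_MULTI_SZ hex form a real export would use, and the file paths are made up.

```python
import re
from typing import Dict, List

# Constructed .reg-style export for this example (not a real capture).
# Group lists under SvcHost are simplified to space-separated strings.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"c"="c"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sswe]
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k sswe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000120

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sswe\parameters]
"servicedll"="C:\\Windows\\System32\\swe.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="C:\\Windows\\System32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"NetworkService"="Dhcp Dnscache"
"sswe"="sswe"
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
IE_MAIN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode(raw: str):
    """Turn a .reg value literal into str (REG_SZ) or int (REG_DWORD)."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name (lowercased): data}}."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1).lower()] = _decode(m.group(2))
    return reg


def lookup(reg: Dict[str, Dict[str, object]], path: str) -> Dict[str, object]:
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    low = path.lower()
    for key, values in reg.items():
        if key.lower() == low:
            return values
    return {}


def svchost_services(reg) -> List[dict]:
    """List services whose ImagePath runs under svchost.exe, with group and ServiceDll.
    private_group is True when the svchost group contains only this one service and
    carries the service's own name, a layout that legitimate services rarely use."""
    groups = {name: str(members).split() for name, members in lookup(reg, SVCHOST).items()}
    found = []
    for key, values in reg.items():
        parent, _, name = key.rpartition("\\")
        if parent.lower() != SERVICES.lower():
            continue
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", str(values.get("imagepath", "")), re.I)
        if not m:
            continue
        group = m.group(1)
        members = [s.lower() for s in groups.get(group.lower(), [])]
        found.append({
            "service": name,
            "group": group,
            "dll": str(lookup(reg, key + "\\parameters").get("servicedll", "")),
            "private_group": members == [name.lower()],
        })
    return found


def koobface_al_indicators(reg) -> List[str]:
    """Match the registry artifacts this write-up lists for TrojanProxy:Win32/Koobface.AL."""
    hits = []
    if lookup(reg, IE_MAIN).get("c") == "c":
        hits.append("IE Main marker value c=c present")
    for svc in svchost_services(reg):
        if svc["service"].lower() == "sswe" and svc["group"].lower() == "sswe":
            hits.append("service sswe hosted in svchost group sswe")
        if svc["dll"].lower().endswith("\\swe.dll"):
            hits.append(f"service {svc['service']} loads swe.dll")
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for svc in svchost_services(parsed):
        print(svc)
    for hit in koobface_al_indicators(parsed):
        print("INDICATOR:", hit)
```

The `private_group` heuristic is the part worth keeping beyond this family: a service that is the sole member of a svchost group bearing its own name, with a ServiceDll in the system folder that no known component owns, deserves a look regardless of the names involved.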
Payload
Redirects user searches
TrojanProxy:Win32/Koobface.AL looks for web sessions involving these search engines:
- ask
- bing
- google
- search.aol
- search.live
- search.msn
- search.mywebsearch
- search.yahoo
When it sees a query being made to any of the search engines above, it forwards the search keywords to a remote server through a GET request. In this example, it connects to the following IP address:
The remote server responds with a referrer and an arbitrary number of URLs that are used in subsequent posts that redirect the user to affiliate sites.
Once a user clicks on a search result, TrojanProxy:Win32/Koobface.AL responds with an HTML file that directs the user to a website that appears to be a third-party search engine. It displays a list of websites that are related to the search keywords. However, there are times when the results shown are not related to the actual search keywords at all.
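The forwarding step described above leaves a recognisable trace in web proxy logs: a request to one of the listed search engines carrying a keyword parameter, followed shortly afterwards from the same client by a GET to a server addressed by a bare IP literal that carries the same keywords. The following Python script is an added example (not part of this write-up) that runs that correlation over a constructed proxy log. The log format (timestamp, client, method, URL), the 60-second window, the keyword parameter names, and the IP addresses and query strings in the sample are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Search engine names taken from the write-up; matched as label sequences in the host name.
SEARCH_HOSTS = ("ask", "bing", "google", "search.aol", "search.live",
                "search.msn", "search.mywebsearch", "search.yahoo")
# Assumed names of the keyword parameter used by those engines.
QUERY_PARAMS = ("q", "p", "query")

# Constructed proxy log: "<iso timestamp> <client> <method> <url>". IPs are documentation ranges.
SAMPLE_LOG = """\
2010-03-01T10:00:01 10.0.0.5 GET http://www.google.com/search?q=cheap+flights
2010-03-01T10:00:02 10.0.0.5 GET http://203.0.113.10:8087/?q=cheap+flights&v=1
2010-03-01T10:00:05 10.0.0.5 GET http://www.google.com/favicon.ico
2010-03-01T10:01:00 10.0.0.7 GET http://search.yahoo.com/search?p=weather+seattle
2010-03-01T10:01:30 10.0.0.7 GET http://198.51.100.4/get?q=weather+seattle
2010-03-01T10:02:00 10.0.0.9 GET http://www.bing.com/search?q=python+tutorial
2010-03-01T10:02:01 10.0.0.9 GET http://www.bing.com/fd/ls/l?IG=1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def is_search_engine(host: str) -> bool:
    """True if the host name contains one of the listed engine names as consecutive labels."""
    labels = host.lower().split(".")
    for name in SEARCH_HOSTS:
        parts = name.split(".")
        if any(labels[i:i + len(parts)] == parts for i in range(len(labels))):
            return True
    return False


def is_ip_literal(host: str) -> bool:
    """True for a host given as a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def keywords_of(url: str) -> Optional[str]:
    """Return the normalised search keywords in the URL's query string, if any."""
    qs = parse_qs(urlsplit(url).query)
    for param in QUERY_PARAMS:
        if param in qs and qs[param][0].strip():
            return " ".join(qs[param][0].split()).lower()
    return None


def find_forwarded_searches(log_text: str, window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Flag GETs to IP-literal hosts that repeat a client's recent search keywords."""
    recent = {}   # client -> [(timestamp, keywords, search host)]
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, url = datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)
        host = urlsplit(url).hostname or ""
        kw = keywords_of(url)
        if kw is None:
            continue
        if is_search_engine(host):
            recent.setdefault(client, []).append((ts, kw, host))
        elif is_ip_literal(host):
            for sts, skw, shost in recent.get(client, []):
                if skw == kw and timedelta(0) <= ts - sts <= window:
                    alerts.append({"client": client, "keywords": kw, "search_host": shost,
                                   "forwarded_to": host, "delay_s": (ts - sts).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_forwarded_searches(SAMPLE_LOG):
        print(alert)
```

Matching on the keyword text rather than on a fixed destination is deliberate: the write-up shows the remote server only as an IP address that can change between samples, whereas the leak of the user's search terms to a non-search host is the behaviour itself.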
Performs commands on the computer
TrojanProxy:Win32/Koobface.AL may perform any of the following commands:
/install - attempts to install itself as a service
/reboot - attempts to reboot the computer
Analysis by Gilou Tenebro