Threat behavior
VirTool:WinNT/Koobface.P is a device driver used by variants of
Win32/Koobface to divert web traffic to a web search hijacker component.
Installation
VirTool:WinNT/Koobface.P is installed in the Windows system folder as:
Note: <system folder> (written <system> in the ImagePath value below) refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP, Vista and 7.
It adds the following registry key and values so that Windows loads it as a kernel-mode driver (Type 1 = SERVICE_KERNEL_DRIVER) during kernel initialization (Start 1 = SERVICE_SYSTEM_START) as a member of the PNP_TDI load-order group:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\swe
Sets value: "Type"
With data: "0x00000001"
Sets value: "Start"
With data: "0x00000001"
Sets value: "ErrorControl"
With data: "0x00000001"
Sets value: "ImagePath"
With data: "<system>\drivers\swe.sys"
Sets value: "DisplayName"
With data: "swe"
Sets value: "Group"
With data: "PNP_TDI"
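The service registration above is the most durable host artifact of this component, so an incident responder would want to check it directly. The following script is an added example, not code from the Microsoft encyclopedia entry: it enumerates kernel-driver services, decodes the Type and Start values, resolves each ImagePath to a file and checks its Authenticode signature, then reports (a) services matching the indicators listed above (service name swe, image drivers\swe.sys) and (b) any other system-start kernel driver in the PNP_TDI group whose image is missing or not validly signed. The function and variable names are the example's own, and it assumes an elevated PowerShell session on the host under investigation.

```powershell
# Added example (not part of the original entry). Run elevated on the suspect host.
# Indicators below are taken from the registry data listed in the entry.
$SuspectService = 'swe'              # service subkey name from the entry
$SuspectImage   = 'drivers\swe.sys'  # tail of the ImagePath value from the entry
$SuspectGroup   = 'PNP_TDI'          # load-order group from the entry

# Meaning of the DWORD values in a service key (constants from the Windows SDK).
$TypeNames  = @{ 1 = 'SERVICE_KERNEL_DRIVER'; 2 = 'SERVICE_FILE_SYSTEM_DRIVER'
                 16 = 'SERVICE_WIN32_OWN_PROCESS'; 32 = 'SERVICE_WIN32_SHARE_PROCESS' }
$StartNames = @{ 0 = 'SERVICE_BOOT_START'; 1 = 'SERVICE_SYSTEM_START'; 2 = 'SERVICE_AUTO_START'
                 3 = 'SERVICE_DEMAND_START'; 4 = 'SERVICE_DISABLED' }

function Resolve-DriverImagePath([string]$ImagePath) {
    # Driver ImagePath values come in several forms: relative to the Windows directory
    # ("system32\drivers\x.sys"), NT-style ("\SystemRoot\system32\drivers\x.sys") or
    # "\??\C:\...". Normalise all of them to a Win32 path we can test and hash.
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$')  { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^[A-Za-z]:\\')          { return $p }
    return Join-Path $env:SystemRoot $p
}

function Get-KernelDriverServices {
    # One object per service whose Type is SERVICE_KERNEL_DRIVER, with decoded values.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $v -or $null -eq $v.Type -or [int]$v.Type -ne 1) { continue }
        $resolved = Resolve-DriverImagePath $v.ImagePath
        $signature = if ($resolved -and (Test-Path -LiteralPath $resolved)) {
            (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
        } else { 'FileMissing' }
        $start = if ($null -ne $v.Start) { $StartNames[[int]$v.Start] } else { 'Unset' }
        [pscustomobject]@{
            Name         = $key.PSChildName
            Type         = $TypeNames[[int]$v.Type]
            Start        = $start
            ErrorControl = $v.ErrorControl
            Group        = $v.Group
            ImagePath    = $v.ImagePath
            ResolvedPath = $resolved
            Signature    = $signature
        }
    }
}

function Find-KoobfaceDriverService {
    $drivers = @(Get-KernelDriverServices)
    # (a) exact indicators from the entry: service name or image file name
    $indicatorHits = $drivers | Where-Object {
        $_.Name -eq $SuspectService -or
        ($_.ImagePath -and $_.ImagePath -like "*\$SuspectImage")
    }
    # (b) broader hunt for a renamed copy: same load profile (system start, PNP_TDI group)
    #     but the image is missing or its signature does not validate
    $suspicious = $drivers | Where-Object {
        $_.Start -eq 'SERVICE_SYSTEM_START' -and $_.Group -eq $SuspectGroup -and
        $_.Signature -ne 'Valid'
    }
    [pscustomobject]@{
        KnownIndicatorHits       = @($indicatorHits)
        UnverifiedPnpTdiDrivers  = @($suspicious)
    }
}

$result = Find-KoobfaceDriverService
"Known indicator hits: $($result.KnownIndicatorHits.Count)"
$result.KnownIndicatorHits | Format-Table Name, Start, Group, ResolvedPath, Signature -AutoSize
"System-start PNP_TDI drivers without a valid signature: $($result.UnverifiedPnpTdiDrivers.Count)"
$result.UnverifiedPnpTdiDrivers | Format-Table Name, Start, Group, ResolvedPath, Signature -AutoSize
```

Treat a NotSigned result in the second list as a lead rather than a verdict: on Windows 7 and earlier, many legitimate Microsoft drivers are signed only through a catalog file, which Get-AuthenticodeSignature does not consult there, so confirm with the file hash and a reputation lookup before acting. A hit in the first list, on the other hand, matches the indicators given above directly. Note that CurrentControlSet reflects the control set the machine booted with; if the machine is being examined offline, load the SYSTEM hive and check the control set named by its Select\Current value instead.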
Payload
Diverts web traffic
VirTool:WinNT/Koobface.P diverts web traffic to a Win32/Koobface component that hijacks searches performed on well-known search engines. When a user clicks a search result, the browser is redirected to a third-party search engine that shows a list of sites which may or may not be related to the original search keywords. This suggests that Koobface participates in a referral program for a pay-per-click scheme, in which the operators are paid for traffic directed to the listed websites.
Additional information
Analysis by Gilou Tenebro
Prevention