VirTool:WinNT/Koobface.gen!E is a generic detection of a kernel-mode device driver component used by other malware to intercept and manipulate DNS queries, TCP/UDP connections, and other traffic. The malware can redirect DNS results and block network connections and traffic.
Installation
VirTool:WinNT/Koobface.gen!E may be dropped and installed by other malware. In the wild, TrojanProxy:Win32/Koobface.gen!K has been observed to drop and install it. In this example, VirTool:WinNT/Koobface.gen!E was dropped as the file '<system folder>\drivers\mrxoko.sys' and installed as a system device service named 'ql600oko'.
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.
Payload
Intercepts network traffic
VirTool:WinNT/Koobface.gen!E creates the devices 'TcpFilter<random letters>' and 'UdpFilter<random letters>' and attaches itself to the IPv4/IPv6 TCP and UDP protocol drivers in order to intercept the I/O request packets (IRPs) passing through them. Through these attachments it also intercepts all TCP/UDP traffic, including the data being sent and received.
VirTool:WinNT/Koobface.gen!E also creates a device with a random name (such as 'EsetDevice<random letters>') to receive configuration data from other Koobface components, such as TrojanProxy:Win32/Koobface.gen!K. This configuration is then used to redirect and block specific DNS queries and network traffic.
Note: The Domain Name System (DNS) is used, among other things, to map human-readable domain names to machine-readable IP addresses. When a user attempts to visit a URL, the browser uses DNS servers to find the IP address of the requested domain. If the user is directed to a malicious server that is not part of the authoritative Domain Name System, or if queries to legitimate DNS servers are intercepted (as in this case), an attacker can return IP addresses of their choosing for particular domain names, directing the user to bogus or malicious sites without the affected user's knowledge.
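As an added illustration, not part of the original entry, the following Python hunt routine checks driver-service records and device object names against the indicators given in the Installation and Payload sections above. It assumes the driver records are supplied as name/path pairs (for example the Name and PathName properties of Win32_SystemDriver) and that device names come from an enumeration of the \Device\ object directory; all sample data is constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators from the entry above: the observed service name and driver file,
# plus device-name prefixes that are followed by random letters. 'EsetDevice'
# is only one observed instance of a random name, so a hit on it alone is weak
# evidence and should be confirmed against the service/file indicators.
KNOWN_SERVICE = "ql600oko"
KNOWN_IMAGE_SUFFIX = r"\drivers\mrxoko.sys"
# Assumption: device objects live under \Device\; the prefix is optional here.
DEVICE_RE = re.compile(
    r"^(?:\\device\\)?(tcpfilter|udpfilter|esetdevice)[a-z]+$", re.IGNORECASE)


@dataclass
class DriverRecord:
    """One installed driver service (e.g. Win32_SystemDriver Name/PathName)."""
    name: str
    path_name: str


@dataclass
class HuntResult:
    driver_hits: list = field(default_factory=list)
    device_hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.driver_hits or self.device_hits)


def hunt(drivers, device_names) -> HuntResult:
    """Flag driver services and device object names matching the indicators."""
    result = HuntResult()
    for rec in drivers:
        if rec.name.lower() == KNOWN_SERVICE:
            result.driver_hits.append(f"service name {rec.name!r}")
        # Works for both 'C:\Windows\System32\...' and '\SystemRoot\System32\...'
        if rec.path_name.lower().endswith(KNOWN_IMAGE_SUFFIX):
            result.driver_hits.append(f"driver image {rec.path_name!r}")
    for dev in device_names:
        m = DEVICE_RE.match(dev)
        if m:
            result.device_hits.append(f"{m.group(1)} device {dev!r}")
    return result


# Constructed sample data: one benign driver, the observed Koobface service,
# and a device list mixing legitimate objects with two of the named families.
SAMPLE_DRIVERS = [
    DriverRecord("tcpip", r"C:\Windows\System32\drivers\tcpip.sys"),
    DriverRecord("ql600oko", r"C:\Windows\System32\drivers\mrxoko.sys"),
]
SAMPLE_DEVICES = [r"\Device\Tcp", r"\Device\TcpFilterqwzx",
                  r"\Device\EsetDeviceabcd", r"\Device\Afd"]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DRIVERS, SAMPLE_DEVICES).driver_hits:
        print("HIT:", hit)
```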
Analysis by Shawn Wang