Threat behavior
VirTool:WinNT/Koobface.gen!F is a detection for a driver component that is used by other malware to redirect TCP connections to specified addresses.
Installation
VirTool:WinNT/Koobface.gen!F may be dropped and installed by other Koobface components.
In the wild, TrojanDropper:Win32/Koobface.N has been observed to drop and install it, typically as '<system folder>\drivers\wzs.sys'.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
Payload
Intercepts network traffic
VirTool:WinNT/Koobface.gen!F attaches itself to the IPv4 and IPv6 TCP transport drivers as a TDI filter driver, so that inbound and outbound TCP connection requests pass through its code before they reach the real transport.
The TDI filter driver includes code to:
- Deny the connection to a specified remote host/port
- Deny the connection from a specified remote host/port
- Redirect the traffic to another host/port
In the wild, under the instruction of TrojanProxy:Win32/Koobface.gen!Q, VirTool:WinNT/Koobface.gen!F has been observed to redirect outgoing HTTP traffic through the Koobface proxy port, for example port 8085. Because the rewrite happens at the transport layer, below Winsock, the browser or other client is not told that its connection now goes to the proxy rather than to the original web server.
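To make the deny/redirect rule logic listed above and the HTTP redirection concrete, here is an added user-mode model in C. It is not code from the Koobface driver or from the Microsoft analysis; a real TDI filter is a kernel driver that attaches to the TCP transport's device object and edits the remote address inside the connect request it intercepts. The model applies a small rule table (deny to a host/port, deny from a host, redirect a port) to connection requests and rewrites the remote endpoint in place on a redirect. The rule table, the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the assumption that the proxy listens on 127.0.0.1 are invented for illustration; only the example port 8085 comes from the text.

```c
/* Added illustration (not Koobface code): a user-mode model of the
 * per-connection decision made by a TDI connection filter of the kind
 * described above. Here the connect request is a plain struct; all
 * addresses and rules are invented for the example. */
#include <stdint.h>
#include <stdio.h>

typedef enum { DIR_OUTBOUND, DIR_INBOUND } direction_t;
typedef enum { ACT_ALLOW, ACT_DENY, ACT_REDIRECT } action_t;

/* A TCP connection request as the filter sees it: direction and remote endpoint. */
typedef struct {
    direction_t dir;
    uint32_t    remote_ip;    /* IPv4, host byte order */
    uint16_t    remote_port;
} conn_request_t;

/* One filter rule. match_ip 0 and match_port 0 are wildcards; first match wins. */
typedef struct {
    direction_t dir;
    uint32_t    match_ip;
    uint16_t    match_port;
    action_t    action;
    uint32_t    redirect_ip;  /* only used for ACT_REDIRECT */
    uint16_t    redirect_port;
} filter_rule_t;

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical rule table in the shape the text describes:
 *  1. deny connections to 203.0.113.7:443         (deny "to" a host/port)
 *  2. deny connections from 198.51.100.5, any port (deny "from" a host)
 *  3. send remaining outbound HTTP to a proxy on 8085 (the page's example port;
 *     that the proxy listens on 127.0.0.1 is this example's assumption) */
static const filter_rule_t g_sample_rules[] = {
    { DIR_OUTBOUND, IPV4(203, 0, 113, 7), 443, ACT_DENY,     0,                  0    },
    { DIR_INBOUND,  IPV4(198, 51, 100, 5),  0, ACT_DENY,     0,                  0    },
    { DIR_OUTBOUND, 0,                     80, ACT_REDIRECT, IPV4(127, 0, 0, 1), 8085 },
};
static const size_t g_sample_rule_count = sizeof g_sample_rules / sizeof g_sample_rules[0];

/* Parse a dotted quad into a host-order uint32; returns 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = IPV4(a, b, c, d);
    return 1;
}

static int rule_matches(const filter_rule_t *r, const conn_request_t *q)
{
    return r->dir == q->dir
        && (r->match_ip == 0 || r->match_ip == q->remote_ip)
        && (r->match_port == 0 || r->match_port == q->remote_port);
}

/* Run the table over a request. On ACT_REDIRECT the remote endpoint is rewritten
 * in place, as a TDI filter alters the connect request before passing it down
 * to the real transport. No matching rule means the connection is allowed. */
action_t filter_connect(const filter_rule_t *rules, size_t n, conn_request_t *q)
{
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], q)) continue;
        if (rules[i].action == ACT_REDIRECT) {
            q->remote_ip   = rules[i].redirect_ip;
            q->remote_port = rules[i].redirect_port;
        }
        return rules[i].action;
    }
    return ACT_ALLOW;
}

/* Parse the remote address, apply the sample table and optionally return the
 * (possibly rewritten) request. Returns the action, or -1 on a bad address. */
int decide(direction_t dir, const char *remote_ip, uint16_t remote_port,
           conn_request_t *result)
{
    conn_request_t q = { dir, 0, remote_port };
    if (!parse_ipv4(remote_ip, &q.remote_ip)) return -1;
    int act = (int)filter_connect(g_sample_rules, g_sample_rule_count, &q);
    if (result) *result = q;
    return act;
}

int main(void)
{
    static const char *names[] = { "ALLOW", "DENY", "REDIRECT" };
    struct { direction_t dir; const char *ip; uint16_t port; } samples[] = {
        { DIR_OUTBOUND, "203.0.113.10", 80 },   /* HTTP: redirected to the proxy */
        { DIR_OUTBOUND, "203.0.113.7",  443 },  /* denied by rule 1 */
        { DIR_INBOUND,  "198.51.100.5", 3389 }, /* denied by rule 2 */
        { DIR_OUTBOUND, "203.0.113.10", 443 },  /* no rule: allowed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        conn_request_t r;
        int act = decide(samples[i].dir, samples[i].ip, samples[i].port, &r);
        printf("%-3s %s:%u -> %s", samples[i].dir == DIR_OUTBOUND ? "out" : "in",
               samples[i].ip, (unsigned)samples[i].port, names[act]);
        if (act == ACT_REDIRECT)
            printf(" (now %u.%u.%u.%u:%u)", r.remote_ip >> 24, (r.remote_ip >> 16) & 255,
                   (r.remote_ip >> 8) & 255, r.remote_ip & 255, (unsigned)r.remote_port);
        putchar('\n');
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall tdi_model.c` and run; each sample request is printed with its fate, and the HTTP request ends up pointed at 127.0.0.1:8085. The point of the model is the first-match wildcard table and the in-place rewrite: the caller of `filter_connect` (in the real driver, the TCP transport receiving the connect request) never sees the original destination.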
Analysis by Chun Feng
Prevention