The Bohu Trojan has been seen attempting to block cloud-based technologies in anti-virus products.
Enterprises are not the only ones interested in cloud security products.
Malware authors have their eyes on them too - something exemplified
by the Bohu Trojan, which blocks connections from Windows machines to
cloud anti-virus technologies to disable users' defenses.
The malware was first spotted by Microsoft researchers in China
targeting popular anti-virus products there. According to Microsoft,
the Trojan typically masquerades as a video player to trick users into
downloading. Once on a computer, the malware intercepts and blocks
traffic going to a number of anti-virus sites, including
rsup10.rising.com.cn and down.360safe.com, Symantec found
"Cloud-based virus detection generally works by client sending
important threat data to the server for backend analysis, and
subsequently acquiring further detection and removal instruction,"
Microsoft researchers Jingli Li and Zhitao Zhou explained in a blog post
"The process can take seconds to minutes, and is designed to remove
malware not handled by the traditional on-the-box signature
approach. Bohu tries to sever the communication between cloud
client and server, and constantly modify file content of its
components, in order to evade detection from cloud-based scanning."
After compromising a system, the Trojan creates and installs a
number of files. It also installs a Network Driver Interface
Specification (NDIS) filter, modifies the registry and writes random
junk data into the end of its key payload components to dodge
hash-based detection used by cloud-based anti-virus technologies
According to Microsoft, Bohu blocks access
to anti-virus cloud servers via a Windows Sockets service
provider interface (SPI) filter that blocks network traffic
between the cloud security client and server.
"The purpose of the [NDIS] driver is to prevent the antivirus
client from uploading data to the server by looking for the server
addresses in the IP datagram," the Microsoft researchers said in their
blog post. "The driver probes the data stream and find HTTP request
keywords and cloud-server names of some of the major Chinese AV
vendors, such as Kingsoft, Rising, and Qihoo. We have contacted the
relevant vendors about this malware threat."
In addition, Bohu modifies searches from sogou.com, and deletes cookies from Sogou, Baidu and Google as well.
Among the sites the malware blocks traffic to is geo.kaspersky.com.
According to Kurt Baumgartner, senior malware researcher at
Kaspersky Lab, some of the techniques the Trojan uses are old, and have
been around more than a decade. Simple "morphing with junk data is not
a new method," he said, adding the Trojan's behavior makes it easier to
detect by client-side behavioral protections.
"In combination with the other two techniques, it is clear that they
are specifically targeting some of the newer cloud based technologies,"
he added. "The other two methods are more difficult to pull off,
reliably modifying NDIS for the malware's cloud-severing purposes is
not trivial. But it's certainly not the first time that malware
attempts to suffocate protective technologies' access to the Internet."