Bohu Trojan is Designed to Disable Cloud Antivirus

Thursday, January 20, 2011



Microsoft researchers have identified a Trojan designed to render ineffective the antivirus software on cloud networks predominantly used in China.

The Bohu Trojan, which targets machines running Windows, disrupts cloud-based antivirus software by installing a filter in between the hardware and the cloud service provider.

Jingli Li and Zhitao Zhou, writing for the Microsoft Malware Protection Center, describe the methods the Bohu Trojan uses to interfere with the antivirus functions:

  • "Technique 1: Evade hash-based detection using file modifications. Bohu writes random junk data into the end of its key payload components to avoid hash-based detection commonly used by cloud-based antivirus technologies."
  • "Technique 2: Prevent access to AV cloud servers by a SPI network filter. Bohu installs a Windows Sockets service provider interface (SPI) filter that blocks network traffic between the cloud security client and server."
  • "Technique 3: Packet interception by NDIS filter driver. Bohu installs a Network Driver Interface Specification (NDIS) filter. The purpose of the driver is to prevent the antivirus client from uploading data to the server by looking for the server addresses in the IP datagram. The driver probes the data stream and find HTTP request keywords and cloud-server names of some of the major Chinese AV vendors, such as Kingsoft, Rising, and Qihoo. We have contacted the relevant vendors about this malware threat."

The Bohu Trojan is spread primarily through social engineering techniques, which the researchers describe as the use of tainted files with appealing names as well as offering a bogus video playback application.

Bohu is the first generation of malware that specifically targets cloud-based antivirus software, and has the ability to actively evade detection on infected networks.


Possibly Related Articles:
Cloud Security
Antivirus Microsoft Trojans malware Windows Cloud Computing Headlines Bohu
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.