Microsoft researchers have identified a Trojan designed to render ineffective the antivirus software on cloud networks predominantly used in China.
The Bohu Trojan, which targets machines running Windows, disrupts cloud-based antivirus software by installing a filter in between the hardware and the cloud service provider.
Jingli Li and Zhitao Zhou, writing for the Microsoft Malware Protection Center, describe the methods the Bohu Trojan uses to interfere with the antivirus functions:
- "Technique 1: Evade hash-based detection using file modifications. Bohu writes random junk data into the end of its key payload components to avoid hash-based detection commonly used by cloud-based antivirus technologies."
- "Technique 2: Prevent access to AV cloud servers by a SPI network filter. Bohu installs a Windows Sockets service provider interface (SPI) filter that blocks network traffic between the cloud security client and server."
- "Technique 3: Packet interception by NDIS filter driver. Bohu installs a Network Driver Interface Specification (NDIS) filter. The purpose of the driver is to prevent the antivirus client from uploading data to the server by looking for the server addresses in the IP datagram. The driver probes the data stream and find HTTP request keywords and cloud-server names of some of the major Chinese AV vendors, such as Kingsoft, Rising, and Qihoo. We have contacted the relevant vendors about this malware threat."
The Bohu Trojan is spread primarily through social engineering techniques, which the researchers describe as the use of tainted files with appealing names as well as offering a bogus video playback application.
Bohu is the first generation of malware that specifically targets cloud-based antivirus software, and has the ability to actively evade detection on infected networks.