Cloud Antivirus Security Threatened By Bohu TrojanBy CIOinsight | Posted 01-20-2011
Enterprises are not the only ones interested in cloud security products.
Malware authors have their eyes on them too -- something exemplified by the Bohu Trojan, which blocks connections from Windows machines to cloud anti-virus technologies to disable users' defenses.
The malware was first spotted by Microsoft researchers in China targeting popular anti-virus products there. According to Microsoft, the Trojan typically masquerades as a video player to trick users into downloading. Once on a computer, the malware intercepts and blocks traffic going to a number of anti-virus sites, including rsup10.rising.com.cn and down.360safe.com, Symantec found.
"Cloud-based virus detection generally works by client sending important threat data to the server for backend analysis, and subsequently acquiring further detection and removal instruction," Microsoft researchers Jingli Li and Zhitao Zhou explained in a blog post. "The process can take seconds to minutes, and is designed to remove malware not handled by the traditional on-the-box signature approach. Bohu tries to sever the communication between cloud client and server, and constantly modify file content of its components, in order to evade detection from cloud-based scanning."
After compromising a system, the Trojan creates and installs a number of files. It also installs a Network Driver Interface Specification (NDIS) filter, modifies the registry and writes random junk data into the end of its key payload components to dodge hash-based detection used by cloud-based anti-virus technologies.
For more, read the eWeek article: Trojan Blocks Cloud Anti-virus Security Technology.