21 Jan 2011

Bohu Trojan bypasses clouds

Microsoft researchers have identified the Bohu Trojan as malware able to stop cloud-based security technologies from functioning. The Trojan spreads through social engineering, using tainted files with appealing names. The malware was first spotted in China and poses as a video player to trick users into downloading it.

Once run, the malware drops its component files and installs an NDIS (Network Driver Interface Specification) driver. The Bohu Trojan then blocks access to anti-virus cloud servers through a Windows Sockets (Winsock) service provider interface component.
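A defender's first question after reading this is how to tell whether a machine's Winsock stack has been layered over. The following is an added example, not Microsoft's or the malware's code: it parses the text output of the standard Windows command `netsh winsock show catalog` and flags provider entries that are layered service providers, that sit in a protocol chain, or whose DLL lives outside the system directory. The catalog text embedded below is constructed to resemble that command's output; the second entry (the `example_lsp.dll` path, its GUID and catalog ID) is a made-up placeholder, and the `%SystemRoot%` expansion to `C:\Windows` is an assumption.

```python
"""
Flag non-standard Winsock service providers in `netsh winsock show catalog` output.

Added example (not Microsoft's or the malware's code). The catalog text is
CONSTRUCTED to resemble netsh output; the second entry is a hypothetical
third-party layered provider with a made-up path, GUID and catalog ID.
"""
import re

# Constructed sample: one stock Microsoft base provider, one hypothetical LSP.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\Windows\\example_lsp.dll
Catalog Entry ID:                   1040
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
"""

# Assumption: %SystemRoot% expands to C:\Windows on the inspected host.
SYSTEM_ROOT = "c:\\windows"
SYSTEM32 = SYSTEM_ROOT + "\\system32\\"


def parse_catalog(text):
    """Split the netsh text into one dict of 'Field: value' pairs per entry."""
    entries = []
    for chunk in re.split(r"Winsock Catalog Provider Entry\r?\n-+\r?\n", text):
        fields = {}
        for line in chunk.splitlines():
            m = re.match(r"^([A-Za-z ]+?):\s+(.*\S)\s*$", line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Provider Path" in fields:  # skip the empty chunk before the first header
            entries.append(fields)
    return entries


def suspicious_entries(entries):
    """Return (catalog id, description, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        path = e["Provider Path"].lower().replace("%systemroot%", SYSTEM_ROOT)
        if not path.startswith(SYSTEM32):
            reasons.append("provider DLL outside %SystemRoot%\\system32")
        if "layered" in e.get("Entry Type", "").lower():
            reasons.append("layered service provider (sees every socket call)")
        if int(e.get("Protocol Chain Length", "1")) > 1:
            reasons.append("protocol chain length > 1 (provider is chained over another)")
        if reasons:
            findings.append((e["Catalog Entry ID"], e["Description"], reasons))
    return findings


if __name__ == "__main__":
    # On a live host: run `netsh winsock show catalog` and feed its output instead.
    for entry_id, desc, reasons in suspicious_entries(parse_catalog(SAMPLE_CATALOG)):
        print(f"catalog entry {entry_id}: {desc}")
        for r in reasons:
            print(f"    - {r}")
```

Because the article notes that Bohu keeps rewriting the content of its own component files, a file-hash indicator for the dropped DLL is unreliable; looking at where the Winsock catalog points, and whether anything has been layered over the stock providers, catches the hook regardless of what the file currently hashes to. On a clean Windows 7 era machine every provider path should resolve under `system32`, so any hit from this script is a lead to investigate rather than a verdict.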

“Cloud-based virus detection generally works by client sending important threat data to the server for backend analysis, and subsequently acquiring further detection and removal instruction,” said Microsoft researchers Jingli Li and Zhitao Zhou. “Bohu tries to sever the communication between cloud client and server, and constantly modify file content of its components, in order to evade detection from cloud-based scanning.”

The Bohu Trojan is the first generation of malware that specifically targets cloud-based anti-virus software. The techniques it uses are old, however, and its behavior is easy to detect with client-side protections. Last year saw the amount of malware double compared with 2009.