Enterprises are not the only ones interested in cloud security products; malware authors have their eyes on them, too. This is exemplified by the Bohu Trojan, which blocks connections from Windows machines to cloud anti-virus technologies to disable users' defences.
The malware was first spotted by Microsoft researchers in China targeting popular anti-virus products there. According to Microsoft, the Trojan typically masquerades as a video player to trick users into downloading it. Once on a computer, the malware intercepts and blocks traffic going to a number of anti-virus sites, including rsup10.rising.com.cn and down.360safe.com, Symantec found.
After compromising a system, the Trojan creates and installs a number of files. It also installs a Network Driver Interface Specification (NDIS) filter, modifies the registry and writes random junk data into the end of its key payload components to dodge hash-based detection used by cloud-based anti-virus technologies.
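The junk-appending trick works because a full-file hash changes when a single byte is added, while the executable's actual image does not. The following added example (not code from Microsoft's or Symantec's analysis) builds a constructed, PE-shaped blob, appends random overlay bytes the way the article describes, and shows that a hash computed only up to the end of the last section stays stable; the `build_fake_pe` helper and its header values are assumptions for the demonstration, not a real executable.

```python
import hashlib
import os
import struct

# Constructed toy layout: MZ stub, PE signature at 0x40, 0xE0-byte optional header, one section.
PE_OFFSET = 0x40
OPT_HDR_SIZE = 0xE0
SECTION_HDR_SIZE = 40


def build_fake_pe(section_data: bytes) -> bytes:
    """Build a minimal PE-shaped blob (hypothetical, not runnable code) with one section."""
    stub = bytearray(PE_OFFSET)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, PE_OFFSET)  # e_lfanew points at the PE signature
    # "PE\0\0", Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    raw_ptr = PE_OFFSET + len(coff) + OPT_HDR_SIZE + SECTION_HDR_SIZE
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 unused bytes
    section = struct.pack("<8sIIII", b".text", len(section_data), 0x1000, len(section_data), raw_ptr)
    return bytes(stub) + coff + bytes(OPT_HDR_SIZE) + section + bytes(16) + section_data


def end_of_sections(pe: bytes) -> int:
    """Offset where the last section's raw data ends; anything after it is overlay."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    sec_tbl = pe_off + 24 + opt_size
    end = 0
    for i in range(nsec):
        size_raw, ptr_raw = struct.unpack_from("<II", pe, sec_tbl + i * SECTION_HDR_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def full_hash(pe: bytes) -> str:
    """Whole-file SHA-256: defeated by appending a single junk byte."""
    return hashlib.sha256(pe).hexdigest()


def image_hash(pe: bytes) -> str:
    """SHA-256 over the mapped image only, ignoring any appended overlay."""
    return hashlib.sha256(pe[:end_of_sections(pe)]).hexdigest()


def overlay_size(pe: bytes) -> int:
    """Bytes beyond the last section; large random overlays are worth a closer look."""
    return len(pe) - end_of_sections(pe)


def append_junk(pe: bytes, n: int) -> bytes:
    """Mimic the article's padding: random bytes written after the payload."""
    return pe + os.urandom(n)
```

Many legitimate installers and packers also carry overlays, so overlay presence alone is not an indicator; the point is that a detection keyed on the image hash, or on section hashes, survives the padding while a whole-file hash does not.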
According to Microsoft, Bohu blocks access to anti-virus cloud servers via a Windows Sockets service provider interface (SPI) filter that blocks network traffic between the cloud security client and server.
“The purpose of the [NDIS] driver is to prevent the antivirus client from uploading data to the server by looking for the server addresses in the IP datagram,” the Microsoft researchers said in their blog post. “The driver probes the data stream and finds HTTP request keywords and cloud-server names of some of the major Chinese AV vendors, such as Kingsoft, Rising, and Qihoo. We have contacted the relevant vendors about this malware threat.”
In addition, Bohu modifies searches from sogou.com, and deletes cookies from Sogou, Baidu and Google as well.
Among the sites the malware blocks traffic to is geo.kaspersky.com. According to Kurt Baumgartner, senior malware researcher at Kaspersky Lab, some of the techniques the Trojan uses are old, and have been around more than a decade. Simple “morphing with junk data is not a new method,” he said, adding the Trojan’s behaviour makes it easier to detect by client-side behavioural protections.
“In combination with the other two techniques, it is clear that they are specifically targeting some of the newer cloud based technologies,” he added. “The other two methods are more difficult to pull off, reliably modifying NDIS for the malware’s cloud-severing purposes is not trivial. But it’s certainly not the first time that malware attempts to suffocate protective technologies’ access to the Internet.”