Trojan Bohu, the first attack against the cloud antivirus system

When it first appeared in 2009, the concept of antivirus software using cloud computing seemed like a magical, powerful solution for all computer users concerned about their security. In a cloud-based antivirus, a good part of the file-processing job is transferred to the server, resulting in light use of local computer resources and, theoretically, better protection: when a user faces a new zero-day threat, the scanning services running on the server find the best way to protect the user against it, and that new threat "signature" automatically becomes available to all users from the cloud, including the disinfection or computer safeguard instructions. In a few words, the goals of a cloud antivirus are real-time protection against zero-day malware and lower usage of local computer resources, CPU and RAM.

However, for a cloud antivirus to work properly, an Internet connection is of the utmost importance. Even if these antiviruses cache the virus signatures in a local folder, communication with the server is compulsory in order to accomplish the main goal: protection against zero-day malware.

It must be mentioned that many other antivirus companies are starting to use cloud computing analysis in their software.

A new trojan named Bohu is emanating from the Taiwan (China) space and, among the other common features of a trojan, has a new feature to disrupt the proper operation of cloud antivirus software. The Bohu authors chose a common method to spread it: an obviously fake high-definition video player, or urging users to download and install a fake video codec.

The trojan tries to escape detection by a cloud antivirus by adopting several strategies:

  • A cloud antivirus submits a file hash to the server and waits for the response to determine whether the file contains malicious code or is harmless. By altering the file hash, appending several junk bytes to its components, the trojan body and its components can circumvent the analysis of the cloud antivirus engine.
  • By installing a Network Driver Interface Specification (NDIS) driver, it monitors the network interface, trying to detect and block communications with the antivirus cloud servers and thus preventing the upload of dubious files to the server for analysis. This is achieved by looking for server names or IPs, or for specific keywords, in the HTTP requests. An NDIS driver can be very powerful; it is used, for example, in firewalls to filter and block malicious traffic.
  • The Bohu trojan also installs an SPI (Service Provider Interface) module with the same purpose as the above: to block the traffic between the client and the server of a cloud security service.
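The hash-lookup weakness in the first bullet can be reduced on the service side by keying the lookup on the mapped PE image rather than on the whole file, so that bytes appended after the last section (the overlay) no longer change the key. The Python below is an added example of that check, not code from the original post or from any of the vendors named; the sample PE it builds is a constructed, header-only stand-in, and the check does not cover junk inserted inside a section, which such a key would still miss.

```python
import hashlib
import struct

def pe_overlay_offset(data: bytes) -> int:
    """Offset where the last PE section's raw data ends. Anything after it is
    'overlay': never mapped by the loader, and exactly where appended junk
    lands. Raises ValueError if the buffer does not parse as a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                            # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                   # first IMAGE_SECTION_HEADER
    end = table + 40 * num_sections                # at least the headers
    for i in range(num_sections):                  # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def full_file_hash(data: bytes) -> str:
    """The naive lookup key: changes when a single byte is appended."""
    return hashlib.sha256(data).hexdigest()

def overlay_stripped_hash(data: bytes) -> str:
    """Lookup key over the mapped image only; trailing junk is ignored."""
    return hashlib.sha256(data[:pe_overlay_offset(data)]).hexdigest()

def build_sample_pe() -> bytes:
    """Constructed stand-in for a dropped file (headers only, not runnable):
    MZ stub, PE signature, COFF header, empty optional header, one section."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, opt size 0
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x20, 0x1000, 0x20, 0x80, 0, 0, 0, 0, 0x60000020)
    headers = (mz + b"PE\0\0" + coff + section).ljust(0x80, b"\0")
    return headers + bytes(range(0x20))                          # raw data at 0x80

if __name__ == "__main__":
    known = build_sample_pe()
    padded = known + b"JUNK" * 8                   # the padding trick described above
    print("full-file hash still matches:      ", full_file_hash(known) == full_file_hash(padded))
    print("overlay-stripped hash still matches:", overlay_stripped_hash(known) == overlay_stripped_hash(padded))
```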

So far, three affected antivirus companies have been noticed, all from China: Kingsoft, Rising, and Qihoo.

The trojan creates an installation folder named Baidu under Program Files and drops there several files with semi-random names such as:

  • wsof6.xml
  • u0001.xml
  • v0001.xml
  • msfsv.exe

Using the executable from the installation folder (msfsv.exe in our example) and the data from the dropped files, the trojan builds a randomly named executable, for example setup270543.exe, which is what is actually detected as Trojan:win32/Bohu.

The Bohu trojan is not using cutting-edge technology to infect a computer: using a fake video player or fake driver as the infection vector, or appending random junk data to files to avoid antivirus detection, are old methods used by malware creators. Still, it must be mentioned as the first attack against cloud computing security services.

Infection with the Bohu trojan can be easily avoided by following two basic pieces of security advice:

  • Use an up-to-date antivirus, preferably with an incorporated firewall, or at least use the default Windows firewall;
  • Don't give in to the idea of downloading and installing a video player or video codec of unknown reputation, even if porn video files are promised.

Keep safe!
