Thursday, January 20, 2011

Chinese Malware Takes Aim at the Cloud-based AV

Via Microsoft MMPC Blog -

The Microsoft Malware Protection Center has been tracking a recent threat that attacks cloud-based antivirus technology provided by popular major antivirus software vendors in China. The malware is named Win32/Bohu (TrojanDropper:Win32/Bohu.A).

The Bohu malware is native to the China region. Bohu attracts user installation by social engineering techniques, for example, using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more interesting part of Bohu is that the malware blocks cloud-based services now commonly featured in major Chinese antivirus products. Specifically, Bohu uses a number of different techniques in order to attempt to thwart Cloud-based AV technologies.


Cloud-based virus detection generally works by client sending important threat data to the server for backend analysis, and subsequently acquiring further detection and removal instruction. The process can take seconds to minutes, and is designed to remove malware not handled by the traditional on-the-box signature approach.

Bohu tries to sever the communication between cloud client and server, and constantly modify file content of its components, in order to evade detection from cloud-based scanning. Bohu is part of the first wave of malware that specifically targets cloud-based antivirus technology.

No comments:

Post a Comment