Chinese Trojan blocks cloud-based security defences

Malcontent · #1 January 20th, 2011, 11:23 PM

http://www.theregister.co.uk/2011/01...usting_trojan/

Quote:

Miscreants have released a Trojan specially designed to disable cloud-based anti-virus security defences.

The Bohu blocks connections from infected Windows devices and cloud anti-virus services in place to protect them. Malware writers have long included routines to disable components of desktop anti-virus software packages or block access to anti-virus websites from infected machines.

Bohu - which was spotted by anti-virus researchers working for Microsoft in China - is hardwired to block access to cloud-based net services from Kingsoft, Qihoo, and Rising. All three firms are based in China.

funkydude · #2 January 20th, 2011, 11:26 PM

More detail: https://blogs.technet.com/b/mmpc/arc...the-cloud.aspx

Kernelwars · #3 January 21st, 2011, 12:20 AM

ah thanks for posting this..

I dont like to rely on antivirus for protection..I do have em but thats it..I believe that if you have a clean image to fall back you are good to go no matter what

IMO

drhu22 · #4 January 21st, 2011, 12:51 AM

Read this thread from #6 onwards

http://www.wilderssecurity.com/showt...ighlight=panda

#5 January 21st, 2011, 01:40 PM

https://www.infosecisland.com/blogvi...Antivirus.html

Quote:

"Technique 1: Evade hash-based detection using file modifications. Bohu writes random junk data into the end of its key payload components to avoid hash-based detection commonly used by cloud-based antivirus technologies."

Sm3K3R · #6 January 21st, 2011, 02:03 PM

So the cloud based detection has been nailed ?!

#7 January 21st, 2011, 04:48 PM

Of course!

drhu22 · #8 January 21st, 2011, 06:47 PM

Can anyone test this with immunet?

dr pan k · #9 January 22nd, 2011, 09:44 AM

not that i have tested it but for now it only "blocks" chinese vendors (rising,qihoo and kingsoft). the technology used by bohu can be easily implemented on other known malware pieces and trust me on this one, it will be within days or so.

actually lots of people were waiting for something like this to pop up for quite some time now

ps: on second read it probably interacts with norton and kaspersky too, at some extencion

Ibrad · #10 January 22nd, 2011, 11:48 AM

Interesting, everyone knew that malware like this would eventually come. However the cloud vendors will most likely push out a client side update that allows the engine to detect the threat without being on the cloud. The back and forth game continues.

#11 January 23rd, 2011, 05:04 AM

Quote:

Originally Posted by Ibrad

However the cloud vendors will most likely push out a client side update that allows the engine to detect the threat without being on the cloud. The back and forth game continues.

... and Bohu 2 will kill the cloud again and so on ...

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search