Jan 21, 2011 08:20 GMT

A newly discovered piece of malware specifically targets cloud-based antivirus services and blocks AV products from communicating with the vendor's servers.

Dubbed Bohu by Microsoft, the malware originated in China and particularly targets the cloud servers of Chinese antivirus vendors Kingsoft, Rising, and Qihoo.

Its authors use the common "required codec" social engineering technique to distribute the malware and infect computers.

They advertise video files with attractive names, but when users try to view them, they claim a program called "Bohu high-definition video player" is required.

Once on the computer, the malware attempts to evade cloud antivirus detection, which relies on computing file hashes and checking them against the vendor's threat database.

Bohu achieves this goal by writing junk data at the end of its key components, making their hash unique for each infection.
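The evasion described above only works against a lookup that hashes the whole file. The example below, added here and not taken from the article or from Microsoft's analysis, models the two detector designs side by side over a constructed toy container (magic, declared payload length, payload, optional trailing bytes): a whole-file hash changes as soon as anything is appended, while a hash over only the declared content does not. The `TOYX` format, the sample bytes and the "known bad" sets are all constructed for this illustration.

```python
"""Added example: whole-file hashing vs. hashing only the declared content.

Everything here is constructed for illustration: the TOYX container format,
the sample component bytes and the 'known bad' hash sets. Nothing is a Bohu
artefact.
"""
import hashlib
import struct

MAGIC = b"TOYX"  # constructed 4-byte magic for the toy container
HEADER_LEN = 8   # magic (4 bytes) + little-endian uint32 payload length


def build_image(payload: bytes, trailing: bytes = b"") -> bytes:
    """Build a toy container; `trailing` models bytes appended past the declared content."""
    return MAGIC + struct.pack("<I", len(payload)) + payload + trailing


def whole_file_hash(image: bytes) -> str:
    """Naive cloud lookup key: SHA-256 over every byte of the file."""
    return hashlib.sha256(image).hexdigest()


def declared_end(image: bytes) -> int:
    """Offset where the content the header declares ends; validates the header first."""
    if image[:4] != MAGIC or len(image) < HEADER_LEN:
        raise ValueError("not a TOYX container")
    (length,) = struct.unpack("<I", image[4:HEADER_LEN])
    end = HEADER_LEN + length
    if end > len(image):
        raise ValueError("declared length exceeds file size")
    return end


def declared_content_hash(image: bytes) -> str:
    """Robust lookup key: SHA-256 over header + declared payload only, ignoring any overlay."""
    return hashlib.sha256(image[:declared_end(image)]).hexdigest()


def overlay_size(image: bytes) -> int:
    """Bytes present beyond the declared content; a non-zero value is itself worth flagging."""
    return len(image) - declared_end(image)


def cloud_lookup(image: bytes, known_bad, hasher) -> bool:
    """Model the client step: compute a hash and check it against the vendor's list."""
    return hasher(image) in known_bad


if __name__ == "__main__":
    body = b"constructed sample component body"
    reference = build_image(body)                       # copy the vendor already knows
    tampered = build_image(body, b"\x00\xff" * 32)      # same content, 64 trailing bytes
    print("whole-file hit:", cloud_lookup(tampered, {whole_file_hash(reference)}, whole_file_hash))
    print("content-only hit:", cloud_lookup(tampered, {declared_content_hash(reference)}, declared_content_hash))
    print("overlay bytes:", overlay_size(tampered))
```

For real executables the same idea means keying the lookup on the sections described by the PE header rather than on the raw file, and treating unexplained overlay data as a signal in its own right.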

The second step of its payload is to block access to the cloud antivirus servers. "Bohu installs a Windows Sockets service provider interface (SPI) filter that blocks network traffic between the cloud security client and server," Microsoft's security researchers explain.

In addition, the malware installs a Network Driver Interface Specification (NDIS) filter that prevents data from being uploaded to remote servers, matching on keywords and server names in HTTP requests.

Bohu is the first threat to specifically target the cloud antivirus technology that many security vendors rely on to detect the latest threats.

The cloud antivirus model offers an advantage because it allows products to use the vendor's threat data in real time, resulting in quicker responses. In comparison, traditional signatures take time to write and deploy.

Furthermore, malware scan performance can be significantly improved, because it is quicker to calculate a hash, send it to the server and receive a response than to analyze the code locally.

Malware like Bohu is proof that cybercriminals keep up with the latest anti-malware technologies and make significant efforts to thwart them.