
"Anti-Anti-Virus" Bohu Attacks Cloud-based AV

Posted By Netgear Threat Lab at 5:39 PM, May 27, 2011

Cloud anti-virus refers to the use of the "Cloud" for the purpose of stopping viruses. In recent years, a number of security vendors have deployed cloud-based AV solutions. In this type of infrastructure, virus data from the client is uploaded to the cloud server for analysis. The server(s) in the cloud will then report the results back to the client. Compared with the traditional use of local virus databases for virus detection, this technique is faster and more efficient.

Early this year, a virus tailored to bypass "cloud antivirus" was found: the Bohu virus.

Bohu originates from China, and uses various social engineering techniques to disguise and spread itself. For example, it will be disguised as a "bohu HD player" software to entice users to download and install it.

Once users install the virus program, Bohu utilizes a number of techniques to disrupt and take down cloud-based AV:

1. Bohu installs a Windows Sockets Service Provider Interface (SPI) filter and uses it to block data transfer between the cloud server and the client.

2. Bohu installs a Network Driver Interface Specification (NDIS) filter driver; with it, Bohu can inspect network traffic and block HTTP request packets that contain specific domain names or keywords.

3. Bohu randomly inserts garbage code into its program to circumvent hash-based anti-virus detection.
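The Winsock SPI filter in point 1 is registered as a Layered Service Provider (LSP) in the Winsock catalog, which an administrator can dump with `netsh winsock show catalog`. The Python example below is an added illustration, not code from the original post or from Netgear: it parses a constructed dump in that output format and flags layered providers or protocol chains whose DLL does not live under the system directory, which is one triage check for this class of tampering. The provider DLL path, GUID and description in the sample are made up for the example; in practice a flagged entry should be verified by its code signature, and `netsh winsock reset` restores a clean catalog. On Windows 8 and later LSPs are deprecated in favour of the Windows Filtering Platform, so this check is most relevant to the XP/7-era systems Bohu targeted.

```python
"""Triage a Winsock catalog dump for unexpected Layered Service Providers."""
import re
from typing import Dict, List

# Constructed sample of `netsh winsock show catalog` output, trimmed to the
# fields this check needs. Entries 1007/1008 are a hypothetical third-party
# LSP (and its protocol chain) loaded from a user profile directory.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        EXAMPLE Network Filter
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\Users\demo\AppData\Roaming\hdplayer\netflt.dll
Catalog Entry ID:                   1007
Version:                            2
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        EXAMPLE Network Filter over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Users\demo\AppData\Roaming\hdplayer\netflt.dll
Catalog Entry ID:                   1008
Version:                            2
Protocol Chain Length:              2
"""

# "Key:   value" lines; the value is everything after the run of spaces.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s{2,}(?P<val>.+?)\s*$")

# Directories from which the built-in Microsoft providers are loaded.
TRUSTED_DIR_PREFIXES = (
    "%systemroot%\\system32\\",
    "%systemroot%\\syswow64\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the netsh dump into one dict of fields per catalog entry."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m["key"].strip()] = m["val"]
    return entries


def is_trusted_path(path: str) -> bool:
    """True if the provider DLL lives under a system directory."""
    p = path.strip().lower().replace("/", "\\")
    return any(p.startswith(prefix) for prefix in TRUSTED_DIR_PREFIXES)


def find_suspicious_providers(text: str) -> List[Dict[str, str]]:
    """Return layered providers / chains whose DLL is outside the system dir.

    ChainLen semantics follow WSAPROTOCOL_INFO: 1 = base provider,
    0 = layered provider, >1 = protocol chain through one or more LSPs.
    """
    flagged = []
    for entry in parse_catalog(text):
        layered = entry.get("Entry Type", "") != "Base Service Provider"
        chain_len = int(entry.get("Protocol Chain Length", "1") or "1")
        path = entry.get("Provider Path", "")
        if (layered or chain_len != 1) and not is_trusted_path(path):
            flagged.append(entry)
    return flagged


def main() -> None:
    for entry in find_suspicious_providers(SAMPLE_CATALOG):
        print(f"[!] catalog entry {entry.get('Catalog Entry ID')}: "
              f"{entry.get('Entry Type')} -> {entry.get('Provider Path')}")


if __name__ == "__main__":
    main()
```

To run it against a live system, replace `SAMPLE_CATALOG` with the captured output of `netsh winsock show catalog`. The path heuristic is deliberately conservative: legitimate third-party LSPs (some older AV and VPN products) also load from outside `system32`, so a hit is a lead to verify, not a verdict.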

While cloud-based anti-virus has its advantages, and more and more vendors adopt "Cloud AV" as part of their "cloud security" strategy, Bohu reminds us that relying on cloud AV alone is far from secure and that a multi-layered approach combining local and cloud AV is recommended.

Categories: Malware