The Microsoft Malware Protection Center has been tracking a recent threat that attacks the cloud-based antivirus technology offered by major antivirus software vendors in China. The malware is named Win32/Bohu (TrojanDropper:Win32/Bohu.A).

Bohu is native to the China region. It lures users into installing it through social engineering, for example by using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more interesting part of Bohu is that it blocks the cloud-based services now commonly featured in major Chinese antivirus products. Specifically, Bohu uses several different techniques to thwart cloud-based AV technologies.

Technique 1: Evade hash-based detection using file modifications. Bohu writes random junk data to the end of its key payload components to defeat the hash-based detection commonly used by cloud-based antivirus technologies: any appended byte changes the file's hash, so a lookup of the new hash finds no prior verdict.
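Appended junk only changes the bytes a PE loader never maps. A defensive counter, shown here as an added example that is not part of the original post or of any vendor's product, is to hash only the region the PE headers actually declare (up to the end of the last section's raw data) and to treat the remaining "overlay" length as a separate attribute. The minimal PE image below is constructed inline so the script runs offline; it is not a real executable and no field values are taken from Bohu.

```python
import hashlib
import os
import struct


def build_sample_pe() -> bytes:
    """Constructed minimal PE image: DOS header, PE file header, PE32 optional
    header, two section headers and 0x200 bytes of raw data per section.
    It parses as a PE but is not loadable; sample data for the demo only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    num_sections = 2
    size_of_optional = 0xE0                     # PE32 optional header size
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0,
                              size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional - 2)
    raw_size = 0x200
    sections = b""
    for i, name in enumerate((b".text", b".data")):
        ptr_raw = 0x200 + i * raw_size
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumber pointers and counts, Characteristics
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), raw_size,
                                0x1000 * (i + 1), raw_size, ptr_raw,
                                0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + file_header + optional + sections).ljust(0x200, b"\x00")
    body = bytes(range(256)) * 2 + bytes(reversed(range(256))) * 2   # 0x400 bytes
    return headers + body


def pe_declared_end(data: bytes) -> int:
    """Offset where the last section's raw data ends. Bytes past this point
    are overlay: present on disk, never mapped by the loader."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_of_optional          # first section header
    end = table + 40 * num_sections                   # at least the headers
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def hashes(data: bytes) -> dict:
    """Full-file hash (what a naive cloud lookup keys on) beside a hash of
    the mapped region only, plus the overlay size as its own feature."""
    end = pe_declared_end(data)
    return {
        "full_sha256": hashlib.sha256(data).hexdigest(),
        "mapped_sha256": hashlib.sha256(data[:end]).hexdigest(),
        "overlay_bytes": len(data) - end,
    }


def demo():
    original = build_sample_pe()
    # Constructed: the same image with 777 random bytes appended, the kind of
    # change that flips a whole-file hash without touching any mapped code.
    tampered = original + os.urandom(777)
    return hashes(original), hashes(tampered)


if __name__ == "__main__":
    before, after = demo()
    for k in before:
        print(f"{k:14} {before[k]}  ->  {after[k]}")
```

The mapped-region hash survives the append while the full-file hash does not, and the overlay size itself becomes reportable. This only covers junk placed after the last section; a sample that rewrites bytes inside a section needs per-section or fuzzy hashes instead, and a non-zero overlay on its own is only a hint, since legitimate installers and signed files routinely carry one.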

Technique 2: Prevent access to AV cloud servers with an SPI network filter. Bohu installs a Windows Sockets service provider interface (SPI) filter that blocks network traffic between the cloud security client and its server.
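A Winsock SPI filter has to register itself in the Winsock catalog, which Windows lists with `netsh winsock show catalog`. The script below, an added example that is not from the original post or from any vendor, parses that listing and flags entries worth a look: any layered provider, and any provider whose DLL does not live under `%SystemRoot%\system32`. The catalog text is constructed inline in the layout netsh prints; the layered provider in it (`example_lsp`, its GUID and its path) is a hypothetical placeholder, not an indicator taken from Bohu.

```python
import re
from typing import Dict, List

# Constructed sample of `netsh winsock show catalog` output: one stock
# Microsoft base provider, then a hypothetical layered provider and the
# chain entry that routes TCP/IP traffic through it.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        example_lsp
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\ProgramData\example_lsp\wsfilter.dll
Catalog Entry ID:                   1037
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        example_lsp over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\ProgramData\example_lsp\wsfilter.dll
Catalog Entry ID:                   1038
Protocol Chain Length:              2
"""


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the listing into entries and read each 'Key:  value' line."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^([A-Za-z ]+):\s+(.*?)\s*$", block, flags=re.M))
        if "Provider Path" in fields:
            entries.append(fields)
    return entries


def is_system32_path(path: str) -> bool:
    """True for the locations the stock Microsoft providers load from."""
    p = path.lower().replace("/", "\\")
    return "\\system32\\" in p and (p.startswith("%systemroot%") or p.startswith("c:\\windows"))


def suspicious_entries(catalog_text: str) -> List[Dict[str, str]]:
    """Flag layered providers and providers loaded from outside system32.
    Flagged means 'review', not 'malicious': some security and VPN products
    legitimately install layered providers."""
    flagged = []
    for entry in parse_catalog(catalog_text):
        reasons = []
        if entry.get("Entry Type", "").lower().startswith("layered"):
            reasons.append("layered provider/chain")
        if not is_system32_path(entry.get("Provider Path", "")):
            reasons.append("DLL outside system32")
        if reasons:
            flagged.append({
                "id": entry.get("Catalog Entry ID", "?"),
                "type": entry.get("Entry Type", "?"),
                "path": entry.get("Provider Path", "?"),
                "reason": "; ".join(reasons),
            })
    return flagged


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_CATALOG):
        print(f"entry {hit['id']:>5}  {hit['type']:<24} {hit['path']}  [{hit['reason']}]")
```

On a host under investigation, capture `netsh winsock show catalog` to a file and pass its contents to `suspicious_entries`; compare the flagged DLLs against known software before acting. The stock Microsoft entry is not flagged, while both the hypothetical layered provider and its chain entry are. Windows also provides `netsh winsock reset` to restore the default catalog once a rogue provider has been identified and removed.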

Technique 3: Intercept packets with an NDIS filter driver. Bohu installs a Network Driver Interface Specification (NDIS) filter driver whose purpose is to prevent the antivirus client from uploading data to the server by looking for the server addresses in the IP datagram. The driver inspects the data stream for HTTP request keywords and the cloud-server names of some of the major Chinese AV vendors, such as Kingsoft, Rising, and Qihoo. We have contacted the relevant vendors about this malware threat.

Cloud-based virus detection generally works by the client sending important threat data to the server for backend analysis and then receiving further detection and removal instructions. The process can take seconds to minutes, and is designed to remove malware not handled by the traditional on-the-box signature approach.

Bohu tries to sever the communication between the cloud client and server, and constantly modifies the file content of its components, in order to evade detection by cloud-based scanning. Bohu is part of the first wave of malware that specifically targets cloud-based antivirus technology.

Jingli Li, Zhitao Zhou
Microsoft Malware Protection Center