Trojan Bohu – The Nightmare of Cloud Antivirus System

It has been a while since cloud-based security services first appeared as a seemingly magical security solution for computer users. If I remember correctly, April 2009 was the moment when Panda Security announced the first Cloud Antivirus, then in beta, a free security product that benefits from another technology developed by Panda, Collective Intelligence. In a few words, it is a huge database built from the results of the samples analyzed by Panda Security Labs over the years, results that are accessible to all users from the cloud, automatically and almost instantly. To get an idea of the size of this database, consider that Panda has analyzed hundreds of millions of samples so far, and new samples are analyzed and classified within minutes.

In this way, the moment a new threat is identified, say a new trojan or virus variant (sometimes called zero-day malware), the signature and the disinfection or removal instructions for that new threat are automatically available to all users of the cloud antivirus, beating the update cycle of a classic antivirus.

In theory, this approach should also lead to lower consumption of computer resources (CPU and RAM), since the file analysis job is handed off to the cloud servers. You may ask: how much bandwidth does this process of submitting file data to the servers consume; it must be huge? That is not the case, because the scanned files are not submitted to the servers in full; instead, hashes of the files are submitted.

The hash of a file is like a signature or fingerprint of the file, but very small: a few dozen bytes at most (an MD5 digest is 16 bytes, a SHA-256 digest is 32 bytes), so the Internet bandwidth is not affected significantly. Note that the cloud can only answer about a hash it has already seen; a file whose hash is unknown has to be analyzed some other way, or uploaded in full for analysis.

Although the software keeps a cached file of malware signatures on the local computer, a cloud antivirus is a client-server system and benefits fully from its technology only as long as there is a working Internet connection.

All good until now, when researchers from Microsoft discovered a new trojan, the so-called Trojan Bohu, originating from China (Taiwan more precisely), which neutralizes a cloud antivirus's ability to detect new threats using several methods.

First, the trojan appends several bytes of junk to its own body, which makes hash-based detection impossible, for an obvious reason: the hash of the file has changed, so the cloud database no longer recognizes it. The appended bytes sit after the executable's real content, so the program behaves exactly as before; only its fingerprint is new. This defeats the hash lookup, but not a signature that matches on the unchanged part of the body.
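The two points above (a hash is a small fingerprint of a file, and appending junk bytes changes that fingerprint) are easiest to see in code. The following Python is an added example written for this article, not code from the original post or from any antivirus vendor; the "sample" is a constructed byte string standing in for a dropped executable, and the content signature is a hypothetical byte pattern chosen to match inside it.

```python
"""Added example: why appending junk bytes defeats a hash lookup but not a
content signature. The sample below is a constructed byte string, not real
malware, and the signature is a hypothetical pattern chosen for the demo."""
import hashlib
import os

# Constructed stand-in for a dropped executable (assumption: a PE-like blob
# with an "MZ" header and a marker string, so a signature has something to
# match on; nothing here is a real file).
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"fake-bohu-body-siglow.dll" + b"\x00" * 32

# Hypothetical content signature: a byte pattern taken from inside the body,
# the way a classic (non-hash) signature or a YARA string works.
CONTENT_SIGNATURE = b"fake-bohu-body-siglow.dll"


def file_hash(data):
    """The fingerprint a cloud client submits instead of the whole file
    (SHA-256: 32 bytes, 64 hex characters, whatever the file size)."""
    return hashlib.sha256(data).hexdigest()


def cloud_lookup(data, known_bad):
    """Hash-reputation check: only an exact digest match counts."""
    return file_hash(data) in known_bad


def signature_scan(data, signature):
    """Content check: still matches when bytes are appended after the body."""
    return signature in data


def append_junk(data, n=16):
    """Models what Bohu does: append junk bytes to the end of the file.
    Data appended after the last section of a PE is overlay and is never
    executed, so the program behaves exactly as before."""
    return data + os.urandom(n)


def compare(original, variant):
    """Run both detection methods on the original and on the padded variant."""
    known_bad = {file_hash(original)}  # the cloud already classified the original
    return {
        "hash_hit_original": cloud_lookup(original, known_bad),
        "hash_hit_variant": cloud_lookup(variant, known_bad),
        "sig_hit_original": signature_scan(original, CONTENT_SIGNATURE),
        "sig_hit_variant": signature_scan(variant, CONTENT_SIGNATURE),
    }


if __name__ == "__main__":
    variant = append_junk(ORIGINAL_SAMPLE)
    print("original :", file_hash(ORIGINAL_SAMPLE))
    print("variant  :", file_hash(variant))
    for name, hit in compare(ORIGINAL_SAMPLE, variant).items():
        print(f"{name}: {hit}")
```

Running it shows two different 64-character digests for the two files, a hash hit only on the original, and a signature hit on both, which is exactly the gap the trojan exploits: a reputation service keyed on the whole-file hash is blind to a one-byte change, while a signature on the unchanged body is not.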

Second, the Bohu trojan installs a Network Driver Interface Specification (NDIS) driver and a Winsock Service Provider Interface (SPI) filter to monitor and filter network traffic. When a connection attempt to an IP address or domain known to be used by the cloud antivirus is detected, the HTTP requests to that address are blocked. Separately, the upload of suspicious files to the antivirus cloud servers is blocked: the trojan looks for certain keywords in the HTTP requests, and if a keyword is found, the subsequent communication with that server is suppressed. The cloud antivirus is unable to reach its "cloud knowledge", and as a consequence the end users are no longer protected against the newest threats. From the user's point of view nothing looks wrong: the client simply gets no answer from the cloud, and a client that treats "no answer" as "nothing known" waves an unknown file through without any warning. This trojan could be the start of a nightmare for cloud antivirus developers and a big threat to the technology itself, because it highlights the weakness of this security model.

Granted, the same methods can also prevent a classic antivirus from updating itself, but for a cloud antivirus the connection to the servers is of the utmost importance: it is the heart of the technology.
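To make the keyword-triggered blocking concrete, and to show why the cloud connection matters so much for the client, here is an added Python simulation written for this article; it is not Bohu's code, not any vendor's client, and the hostname, URL path and keyword list are assumptions made for the demo. One class plays the trojan's filter (drop a request that contains a keyword, then drop everything else to that host), a small function plays the vendor's lookup server, and two client functions differ only in what they do when the cloud goes silent.

```python
"""Added example: a keyword-triggered request filter like the one described
above, and a cloud AV client that fails open versus one that fails closed.
All hostnames, paths, keywords and digests are constructed for the demo."""

CLOUD_HOST = "cloud.example-av.invalid"          # assumption: vendor lookup server
BLOCKED_KEYWORDS = (b"/query?hash=", b"/upload")  # assumption: strings the filter matches
BAD_HASH = "0" * 63 + "1"                         # constructed digest, not a real sample


class KeywordFilter:
    """Models the trojan's SPI/NDIS filter: inspect each outgoing HTTP
    request; the first time a blocked keyword is seen for a host, drop it
    and every later request to that host. Other traffic passes untouched."""

    def __init__(self, upstream, keywords):
        self.upstream = upstream        # callable(host, request_bytes) -> reply_bytes
        self.keywords = keywords
        self.suppressed = set()         # hosts whose traffic is now dropped
        self.dropped = 0

    def send(self, host, request):
        if host in self.suppressed or any(k in request for k in self.keywords):
            self.suppressed.add(host)
            self.dropped += 1
            raise TimeoutError("request silently dropped")  # the victim only sees a timeout
        return self.upstream(host, request)


class PassThrough:
    """A clean network path, for comparison."""

    def __init__(self, upstream):
        self.upstream = upstream

    def send(self, host, request):
        return self.upstream(host, request)


def cloud_backend(host, request):
    """Stand-in for the vendor server: answers GET /query?hash=<hex>."""
    if host != CLOUD_HOST:
        return b"HTTP/1.1 404 Not Found"
    first_line = request.split(b"\r\n", 1)[0]
    if b"/query?hash=" in first_line:
        digest = first_line.split(b"/query?hash=", 1)[1].split(b" ", 1)[0].decode()
        return b"malicious" if digest == BAD_HASH else b"clean"
    return b"HTTP/1.1 400 Bad Request"


def lookup_request(digest):
    """The request a cloud client sends: just the file's digest, not the file."""
    return (b"GET /query?hash=" + digest.encode() + b" HTTP/1.1\r\n"
            b"Host: " + CLOUD_HOST.encode() + b"\r\n\r\n")


def naive_verdict(net, digest):
    """Fail-open client: no answer from the cloud is treated as 'clean'."""
    try:
        return net.send(CLOUD_HOST, lookup_request(digest)).decode()
    except TimeoutError:
        return "clean"


def fail_closed_verdict(net, digest):
    """Client that reports the lost cloud connection instead of guessing."""
    try:
        return net.send(CLOUD_HOST, lookup_request(digest)).decode()
    except TimeoutError:
        return "unknown: cloud unreachable"


if __name__ == "__main__":
    clean_net = PassThrough(cloud_backend)
    infected_net = KeywordFilter(cloud_backend, BLOCKED_KEYWORDS)
    print("clean network, naive client      :", naive_verdict(clean_net, BAD_HASH))
    print("infected network, naive client   :", naive_verdict(infected_net, BAD_HASH))
    print("infected network, fail-closed    :", fail_closed_verdict(infected_net, BAD_HASH))
    print("requests dropped by the filter   :", infected_net.dropped)
```

On the clean path both clients get "malicious" for the known-bad digest. Behind the filter the first lookup trips the keyword and every later request to the vendor host is dropped, so the naive client reports the same file as "clean", while the fail-closed client at least tells the user that the cloud is unreachable, which is the signal a vendor's client should raise (and a user should notice) when this kind of blocking is in place. Traffic to any other host still flows, which is why the victim's browsing looks normal.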

The Bohu trojan is presented to the intended victim as a high-definition video player or video codec (fake, of course), tricking the user into installing it on the computer, so social engineering is the infection method.

During installation, several files with semi-random names and an .xml extension, together with an executable file, are dropped into the %Program Files%\Baidu folder. Using these files, a new executable with a random name is generated, which is the actual body of the Bohu trojan.

For example, Rising AV detects it as:

Dropper.Win32.Bobohu.a

Kaspersky AV as:

Trojan-Dropper.Win32.NSIS.tw

and Microsoft as:

Trojan:Win32/Bohu.A!Installer

to name only a few of its given names.

This newly created trojan will drop other malware files, which are actually its components:

  • siglow.dll
  • siglow.sys
  • newnetgar.dll
  • spass.dll
  • dsetup.exe

… and adds a registry entry with a random name and value so that it runs at computer start-up:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random name>

So far, only three antivirus vendors are targeted: Kingsoft, Rising and Qihoo, all from China.

Meanwhile, they have solved the problem by providing signatures and tools to neutralize this trojan, but the problem is conceptual and can be summarized in a few words: there is no 100% reliable way to protect a computer once it goes online; an up-to-date antivirus, an up-to-date system and common sense are the things that can protect us. Perhaps the last is the most important, because common sense tells us not to install any software on the computer without knowing its origin and reputation.