
A recent blog entry from the Microsoft Malware Protection Center describes a new piece of malware, Win32/Bohu.A, which is specifically designed to disable and mislead cloud-based antivirus software. Cloud-based antivirus software differs from traditional antivirus software in that the antivirus client (running on the PC) sends important threat data to a server for backend analysis, and subsequently receives further detection and removal instructions.

The Bohu Trojan originates in China, where cloud-based antivirus software is predominantly used. Once a Windows-based machine is infected, the malware installs different network-level filters to disrupt and block the antivirus client's access to the backend antivirus services on the Internet. As well as writing random data at the end of its key payload components to avoid hash-based detection, Bohu also installs a Windows Sockets service provider interface (SPI) filter to block the antivirus network traffic, as well as a Network Driver Interface Specification (NDIS) filter. The NDIS filter then stops the antivirus client from uploading data to the server by looking for the server addresses in the data packets.
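The following sketch is an added illustration, not code from the article or from Microsoft's analysis. It shows why random bytes appended to a file change its whole-file hash, and how a defender can hash only the bytes accounted for by the PE section table so the appended tail is ignored. The function names and the minimal sample file are constructed for this example, and hashing up to the end of the last section is an assumed normalization, not a description of any particular product.

```python
import hashlib
import os
import struct

def overlay_offset(data: bytes) -> int:
    """Return the file offset where data beyond the last PE section begins."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                           # section table
    end = table + 40 * n_sections                            # end of headers
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def full_hash(data: bytes) -> str:
    """Whole-file SHA-256, the kind of hash a random tail defeats."""
    return hashlib.sha256(data).hexdigest()

def image_hash(data: bytes) -> str:
    """Hash only the bytes the PE headers account for, ignoring the overlay."""
    return hashlib.sha256(data[:overlay_offset(data)]).hexdigest()

def build_sample_pe(body: bytes) -> bytes:
    """Constructed minimal PE-shaped file: one section, no optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    section = struct.pack("<8sIIII16x", b".text", len(body), 0x1000, len(body), 128)
    return dos + b"PE\0\0" + coff + section + body

if __name__ == "__main__":
    base = build_sample_pe(b"\x90" * 64)
    for n in (0, 16, 300):
        sample = base + os.urandom(n)   # random tail, as the article describes
        # columns: tail length, detected overlay size, full hash, image hash
        print(n, len(sample) - overlay_offset(sample),
              full_hash(sample)[:16], image_hash(sample)[:16])
```

Legitimate files also carry overlay data (Authenticode signatures and installer payloads, for example), so the overlay size is a normalization aid and a triage signal rather than a verdict on its own.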




Copyright © 2015. GPRS TRICKS - All Rights Reserved
Blog by Gprs9