The Bohu family of Trojans has recently earned some media attention. It's a common malware family that is prevalent in the Chinese-speaking part of the world, as can be seen in the spread of one variant, TROJ_FKEPLAYR.CH:

Recently, however, we’ve seen the Bohu family packaged with another malware family: the Goriadu family, which is used to hijack network traffic. In this particular attack, Goriadu malware was used to block the network traffic related to the in-the-cloud features of certain antivirus products.
TROJ_FKEPLAYR.CH drops a package which contains several malicious files. These are detected as TROJ_GORIADU.SMC, TROJ_GORIADU.SMM, and TROJ_GORIADU.SMX.
TROJ_GORIADU.SMM is the component responsible for hijacking the affected system’s network traffic. The targeted applications appear to be popular Chinese antivirus solutions. Trend Micro products and URLs are not on the list of targeted products and URLs.
In the past, many malware variants have blocked URLs related to antivirus companies. However, they usually did so fairly indiscriminately, blocking the entire domains of companies (e.g., for Trend Micro, the entire trendmicro.com domain would be blocked). Blocking on that scale was fairly easy to detect.
Instead, TROJ_GORIADU.SMM’s blocking specifically targets “in the cloud” functionality by blocking only the servers used for these services. It does this by blocking very specific URLs, such that one could access the websites of the targeted products yet their “cloud” features would not work.
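To illustrate the distinction drawn above from a detection standpoint, the following Python is an added example, not code from the original post or from Trend Micro: it classifies a constructed list of block rules into whole-domain blocks and endpoint-specific blocks, and flags vendors whose website stays reachable while only their cloud endpoints are cut off. Vendor names are hypothetical, and the base-domain logic assumes two-label registrable domains rather than a public-suffix list.

```python
from urllib.parse import urlparse

# Constructed sample of block rules in the two styles the post contrasts: a bare
# hostname blocks a whole domain (the old, easy-to-spot style), while a full URL
# blocks only one cloud-service endpoint. Vendor names are hypothetical placeholders.
SAMPLE_RULES = [
    "example-av.test",                               # whole-domain block
    "http://cloud.example-av.test/query/file",       # URL-specific block (same vendor)
    "http://update.other-av.test/cloudscan.php",     # URL-specific block only
    "http://cloud.other-av.test/reputation/lookup",  # URL-specific block only
]

def base_domain(host):
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def classify_rule(rule):
    """Return ('domain', base, None) or ('url', base, (host, path))."""
    rule = rule.strip()
    if "://" not in rule:
        return ("domain", base_domain(rule), None)
    parsed = urlparse(rule)
    host = (parsed.hostname or "").lower()
    return ("url", base_domain(host), (host, parsed.path or "/"))

def summarize_blocks(rules):
    """Group rules by vendor domain and record whether the whole domain is blocked."""
    summary = {}
    for rule in rules:
        kind, base, target = classify_rule(rule)
        entry = summary.setdefault(base, {"whole_domain": False, "blocked_urls": []})
        if kind == "domain":
            entry["whole_domain"] = True
        else:
            entry["blocked_urls"].append(target)
    return summary

def selective_domains(rules):
    """Vendor domains whose site stays reachable while only specific endpoints are
    blocked: the pattern that leaves the website working but silently breaks cloud features."""
    summary = summarize_blocks(rules)
    return sorted(base for base, e in summary.items()
                  if not e["whole_domain"] and e["blocked_urls"])

if __name__ == "__main__":
    for base, entry in summarize_blocks(SAMPLE_RULES).items():
        print(base, entry)
    print("selective:", selective_domains(SAMPLE_RULES))
```

A whole-domain entry is what a simple hosts-file or proxy audit catches; the selective list is what needs an endpoint-level reachability check against each product's cloud service URLs.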
Trend Micro researchers are digging deeper into this issue. These particular behaviors meant to evade detection (appending of garbage code and blocking access to antivirus sites and related services) are definitely not unheard of but they do highlight the importance of protecting computers at all possible levels, such as the URL and file level.
Special thanks to Jamz Yaneza, Patrick Estavillo, Edgardo Diaz, Jr., Jasper Manuel and King Viray for contributing to this post.
Post from: TrendLabs | Malware Blog – by Trend Micro
Malware Targets Security Software in China and Taiwan
Posted on 22 January 2011. Tags: China, Malware, Security, Software, Taiwan, Targets