NEWS FROM THE LAB - Friday, January 28, 2011

Securing Cloud-Based Security Posted by Mika @ 14:07 GMT

Cloud-based antivirus solutions work. We know this because virus writers are trying to fight back.

There have been articles [1] [2] written lately about Backdoor:W32/Bohu.A. Bohu has raised interest as it incorporates two different techniques for evading detection:

  1.  Appending garbage data to the end of a file
  2.  Preventing access to av vendor servers

These are not new techniques. It's true that if a system is already infected with Bohu, access to servers of several antivirus vendors is blocked. This is a problem, but it is not a problem to cloud-based solutions only. Exactly the same attack has been seen over and over again to try to prevent traditional antivirus from getting updates.

We've done a lot of work in creating technology that allows us to stay connected to our clients, even if malware tries aggressively to prevent it.

Image: Screenshot of the media player Backdoor:W32/Bohu.A installs as a decoy.

Writing random garbage to the end of the file does change the full file hash and hence it will evade detection that is based on full file hashes. That does not mean that cloud-based security does not work, though. It means that modern security products should not be based only on full file hashes.

Actually, this kind of an evasion mechanism can be turned against the malware. As an example, F-Secure DeepGuard 3 is based on reputation of applications and other objects. If DeepGuard detects an object that is very uncommon it will be tagged as "suspicious". So, basically DeepGuard detects files that have random garbage appended to the end since that is what they are — garbage.

The arms race between security products and bad guys continues.