Kama Sutra PowerPoint named as one of the top threats of the last three months, as new warnings are issued about malware that bypasses cloud-based anti-virus

News by Dan Raywood

The Kama Sutra virus has been named as one of the largest threats of recent months.

In Cyberoam's internet threats trend report for Q4 2010, the Trojan downloader associated with the Kama Sutra presentation titillated recipients into opening what appeared to be a PowerPoint presentation of sexual positions, but left their PCs infected with malicious code that opened a backdoor for further malware.

Abhilash Sonwane, VP of product management at Cyberoam, said: “It is one of the most dangerous attacks in recent times because once the virus infects your computer, it can be very difficult to remove it. Hackers would then be able to access all your personal files, execute any number of unwanted tasks and spy on your online activities.

“Our advice is to be careful about what you click and do not download any file from unreliable sources. Also, keep your anti-virus program up-to-date and enabled in real-time protection mode.”

Graham Cluley, senior technology consultant at Sophos, warned of the threat last week, claiming that many hearts would race at the sight of a file called Real kamasutra.pps.exe (a double extension: with Windows' default setting of hiding known file extensions, the name displays as Real kamasutra.pps, but the file is an executable). He said that the PowerPoint slide deck (which ironically is itself 'clean' from the malware point of view) is dropped onto your Windows PC as a decoy while malware silently installs onto your computer as AdobeUpdater.exe, alongside some other components (called jqa.exe and acrobat.exe).

“Because of this, when you click on the file you do get to see a real PowerPoint presentation, but in the background a backdoor Trojan called Troj/Bckdr-RFM is installed which allows hackers to gain remote access to your computer,” he said.

“Once they have broken into your computer, they can use it to relay spam around the world, steal your identity, spy on your activities, install revenue-generating adware or launch denial-of-service attacks.”

Fresh warnings have also been issued about a new type of malware called Bohu that attacks cloud-based anti-virus solutions in China. The Microsoft Malware Protection Center (MMPC) said that it has been tracking this threat, which it has named Win32/Bohu.

Jingli Li and Zhitao Zhou from the MMPC said that Bohu is native to the China region and relies on social engineering to get users to install it, but that the more interesting part is that the malware blocks the cloud-based services now commonly featured in major Chinese anti-virus products.

They said that Bohu uses three main techniques to bypass cloud-based anti-virus: it writes random junk data to the end of its key payload components, so that each copy has a different file hash and evades the hash-based lookups commonly used by cloud-based anti-virus technologies (the appended bytes sit outside what the loader executes, so the payload still runs); it installs a Windows Sockets (Winsock) service provider interface (SPI) filter, i.e. a layered service provider, that blocks network traffic between the cloud security client and its server at the socket layer; and it installs a Network Driver Interface Specification (NDIS) filter driver that prevents the anti-virus client from uploading data by inspecting the destination address in each outbound IP datagram and dropping packets addressed to the server.
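The following is an added illustration, not code from the MMPC write-up or from Bohu itself, of two of those techniques and what a defender can check against them. A constructed mini executable format (a magic, a declared image length, then the image) stands in for a PE file: appending random bytes changes the whole-file hash but not a hash taken over only the bytes the header declares, which is the normalization a cloud lookup needs. The second half parses a minimal IPv4 header and makes the drop decision an NDIS-style filter would make; the server address 203.0.113.10 and all sample data are constructed for the example.

```python
import hashlib
import os
import socket
import struct

# --- 1. Hash-based detection versus the junk-append trick -------------------
# Constructed stand-in for an executable: 4-byte magic, 4-byte little-endian
# declared image length, then the image. Real PE loaders likewise map only
# what the headers describe and ignore trailing "overlay" bytes, which is why
# random data can be appended without breaking the payload.
MAGIC = b"DEMO"
HEADER_LEN = 8


def build_image(body: bytes) -> bytes:
    return MAGIC + struct.pack("<I", len(body)) + body


def declared_length(blob: bytes) -> int:
    if blob[:4] != MAGIC or len(blob) < HEADER_LEN:
        raise ValueError("not a DEMO image")
    (n,) = struct.unpack("<I", blob[4:HEADER_LEN])
    if n > len(blob) - HEADER_LEN:
        raise ValueError("declared length exceeds file size")
    return n


def append_junk(blob: bytes, n: int = 64) -> bytes:
    """Bohu-style mutation: random overlay bytes change the whole-file hash."""
    return blob + os.urandom(n)


def whole_file_sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def normalized_sha256(blob: bytes) -> str:
    """Hash only the bytes the header claims; any overlay is ignored."""
    return hashlib.sha256(blob[:HEADER_LEN + declared_length(blob)]).hexdigest()


def cloud_verdict(blocklist: set, blob: bytes) -> str:
    """Toy cloud lookup keyed on the normalized hash rather than the raw one."""
    return "malicious" if normalized_sha256(blob) in blocklist else "unknown"


# --- 2. NDIS-style filter: drop datagrams addressed to the cloud server -----
def make_ipv4_datagram(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def ipv4_dst(datagram: bytes) -> str:
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    return socket.inet_ntoa(datagram[16:20])


def filter_drops(datagram: bytes, blocked_servers: set) -> bool:
    """The malware's decision: True means the upload never leaves the host."""
    return ipv4_dst(datagram) in blocked_servers


def demo() -> dict:
    payload = build_image(b"\x90" * 32 + b"payload-v1")     # constructed sample
    mutated = append_junk(payload)
    blocklist = {normalized_sha256(payload)}                 # known-bad entry
    report = make_ipv4_datagram("192.0.2.7", "203.0.113.10", b"threat-report")
    return {
        "whole_hash_changed": whole_file_sha256(payload) != whole_file_sha256(mutated),
        "normalized_hash_same": normalized_sha256(payload) == normalized_sha256(mutated),
        "verdict_after_mutation": cloud_verdict(blocklist, mutated),
        "report_dropped": filter_drops(report, {"203.0.113.10"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats follow from the code. Normalizing the hash only helps if the mutation stays in the overlay; a sample that rewrites bytes inside the mapped image defeats it, which is why cloud engines also use per-section or fuzzy hashes. And a packet filter sitting below the anti-virus client in the stack is invisible to that client, so a client that never hears back from its server cannot tell a network outage from a deliberate block unless it fails closed or verifies reachability through another path.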

Li and Zhou said: “Cloud-based virus detection generally works by the client sending important threat data to the server for backend analysis and subsequently acquiring further detection and removal instruction. The process can take seconds to minutes, and is designed to remove malware not handled by the traditional on-the-box signature approach.

“Bohu tries to sever the communication between cloud client and server, and constantly modify file content of its components, in order to evade detection from cloud-based scanning. Bohu is part of the first wave of malware that specifically targets cloud-based anti-virus technology.”

Alan Bentley, SVP international at Lumension, said: “Bohu is not just another piece of malware. It is the first designed to target anti-virus technology that is protecting the cloud. Add to that the fact that it is native to China and we are seeing yet another new wave of targeted cyber attacks.

“The security of information in the cloud has had a question mark over it for some time. This attack will only serve to fuel further concerns regarding the safety of storing information virtually.”
