Mylobot: The malware you would not want to pass on to your computer

In 2017, security researchers discovered about 23,000 new malware samples every day, that is, 795 an hour.

If that number seems high, keep in mind that the majority of these samples were variants of a few malware families: they were slightly modified, and each modification produced a "new" signature.

From time to time, however, genuinely new malware appears on the scene. Mylobot is one such example: it is new, extremely sophisticated and very dynamic.

What is Mylobot?

Mylobot is a type of malware. It was first spotted by Tom Nipravsky, a security researcher at Deep Instinct, who stated that "the combination and complexity of the techniques it contains were never known before".

In fact, the new malicious program bundles very sophisticated infection and evasion techniques into a single package. Take a look:

Anti-virtual machine (anti-VM) techniques: the malware checks its local environment for signs of a virtual machine and does not run if it finds one.
Anti-sandbox techniques: very similar to the anti-VM techniques.
Anti-debugging techniques: aimed at security researchers trying to see what the malware code contains.
Use of encryption on the important parts of the code: for further protection of the malware's code.
Code injection techniques: Mylobot runs custom code that attacks systems by adding its code to system processes.
Hiding techniques: the attacker creates a new process in a suspended state and then replaces its contents with the code he wants to hide.
Reflective EXE: EXE files run from memory, not from disk.
Delay mechanism: the malware remains inactive for 14 days before it starts connecting to its command and control servers.

The sandboxing, debugging and virtual-machine analysis methods normally used to stop malware do not seem to be able to stop Mylobot. The reflective EXE technique, which runs the executable from memory, makes Mylobot virtually invisible, as there is no direct disk activity for an antivirus or antimalware product to detect.

According to Nipravsky, speaking to Threatpost:

The structure of the code itself is very complex (it is a multi-threaded malware where each thread is responsible for implementing different).

And:

The malware contains three layers of files, nested within one another, each layer being responsible for running the next one. The last layer uses the reflective EXE technique.

By staying clear of analysis and detection techniques, Mylobot can wait up to 14 days before trying to communicate with its command and control servers. Once Mylobot connects, the botnet disables Windows Defender, Windows Update and the Windows Firewall.

One of Mylobot's most interesting and rare features is its search-and-destroy behaviour.

Unlike other malware, once installed, Mylobot eliminates any other malware already present on the target system. It scans the system for other malicious software and, when it finds such a process, shuts it down.

Nipravsky believes this feature was added to shut out ransomware-as-a-service and other malicious pay-to-play offerings that anyone on the internet can hire.

Attackers compete with each other to control as many zombie computers as possible, which increases the value of their botnet when it is rented out to other attackers.

What exactly does Mylobot do?

Mylobot's main function is to hand control of the system to the attacker. From there, the attacker can access online credentials, system files, and more.

Mylobot has many connections to other botnets, such as DorkBot, Ramdo and the notorious Locky network. If Mylobot acts as a conduit for all these other botnets, the victim of this malware will not fare well.

How can you stay safe from Mylobot?

The bad news for the moment: Mylobot is believed to have been infecting systems for over two years. The command and control servers it uses first went into operation in November 2015.

Thus, Mylobot seems to have evaded researchers and security firms for quite some time before it was discovered by Deep Instinct.

Unfortunately, today's antivirus tools cannot detect Mylobot, at least for now.

But now that a sample of Mylobot exists, security firms will be able to derive a signature from it and use it for detection in the future.

iGuRu.gr
Written by giorgos