What is Mylobot and how does this malware work?

In 2017, security researchers discovered about 23,000 malware samples per day, i.e. about 795 new samples every hour. Recently a new and very sophisticated piece of malware called Mylobot has appeared.

In 2017, security researchers discovered about 23,000 malware samples per day, i.e. about 795 samples generated every hour. That may sound horrible, but in fact most of these samples are variants of existing malware that merely use different code to produce a 'new' signature. Recently, however, a genuinely new and very sophisticated piece of malware called Mylobot has appeared.

What is Mylobot?

Mylobot is botnet malware that packs a large amount of malicious functionality. Tom Nipravsky, a security researcher at Deep Instinct, was the first to discover this malware.


This malicious software combines a series of complex infection and obfuscation techniques in a single, powerful package. The techniques used in Mylobot are:

  1. Anti-virtual machine (VM) technique: the malware inspects its environment for signs that it is running inside a virtual machine. If it finds any such indication, it does not run.
  2. Anti-sandbox technique: very similar to the anti-VM technique, but aimed at automated analysis sandboxes.
  3. Anti-debugging technique: prevents security researchers from working effectively on the sample by changing its behaviour when a debugger is attached.
  4. Packing the internal parts in an encrypted resource file: protects the malware's internal code with encryption.
  5. Code injection: Mylobot injects its own code into other processes in order to gain their access rights and interfere with their normal operation.
  6. Process hollowing: the malware creates a new process in a suspended state, then replaces its contents with its own hidden code.
  7. Reflective EXE technique: runs an EXE file directly from memory instead of from disk.
  8. Delay mechanism: the malware waits 14 days before connecting to its command and control (C&C) server.

Mylobot uses many techniques to hide itself.

The anti-sandbox, anti-debugging and anti-virtual machine techniques try to keep the malware from being detected when it is scanned by anti-malware software, and also prevent researchers from isolating the malware in a virtual machine or sandbox on their own computer for analysis and research.

Mylobot uses the Reflective EXE technique to make detection even harder: because the executable never touches the disk, file-based anti-virus or anti-malware software has nothing to analyze.

Nipravsky wrote in a post: 'Its code structure is very complex; this is multithreaded malware, and each thread is responsible for implementing a different malware capability.' He also mentioned: 'This malware contains three file layers, which are nested, in which each layer is responsible for executing the next part. The last layer uses the Reflective EXE technique.'

Along with its anti-analysis and anti-detection techniques, Mylobot can wait 14 days before contacting its command and control (C&C) server. Once Mylobot makes the connection, the bot turns off Windows Defender and Windows Update and closes some Windows Firewall ports.
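The three post-connection actions described above (Defender off, Windows Update off, firewall changed) are a useful detection signal when they appear on one host within a short window. The script below is an added example, not code from the article or from Deep Instinct; the event log lines are constructed, and the Windows event IDs and message texts it keys on are assumptions for this illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows event records (JSON, one per line). The event IDs
# follow the commonly documented Microsoft ones but are an assumption for this
# example: 5001 = Defender real-time protection disabled,
# 7040 = a service start type changed (here wuauserv, Windows Update),
# 4946/4947/4948 = a Windows Firewall rule was added/modified/deleted.
SAMPLE_EVENTS = """\
{"host":"ws-042","ts":"2018-06-20T09:14:02","channel":"Microsoft-Windows-Windows Defender/Operational","id":5001,"msg":"Real-time protection is disabled."}
{"host":"ws-042","ts":"2018-06-20T09:14:05","channel":"System","id":7040,"msg":"The start type of the wuauserv service was changed from auto start to disabled"}
{"host":"ws-042","ts":"2018-06-20T09:14:09","channel":"Security","id":4947,"msg":"A change has been made to Windows Firewall exception list. A rule was modified."}
{"host":"ws-017","ts":"2018-06-20T11:02:33","channel":"System","id":7040,"msg":"The start type of the wuauserv service was changed from auto start to manual"}
{"host":"ws-099","ts":"2018-06-21T16:40:10","channel":"Microsoft-Windows-Windows Defender/Operational","id":5001,"msg":"Real-time protection is disabled."}
"""

WINDOW = timedelta(minutes=10)   # all three steps must fall inside this window

def classify(ev):
    """Map one event to the Mylobot post-connection step it matches, or None."""
    if ev["id"] == 5001:
        return "defender_off"
    if ev["id"] == 7040 and "wuauserv" in ev["msg"] and "to disabled" in ev["msg"]:
        return "update_off"
    if ev["id"] in (4946, 4947, 4948):
        return "firewall_change"
    return None

def find_suspicious_hosts(raw, window=WINDOW):
    """Return hosts on which all three steps occur within `window` of each other."""
    steps = defaultdict(list)          # host -> [(timestamp, step)]
    for line in raw.splitlines():
        ev = json.loads(line)
        step = classify(ev)
        if step:
            steps[ev["host"]].append((datetime.fromisoformat(ev["ts"]), step))
    hits = []
    for host, events in steps.items():
        events.sort()                  # chronological order per host
        for i, (t0, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - t0 <= window}
            if {"defender_off", "update_off", "firewall_change"} <= seen:
                hits.append(host)
                break
    return hits

if __name__ == "__main__":
    print(find_suspicious_hosts(SAMPLE_EVENTS))   # ['ws-042']
```

A single one of these events is routine administration; only the combination on one host within minutes is worth an alert, which is why ws-017 and ws-099 are not flagged.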

Mylobot searches and kills other types of malware

One of the interesting and rare features of Mylobot is its ability to search for and destroy other malware. Unlike most malicious software, Mylobot deliberately removes competing malware if it is present on the system. It scans the system's Application Data folder for files and folders belonging to common malware families, and if it finds a matching file or process, Mylobot 'kills' it.

So what exactly does Mylobot do?

The main function of Mylobot is to take control of the system, giving the attacker access to online login credentials, the file system and so on. The level of damage depends on what the attacker does with the system, and it can be very great, especially when Mylobot penetrates a corporate environment.

Mylobot also has links to other botnets, including the 'infamous' DorkBot, Ramdo and Locky networks. If Mylobot acts as a 'conduit' for other botnets and malware, the result is a true disaster.

How to fight Mylobot

The bad news is that Mylobot has been infecting systems for more than two years. Its command and control server was first seen in November 2015, and Mylobot eluded every other researcher and security company for a long time before being uncovered by Deep Instinct's deep learning tool.

Common anti-virus and anti-malware tools have not been able to stop Mylobot, at least until now. Now that a sample of Mylobot is available, many researchers and security companies can use it to find ways to combat this malware.

In the meantime, you should review your list of computer antivirus and security tools. Although these tools cannot destroy Mylobot, they can still block other malware. You can also refer to the article on removing malware from a Windows 10 computer.
