Malware is a huge problem for computer users today as the threat posed by malicious software continues to increase.
Basically, botnet does many things such as DDoS attacks, steal data, and even installation ransomware based on the payload. Malware authors employed various advanced techniques to evade detection and prevent itself from Antivirus software.
According to an analysis posted on Tuesday by Tom Nipravsky, a security researcher for Deep Instinct, Mylobot’s bag of tricks is bursting at the seams. These include anti-VM, anti-sandbox and anti-debugging techniques; wrapping internal parts with an encrypted resource file; code injection; process hollowing (where an attacker creates a new process in a suspended state, and replaces its image with the one that is to be hidden); reflective EXE, which involves executing EXE files directly from memory, without having them on disk; and, it also has a delaying mechanism of 14 days before accessing its C&C servers.
“The structure of the code itself is very complex – it’s a multi-threaded malware where each thread is in charge of implementing different capability of the malware,” Nipravsky told Threatpost in an email interview. “The malware contains three layers of files, nested on each other, where each layer is in charge of executing the next one. The last layer is using [the Reflective EXE] technique.”
One of the things Mylobot does is to terminate and delete instances of other malware on infected machines. It searches for specific folders that other botnets use and deletes them. Deep Instinct believes Mylobot deletes other malware to infect more computers and make more money for the person or persons operating the botnet.
