The recently discovered Mylobot aggregates 9 sophisticated features, highlighting how advanced malware is becoming. Stealth capabilities make it difficult for security tools to detect and protection aspects preserve its functionality over time.
This combination of Mylobot features will likely appear more often in emerging malware:
- Anti-sandboxing features to thwart anti-virus defenses that isolates suspicious software
- Anti-debugging design to resist security researchers from them dissecting the malware and figuring out how it works and where it came from
- Encrypted files to keep details hidden from anti-malware tools, victims, and security researchers
- Reflective EXE, allows files to be directly run from memory, alleviating the need to store them on drives (where they could be detected)
- A delay mechanism which waits for two weeks before making contact with the attacker’s command and control servers
- Deactivates Windows Defender and Windows Update to protect from eviction and new patches
- Modifies access to firewall ports to maintain Internet connectivity
- Actively targets and deletes other installed malware to avoid competition and conflicts
- Designed to provide complete control of the system to the attacker, allowing deployment of other payloads in the future and exfiltration of sensitive data
We have seen all these capabilities in the past, but when they are woven together it becomes much more difficult to detect and eradicate infections. Expect these to become part of the basic feature set for the majority of next-generation malware packages. The battle of innovation between the attackers and defenders never ceases.