Is your Microsoft antivirus protection infecting your computer? New Mylobot variant discovered
April 2019 by SAM Seamless Network
SAM Seamless Network discovered a variant of the dangerous malware Mylobot, which was first discovered in June 2018. SAM found new variants of the malware that disable Windows Defender and have managed to infect PCs running Windows in over 178 countries.
The dangers of this new variant are the same as those of the original Mylobot malware: it spreads quickly and can be installed remotely onto computers running Windows. It disables Windows Defender, which is what opened the computers up to future attacks and to the weaknesses of this variant in the first place. The purpose of the malware is command and control of infected devices; it gives the operators the ability to add payloads for other purposes such as banking Trojans, keyloggers and DDoS.
SAM was able to detect the variant as its platform protects and receives data directly from the router. Unlike other solutions that discover attacks on the end-point devices, SAM’s technology receives data from the router itself, and therefore is able to get a broad view of all the devices infected.
SAM registered one of the domains that the malware was using (it was using 1,500 hard-coded random domains, most of which were not registered). This gave SAM insight into the scale of the operation: SAM received DNS requests from over 50,000 unique IPs. Through SAM’s device catalog the company identified the devices that sent the DNS requests for those domains and determined that they were all PCs running Windows.
Through SAM’s heatmap, the company was able to identify the top 10 countries affected by this malware, which include Russia, Vietnam, Indonesia, India, Turkey, Argentina, Venezuela, Iran, Thailand and Kazakhstan.
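The measurement described above (registering one of the hard-coded domains, then counting the unique client IPs that resolve it and ranking them by country) can be reproduced from ordinary DNS query logs. The following is an added illustration, not SAM’s code; the sinkholed domain name, the log format and the country lookup are all constructed placeholders.

```python
"""Toy sinkhole analysis: which clients queried a sinkholed domain, grouped by country."""
from collections import Counter
from ipaddress import ip_address

# Assumption: a placeholder name standing in for a registered (sinkholed) C2 domain.
SINKHOLE_DOMAINS = {"sinkhole-example.invalid"}

# Constructed sample log lines in the form "<timestamp> <client_ip> <qname> <qtype>".
# The last line is deliberately malformed to show that bad records are skipped.
SAMPLE_LOG = """\
2019-04-01T10:00:01Z 203.0.113.5 sinkhole-example.invalid A
2019-04-01T10:00:02Z 203.0.113.5 sinkhole-example.invalid A
2019-04-01T10:00:03Z 198.51.100.7 sinkhole-example.invalid. A
2019-04-01T10:00:04Z 198.51.100.7 www.example.com A
2019-04-01T10:00:05Z 192.0.2.9 SINKHOLE-EXAMPLE.INVALID AAAA
2019-04-01T10:00:06Z not-an-ip sinkhole-example.invalid A
"""

# Constructed lookup standing in for a real GeoIP database.
GEO = {"203.0.113.5": "RU", "198.51.100.7": "VN", "192.0.2.9": "RU"}


def parse_line(line):
    """Return (client_ip, normalised_qname) or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, ip, qname, _qtype = parts
    try:
        ip_address(ip)  # reject garbage in the client field
    except ValueError:
        return None
    # Trailing dot and case differences must not split one domain into several.
    return ip, qname.rstrip(".").lower()


def sinkhole_clients(log_text, sinkhole_domains=SINKHOLE_DOMAINS):
    """Unique client IPs that queried any sinkholed domain (repeat queries collapse)."""
    clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] in sinkhole_domains:
            clients.add(rec[0])
    return clients


def top_countries(clients, geo=GEO, n=10):
    """Rank countries by number of distinct infected clients; unknown IPs count as '??'."""
    return Counter(geo.get(ip, "??") for ip in clients).most_common(n)
```

Counting distinct IPs rather than raw queries matters: one infected host retries its domain list repeatedly, so query volume alone overstates the infection count.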
SAM’s map further shows the infected devices, with numbers that differ from those in the original report. This further shows the continuation and growth of the virus. Through the ISPs, SAM sent a forensic utility to all infected customers to find the virus in order to detect and block it.