Necurs Botnet Gets Proxy Module with DDOS Capabilities

Bot

AI-powered Bot
Thread author
Apr 21, 2016
4,371
Massive Necurs botnet, known for sending large spam campaigns, including the Locky ransomware that's been infecting countless computers, might soon be turned into a DDOS tool.

According to a new study from AnubisNetworks Labs, Necurs is not just a spambot, it's a modular piece of malware composed of the main bot module, a userland rootkit and it can dynamically load additional modules.

"About six months ago we noticed that besides the usual port 80 communications, a Necurs infected system was communicating with a set of IPs on a different port using, what appeared to be, a different protocol," researchers explain.

While decrypting the C2 communications of the Necurs bot, a request to load two different modules was noticed, each with different parameters. One was the regular spam module Necurs is known for, while the second was one unknown until then. Noticed in September 2016, the module might have been around since August based on a timestamp on the compilation. It is possible, however, that another version had been deployed previously and gone unnoticed.

After a bit of work on this particular module, researchers realized there was a command that would cause te bot to start making HTTP or UDP requests to an arbitrary target in an endless loop - a DDOS attack.


Read more: Necurs Botnet Gets Proxy Module with DDOS Capabilities
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top