- Apr 21, 2016
The massive Necurs botnet, known for sending large spam campaigns, including the ones that have been spreading the Locky ransomware to countless computers, might soon be turned into a DDoS tool.
According to a new study from AnubisNetworks Labs, Necurs is not just a spambot: it is modular malware composed of a main bot module and a userland rootkit, and it can dynamically load additional modules.
"About six months ago we noticed that besides the usual port 80 communications, a Necurs infected system was communicating with a set of IPs on a different port using, what appeared to be, a different protocol," researchers explain.
While decrypting the C2 communications of the Necurs bot, the researchers noticed a request to load two different modules, each with different parameters. One was the regular spam module Necurs is known for; the second was unknown until then. First observed in September 2016, the module might have been around since August, judging by its compilation timestamp. It is also possible that an earlier version had been deployed previously and gone unnoticed.
After some work on this particular module, the researchers realized there was a command that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, i.e. a DDoS attack.
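As an added illustration (this is not code from the AnubisNetworks report or from the article), the following Python sketch shows how a defender might look for the two network behaviours described above in flow logs: a host that keeps its normal port-80 traffic but also talks to a small set of IPs on one other port, and a host that suddenly sends a burst of requests to a single target. The flow records, the port 8008, the thresholds and all IP addresses are constructed for the example; the page does not state which port or protocol Necurs actually used for its second channel.

```python
# Added example, not from the AnubisNetworks report: two simple detectors
# run over constructed flow records of the shape
# (timestamp_seconds, src_ip, dst_ip, dst_port, proto).
from collections import defaultdict


def build_sample_flows():
    """Constructed sample data; every address and port here is made up."""
    flows = []
    # Benign host 10.0.0.7: ordinary web browsing on port 80.
    for i in range(20):
        flows.append((i * 3.0, "10.0.0.7", f"198.51.100.{i % 5 + 1}", 80, "tcp"))
    # Infected host 10.0.0.5: the same kind of port-80 traffic ...
    for i in range(20):
        flows.append((i * 3.0, "10.0.0.5", f"198.51.100.{i % 5 + 1}", 80, "tcp"))
    # ... plus a second channel to a handful of IPs on one other port
    # (8008 is a placeholder, not the port Necurs used).
    for i in range(9):
        flows.append((i * 7.0, "10.0.0.5", f"192.0.2.{i % 3 + 10}", 8008, "tcp"))
    # Later, after a (hypothetical) attack command: an HTTP flood against
    # one target, 150 connections in about 7.5 seconds.
    for i in range(150):
        flows.append((100.0 + i * 0.05, "10.0.0.5", "203.0.113.10", 80, "tcp"))
    return flows


def detect_secondary_channel(flows, baseline_ports=frozenset({80, 443}), min_peers=3):
    """Return {src: (port, [peers])} for hosts that, besides baseline web
    ports, contact at least min_peers distinct IPs on a single other port.
    That is the pattern the researchers describe: normal port-80 traffic
    plus a set of IPs on a different port."""
    by_host = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for _ts, src, dst, port, _proto in flows:
        if port not in baseline_ports:
            by_host[src][port].add(dst)
    findings = {}
    for src, ports in by_host.items():
        for port, peers in ports.items():
            if len(peers) >= min_peers:
                findings[src] = (port, sorted(peers))
    return findings


def detect_flood(flows, window_s=10, threshold=100):
    """Return [(src, dst, port, proto, window_start, count)] for any
    (src, dst, port, proto) tuple that exceeds `threshold` flows inside a
    single fixed window of `window_s` seconds. A bot looping on HTTP or
    UDP requests to one target shows up as one very full bucket."""
    buckets = defaultdict(int)
    for ts, src, dst, port, proto in flows:
        window_start = int(ts // window_s) * window_s
        buckets[(src, dst, port, proto, window_start)] += 1
    return [key + (count,) for key, count in sorted(buckets.items())
            if count >= threshold]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("secondary channels:", detect_secondary_channel(sample))
    print("floods:", detect_flood(sample))
```

Both detectors are deliberately crude: fixed-window counting misses a flood that straddles a window boundary (a sliding window fixes that), and a benign host that legitimately talks to several servers on a non-standard port will trip the first check, so its output is a lead to investigate, not a verdict. What the article does support is the shape of the behaviour, a persistent second channel and an open-ended request loop, and that is what these checks look for.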
Read more: Necurs Botnet Gets Proxy Module with DDOS Capabilities