Necurs Botnet Gets Proxy Module with DDOS Capabilities

Discussion in 'News Archive' started by MalwareTips Bot, Feb 24, 2017.

  1. MalwareTips Bot

    MalwareTips Bot MT Robot
    Staff Member

    Apr 21, 2016
    Likes Received:
    Massive Necurs botnet, known for sending large spam campaigns, including the Locky ransomware that's been infecting countless computers, might soon be turned into a DDOS tool.

    According to a new study from AnubisNetworks Labs, Necurs is not just a spambot, it's a modular piece of malware composed of the main bot module, a userland rootkit and it can dynamically load additional modules.

    "About six months ago we noticed that besides the usual port 80 communications, a Necurs infected system was communicating with a set of IPs on a different port using, what appeared to be, a different protocol," researchers explain.

    While decrypting the C2 communications of the Necurs bot, a request to load two different modules was noticed, each with different parameters. One was the regular spam module Necurs is known for, while the second was one unknown until then. Noticed in September 2016, the module might have been around since August based on a timestamp on the compilation. It is possible, however, that another version had been deployed previously and gone unnoticed.

    After a bit of work on this particular module, researchers realized there was a command that would cause te bot to start making HTTP or UDP requests to an arbitrary target in an endless loop - a DDOS attack.

    Read more: Necurs Botnet Gets Proxy Module with DDOS Capabilities
    Vasudev, harlan4096 and silversurfer like this.
Other threads that you may like Forum Date
New Spam Campaign via Necurs Botnet Tries to Manipulate the Stock Market Latest Security News Mar 21, 2017
Malware Alert New massive spam wave spreads Locky – is Necurs botnet back? News Archive Jun 24, 2016
Necurs is back News Archive Feb 26, 2017