Necurs Botnet Gets Proxy Module with DDOS Capabilities

Discussion in 'News Archive' started by MalwareTips Bot, Feb 24, 2017.

  1. MalwareTips Bot

    The massive Necurs botnet, known for sending large spam campaigns, including the Locky ransomware that's been infecting countless computers, might soon be turned into a DDOS tool.

    According to a new study from AnubisNetworks Labs, Necurs is not just a spambot, it's a modular piece of malware composed of the main bot module, a userland rootkit and it can dynamically load additional modules.

    "About six months ago we noticed that besides the usual port 80 communications, a Necurs infected system was communicating with a set of IPs on a different port using, what appeared to be, a different protocol," researchers explain.

    While decrypting the C2 communications of the Necurs bot, a request to load two different modules was noticed, each with different parameters. One was the regular spam module Necurs is known for, while the second was one unknown until then. Noticed in September 2016, the module might have been around since August based on a timestamp on the compilation. It is possible, however, that another version had been deployed previously and gone unnoticed.

    After a bit of work on this particular module, researchers realized there was a command that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop - a DDOS attack.

    Read more: Necurs Botnet Gets Proxy Module with DDOS Capabilities