Massive Necurs botnet, known for sending large spam campaigns, including the Locky ransomware that's been infecting countless computers, might soon be turned into a DDOS tool.
According to a new study from AnubisNetworks Labs, Necurs is not just a spambot: it is a modular piece of malware composed of a main bot module and a userland rootkit, and it can dynamically load additional modules.
"About six months ago we noticed that besides the usual port 80 communications, a Necurs infected system was communicating with a set of IPs on a different port using, what appeared to be, a different protocol," researchers explain.
While decrypting the C2 communications of the Necurs bot, the researchers noticed a request to load two different modules, each with different parameters. One was the regular spam module Necurs is known for, while the second was unknown until then. Noticed in September 2016, the module might have been around since August based on its compilation timestamp. It is possible, however, that another version had been deployed previously and gone unnoticed.
After a bit of work on this particular module, researchers realized there was a command that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop - a DDOS attack.

Massive in size, massive in impact
"This is particularly interesting considering the size of the Necurs botnets (the largest one, where this module was being loaded, has over 1 million active infections each 24 hours). A botnet this big can likely produce a very powerful DDOS attack," researchers note. In fact, Necurs is a much larger botnet than Mirai, and given the damage done by that particular tool, we can only imagine the impact this one would have if deployed.
The module contains two basic DDOS attack modes that don't have special features like origin IP address spoofing or amplification techniques. The HTTP attack works by starting 16 threads that perform an endless loop of requests.
Researchers have not seen Necurs being used for DDOS attacks, only that the capability exists in one of the modules it has been loading. That, however, is just as worrying.