The last time we wrote about the Necurs botnet was in January, when it was used in Locky ransomware distribution operations.
Necurs has been primarily used to spread spam emails in order to infect user systems. The botnet usually infected systems with ransomware. Around June 1st, 2016, the botnet virtually stopped all its activities. The inactions of Necurs marked a decrease in malicious email spam. Later in 2016, Necurs was back once again.
Interestingly, while Necurs was pulled from the malware scene, there was a significant decrease in spam campaigns. Moreover, the botnet was down for some time because its authors were aiming at making it more sophisticated. As it was frequently used, more and more security measures were able to detect and neutralize it.
Necurs Botnet Going DDoS?
What is happening with Necurs botnet now? According to a new study carried out by AnubisNetworks Lab, Necurs is more than a spambot. The botnet is a modular piece of malware made of the main bot module and a userland rootkit. Apparently, Necurs can dynamically load additional modules, too. To come to this conclusion the researchers made some quite intriguing observations.
“About six months ago we noticed that besides the usual port 80 communications, a Necurs infected system was communicating with a set of IPs on a different port using, what appeared to be, a different protocol,” the team of researchers said.
The team noticed a request to load two different modules while decrypting the command & control communications of the botnet. One of the modules was meant for spam, while the other one, a proxy module, hadn’t been known until that moment. The second module was caught in September 2016, but it may have been around earlier than that.
After some careful research it was established that there was a command that would trigger the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop. In other words, this description fits a DDoS attack.
“This is particularly interesting considering the size of the Necurs botnets (the largest one, where this module was being loaded, has over 1 million active infections each 24 hours). A botnet this big can likely produce a very powerful DDOS attack,” the researchers explained.