The Necurs botnet has learned a new trick. Instead of spewing spam delivering Locky ransomware, the notorious botnet is now capable of launching DDoS attacks.
According to BitSight’s Anubis Labs, the malware was modified in September to include a module that adds DDoS capabilities and new proxy command-and-control communication functions. Necurs is the malware that makes up the botnet that goes by the same name and is currently active on one million Windows PCs, according to researcher Tiago Pereira, threat intel researcher with Anubis Labs.
“Necurs is a modular malware that can be used for many different purposes. What’s new with the sample we found is the addition of a module that adds SOCKS/HTTP proxy and DDoS capabilities to this malware,” he said.
About six months ago, Pereira said, Anubis Labs noticed that beside the usual port 80 communications, a Necurs-infected system was communicating with a set of IPs through a different port using, what appeared to be, a different protocol.
When Anubis Labs researchers reverse engineered the sample of the Necurs malware, they noticed what appeared to be a simple SOCKS/HTTP proxy module for communications between it and the command-and-control server.
“As we looked at the commands the bot would accept from the C2, we realized that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack,”
Researchers are careful to point out the DDoS function has not been utilized by those behind the Necurs botnet at this time.
Botnet owners use the compromised bots as proxies (HTTP, SOCKSv4 and SOCKSv5 protocols), relaying connections through them in two modes of operation (direct proxy and proxy backconnect), according to the report.
“There are also three types of messages (or commands) sent by the C2 to the bot, that can be distinguished,” Pereira said. Those commands include Start Proxybackconnect, Sleep and Start DDoS, he said.
Breaking it down even further, the Start DDoS attack command includes two possible modes: HTTPFlood and UDPFlood. The Necurs bot will start an HTTP flood attack against the target if the first bytes of the message payload are the string “http:/”. If the first bytes of the message payload are not the string “http:/”, the bot will start an UDP flood attack against the target.
“Given the size of the Necurs botnets (more than one million IP/24 hours in the largest botnet), even the most basic techniques should produce a very powerful attack,” Pereira wrote.
“The HTTP attack works by starting 16 threads that perform an endless loop of HTTP requests… The UDP flood attack works by repeatedly sending a random payload with size between 128 and 1024 bytes,” according to the report.