The Necurs botnet has the potential and the capability to convert into a distributed denial of service (DDoS) attack tool, researchers said.
Necurs, known for sending spam campaigns, is not just a spambot, it’s a piece of malware consisting of the main bot module, a rootkit and it can dynamically load additional modules.
“About six months ago we noticed that besides the usual port 80 communications, a Necurs infected system was communicating with a set of IPs on a different port using, what appeared to be, a different protocol,” AnubisNetworks Labs researchers said in a blog post.
While decrypting the C2 communications of the Necurs bot, researchers found a request to load two different modules, each with different parameters.
One was the regular spam module Necurs usually has, while the second remained unknown until then. Noticed in September 2016, the module might have been around since August based on a timestamp on the compilation. It is possible, however, another version had been deployed previously and gone unnoticed.
After a bit of work on this particular module, researchers found there was a command that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop — a DDoS attack.
“This is particularly interesting considering the size of the Necurs botnets (the largest one, where this module was being loaded, has over 1 million active infections each 24 hours). A botnet this big can likely produce a very powerful DDoS attack,” the researchers said. In fact, Necurs is a much larger botnet than Mirai, which caused severe damage.
The module contains two basic DDoS attack modes that don’t have special features like origin IP address spoofing or amplification techniques. The HTTP attack works by starting 16 threads that perform an endless loop of requests.
Researchers have not seen Necurs in DDoS attack mode, but it does have the capacity for a massive strike.