
Necurs is Back


tao


The Necurs botnet has resurfaced, with some new tricks. Notably, it’s taking a page from Mirai, and setting itself up to act as infrastructure for DDoS attacks.

 

According to Anubis Networks, the bot showed up about six months ago communicating with a set of IPs on a different port than the usual port 80. It also uses what appears to be a different protocol.

 

It’s also loading a new module—indicating that it can add new capabilities at any time.

 

“Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware,” said Anubis, in an analysis. “However, Necurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit and it can dynamically load additional modules (besides the spam module).”

 

While decrypting the C2 communication of a Necurs bot, Anubis observed a request to load two different modules, each with a different parameter list. The first one was the spam module for which Necurs is most known, and the parameters are the C2 addresses from which it can receive new spam campaigns. The second one was an unknown module that seemed responsible for the communications Anubis saw to the new port.

 

Upon examination, the firm discovered that the new module issued commands that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack.

 

“This is particularly interesting considering the size of the Necurs botnets (the largest one, where this module was being loaded, has over 1 million active infections each 24 hours),” the company noted. “A botnet this big can likely produce a very powerful DDoS attack.”

 

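The behaviour the article attributes to the new module, a bot hitting one target with HTTP or UDP requests in an endless loop, is the kind of thing a defender can spot from ordinary flow or proxy logs without knowing anything about Necurs' C2 protocol. The following is an added example, not code from the article or from Anubis Networks: it assumes flow records with timestamp, source, destination, port and protocol fields, builds a constructed sample (one host sending 300 UDP datagrams to a single address in six seconds next to a normal client), and flags any internal host whose rate to one destination is far beyond what a legitimate client sustains.

```python
"""Flag internal hosts that hammer a single destination in a tight loop.

Added example with constructed sample data; the Flow fields are assumed,
not the format of any real collector, and the addresses are documentation
ranges, not observed infections.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch (assumed field)
    src: str       # internal host that opened the flow
    dst: str       # destination address
    dport: int
    proto: str     # "tcp" or "udp"


def max_in_window(times: List[float], window: float) -> int:
    """Largest number of events that fall inside any `window`-second span
    (sliding window over the sorted timestamps)."""
    times = sorted(times)
    best = left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_floods(flows: Iterable[Flow], window: float = 10.0,
                  min_flows: int = 200) -> Dict[str, Tuple[str, int, str, int]]:
    """Map each offending source to (dst, dport, proto, peak_count).

    A source is flagged when it opens at least `min_flows` flows to the same
    destination/port/protocol inside any `window` seconds.  Spreading the
    check per (src, dst, dport, proto) keeps a busy but legitimate client,
    which talks to many destinations, from tripping the threshold.
    """
    by_pair: Dict[Tuple[str, str, int, str], List[float]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport, f.proto)].append(f.ts)

    alerts: Dict[str, Tuple[str, int, str, int]] = {}
    for (src, dst, dport, proto), times in by_pair.items():
        peak = max_in_window(times, window)
        # Keep only the worst destination per source.
        if peak >= min_flows and peak > alerts.get(src, ("", 0, "", 0))[3]:
            alerts[src] = (dst, dport, proto, peak)
    return alerts


def constructed_sample() -> List[Flow]:
    """Constructed flows: one host in an attack loop, one normal client."""
    flows: List[Flow] = []
    # Looping bot: 300 UDP datagrams to one address, 20 ms apart (~6 s total).
    for i in range(300):
        flows.append(Flow(1000.0 + i * 0.02, "10.0.0.5", "203.0.113.7", 80, "udp"))
    # Normal client: 20 HTTPS connections to five hosts over ten minutes.
    for i in range(20):
        flows.append(Flow(1000.0 + i * 30.0, "10.0.0.6",
                          f"198.51.100.{i % 5 + 1}", 443, "tcp"))
    return flows


if __name__ == "__main__":
    for src, (dst, dport, proto, peak) in detect_floods(constructed_sample()).items():
        print(f"{src} -> {dst}:{dport}/{proto}: {peak} flows inside 10 s")
```

The threshold of 200 flows in 10 seconds is a starting point, not a tuned value; on a real network it should be set from a baseline of the noisiest legitimate clients (monitoring agents, backup jobs) so that the only hosts above it are ones that have no business sending at that rate.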


Too bad neither site shows a map of the infection and what countries it is primarily in according to their data.  I haven't seen any sign of the botnet or any of its infections.  There is a map available at Maltech of the current infection and I found one from last summer also.

 

Comparing the two maps it would appear that the botnet is dying off, not expanding.

 

[Image: Current Infections (170227.jpg)]

[Image: Infections June 2016 (160621.jpg)]
