schrödinger

feed me, seymour

  • Necurs += DDoS
    World’s largest spam botnet (5 million bots) adds proxy module with DDoS features, but will it really be used that way?

    http://blog.anubisnetworks.com/blog/necurs-proxy-module-with-ddos-features

    Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware. However, Necurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit and it can dynamically load additional modules.

    [...]

    At first look, it seemed to be a simple SOCKS/HTTP proxy module, but as we looked at the commands the bot would accept from the C2 [port 5222] we realised that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDOS attack.

    [...]

    Please notice that we have not seen Necurs being used for DDOS attacks, we simply saw that it has that capability in one of the modules that it has been loading.

    The rest of their post contains the results of a technical analysis of this module, detailing its C2 protocol, the SOCKS/HTTP proxy features, and the DDOS attack features.

    #DDoS #Necurs botnet

    • https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-adds-ddos-feature

      The sheer size of the Necurs botnet, even in its worst days, dwarfs all of today’s IoT botnets. The largest IoT botnet ever observed was Mirai Botnet #14 that managed to rack up around 400,000 bots towards the end of 2016.

      [...]

      “The proxy/DDoS module is quite old,” said MalwareTech, a security researcher that has tracked Necurs’ evolution for years. “I imagine it was put in as a potential revenue stream but then they found there was more money in spam.”

      Outside a higher revenue stream the Necurs gang stands to earn from spam, we must also take into consideration other reasons why it’s highly unlikely that we’re going to see DDoS attacks from Necurs.

      [...]

      Necurs’ authors have invested time and money into developing a professional, well-oiled cyber-crime machine. There is no reason to risk their steady revenue stream just for the sake of running a DDoS-for-hire service from which they have only to lose.

      Mathematically, it makes no sense to destroy three revenue streams (Dridex, Locky, and rentable spamming service) just for the sake of creating and supporting a DDoS booter service.