It's not only a spam bot, but a piece of malware that is
The DDoS capability was added almost six months ago via Necurs’ new Proxy module.
An initial analysis of the module described it as an on-demand proxy server that could relay malicious traffic through infected hosts using the HTTP, SOCKSv4, and SOCKSv5 proxy protocols.
Every DDoS record would easily be broken by a Necurs DDoS attack
If Necurs ever chose to use its bots for a DDoS attack, the size of such an attack would exceed any other DDoS attack we have seen before.
For most of its lifespan, the operators of the Necurs botnet have used it to send spam from infected hosts, usually carrying the Dridex banking trojan and, more recently, the Locky ransomware.
“The proxy/DDoS module is quite old,” said MalwareTech, a security researcher who has tracked Necurs’ evolution for years. “I imagine it was put in as a potential revenue stream but then they found there was more money in spam.”
Beyond the higher revenue the Necurs gang stands to earn from spam, there are other reasons why it is highly unlikely that we will see DDoS attacks from Necurs.
Necurs' creators have invested time and money into building a professional, well-oiled cyber-crime machine. There is no incentive to risk their steady income stream just to run a DDoS-for-hire service from which they have only to lose.
Financially, it makes no sense to jeopardize three income streams (Dridex, Locky, and a rentable spamming service) just to create and support a DDoS booter service.
Module start/initialization
Once the module is loaded by the bot, it performs the following initialization actions:
- Parses the parameters and stores them in an internal list of C2 addresses;
- Fills a memory structure (see the botsettings struct definition below) with:
  - The BotID – generated by gathering unique system characteristics;
  - The internal IP address – obtained by checking the outbound socket's IP address when connecting to google.com;
  - The external IP address – obtained through HTTP from ipv4.icanhazip.com or checkip.dyndns.org;
  - The available bandwidth – obtained by measuring the download speed of the Windows 7 Service Pack 1 file from Microsoft;
  - The (SOCKS/HTTP) proxy service port – the port of the proxy service, which listens on a random port above 1024;
- Checks whether the system is behind NAT – by checking that the outbound socket IP is not a local address and that it matches the external IP;
- If the system is not behind NAT, the bot starts a SOCKS/HTTP proxy service listening on a random port above 1024.
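The initialization sequence above leaves a recognizable host-level footprint that a defender can look for. The Python below is an added example, not the article's code nor anything from the malware itself: it replays the module's NAT test as the article describes it, and flags hosts in constructed sensor telemetry that perform an external-IP lookup via one of the two named services and afterwards open a listener on a port above 1024. The event format, host names and IP addresses are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed host-sensor telemetry (not from the article): one record per
# outbound connection or newly opened listening socket, in order of occurrence.
SAMPLE_EVENTS = [
    # (seq, host, kind, "name-or-address:port")
    (1, "ws-17", "connect", "google.com:443"),
    (2, "ws-17", "connect", "ipv4.icanhazip.com:80"),
    (3, "ws-17", "connect", "download.microsoft.com:80"),
    (4, "ws-17", "listen", "0.0.0.0:49155"),
    (5, "ws-22", "connect", "checkip.dyndns.org:80"),
    (6, "ws-22", "connect", "google.com:443"),
    (7, "ws-31", "listen", "0.0.0.0:8080"),          # listener before the lookup
    (8, "ws-31", "connect", "ipv4.icanhazip.com:80"),
]

# Behaviours the article attributes to the module's initialization.
EXTERNAL_IP_SERVICES = {"ipv4.icanhazip.com", "checkip.dyndns.org"}
MIN_PROXY_PORT = 1025  # "a random port above 1024"


def behind_nat(outbound_ip: str, external_ip: str) -> bool:
    """The module's NAT test as the article describes it: a host is *not*
    behind NAT only if its outbound socket address is a non-local address
    that equals the external address returned by the IP-lookup service."""
    addr = ipaddress.ip_address(outbound_ip)
    return addr.is_private or addr != ipaddress.ip_address(external_ip)


def flag_proxy_candidates(events):
    """Return {host: stages} for hosts that performed an external-IP lookup
    and then opened a listener on a port above 1024, in that order."""
    stages = defaultdict(list)
    for _, host, kind, detail in sorted(events):
        name, _, port = detail.rpartition(":")
        if kind == "connect" and name in EXTERNAL_IP_SERVICES:
            stages[host].append("external-ip-lookup")
        elif (kind == "listen" and int(port) >= MIN_PROXY_PORT
              and "external-ip-lookup" in stages[host]):
            stages[host].append("high-port-listener")
    return {h: s for h, s in stages.items() if "high-port-listener" in s}


if __name__ == "__main__":
    for host, seen in flag_proxy_candidates(SAMPLE_EVENTS).items():
        print(host, "->", " then ".join(seen))
```

Hosts whose outbound address is a private (RFC 1918) address, or a public address that differs from what the lookup service returned, would have been classified as behind NAT and would not have started the proxy service.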