Saturday, December 14, 2024

Necurs, the world’s largest spam botnet with nearly 5 million infected bots launching DDoS attacks


Necurs is malware best known for sending spam in very large volumes. The botnet contains nearly 5 million infected bots, of which roughly one million are active on any given day.

It is not just a spam bot. Necurs is modular malware built around a main bot module, with the rest of its functionality split across several additional modules that are loaded onto infected PCs dynamically, only when they are needed.

According to security researchers at threat intelligence company Anubis Networks, alongside the usual port 80 communications, a Necurs-infected system was observed talking to a set of IPs on a different port, using what appeared to be a different protocol.


The DDoS capability was added almost six months ago via Necurs’ new Proxy module.

The accompanying picture shows an example of this network traffic.

An initial analysis of the module classified it as an on-demand proxy server that could relay malicious traffic through infected hosts using the HTTP, SOCKSv4 and SOCKSv5 proxy protocols.
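When a host starts talking on an unexpected port, the first thing an analyst wants to know is which of those three proxy protocols (if any) the traffic is. The following classifier is an added example and is not code from the article or from Anubis Networks; it follows the public SOCKS4, SOCKS5 and HTTP CONNECT wire formats, and the sample payloads it checks are constructed for illustration. Feed it the first bytes a client sends on a connection (from a pcap or a sensor) and it reports whether they open a SOCKSv4, SOCKSv5 or HTTP proxy request.

```python
"""Classify the first client bytes of a connection as an HTTP, SOCKSv4 or
SOCKSv5 proxy request.

Added example, not code from the article or from Anubis Networks. The wire
formats are the public ones (SOCKS4, SOCKS5 greeting, HTTP CONNECT); the
sample payloads in SAMPLES are constructed.
"""
import re
import socket
import struct

# "CONNECT host:port HTTP/1.x" is how an HTTP proxy tunnel is opened.
HTTP_CONNECT = re.compile(
    rb"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\r\n")
# A plain request with an absolute URI is also a proxied HTTP request.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_proxy_request(payload: bytes) -> dict:
    """Return a dict with a 'proto' key ('socks4', 'socks5', 'http' or
    'unknown') plus the fields that could be parsed from the request."""
    # SOCKS4 request: VN=4, CD (1=CONNECT, 2=BIND), DSTPORT(2), DSTIP(4),
    # USERID bytes, NUL. SOCKS4a puts 0.0.0.x in DSTIP and a hostname after it.
    if len(payload) >= 9 and payload[0] == 4 and payload[1] in (1, 2):
        (port,) = struct.unpack("!H", payload[2:4])
        ip = socket.inet_ntoa(payload[4:8])
        nul = payload.find(b"\x00", 8)
        if nul == -1:
            return {"proto": "unknown"}
        userid = payload[8:nul].decode("ascii", "replace")
        host = None
        if ip.startswith("0.0.0.") and ip != "0.0.0.0":
            rest = payload[nul + 1:]
            end = rest.find(b"\x00")
            host = rest[:end].decode("ascii", "replace") if end != -1 else None
        return {"proto": "socks4", "cmd": "connect" if payload[1] == 1 else "bind",
                "ip": ip, "port": port, "userid": userid, "host": host}

    # SOCKS5 greeting: VER=5, NMETHODS, METHODS[NMETHODS]. Method 0 = no auth.
    if len(payload) >= 2 and payload[0] == 5:
        n = payload[1]
        if len(payload) >= 2 + n:
            methods = list(payload[2:2 + n])
            return {"proto": "socks5", "auth_methods": methods,
                    "no_auth_offered": 0 in methods}
        return {"proto": "unknown"}

    # HTTP proxy: either a CONNECT tunnel or a request with an absolute URI.
    m = HTTP_CONNECT.match(payload)
    if m:
        return {"proto": "http", "cmd": "connect",
                "host": m.group("host").decode(), "port": int(m.group("port"))}
    if payload.startswith(HTTP_METHODS) and b" http://" in payload.split(b"\r\n", 1)[0]:
        return {"proto": "http", "cmd": "absolute-uri"}

    return {"proto": "unknown"}


# Constructed sample first-packets (not captured traffic).
SAMPLES = {
    # SOCKS4 CONNECT to 198.51.100.10:80 with userid "bot"
    "socks4": b"\x04\x01\x00\x50\xc6\x33\x64\x0a" + b"bot\x00",
    # SOCKS5 greeting offering no-auth (0) and username/password (2)
    "socks5": b"\x05\x02\x00\x02",
    # HTTP CONNECT tunnel request
    "http": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    # Start of a TLS ClientHello: not a proxy request at all
    "other": b"\x16\x03\x01\x00\xa5",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, "->", classify_proxy_request(payload))
```

A SOCKS5 greeting that offers method 0 (no authentication) is worth flagging on its own: an open, unauthenticated proxy listener on a workstation is exactly the kind of on-demand relay described above.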

A Necurs DDoS attack would easily break every DDoS record

If the Necurs operators ever chose to use their bots for a DDoS attack, the scale of that attack would exceed any DDoS attack seen before.

For most of its lifespan, the operators of the Necurs botnet have used it to send spam from infected hosts, usually carrying the Dridex banking trojan and, more recently, the Locky ransomware.

“The proxy/DDoS module is quite old,” said MalwareTech, a security researcher who has tracked Necurs’ evolution for years. “I imagine it was put in as a potential revenue stream but then they found there was more money in spam.”

Beyond the higher revenue the Necurs gang earns from spam, there are other reasons why it is highly unlikely that we will see DDoS attacks from Necurs.

The Necurs operators have invested time and money in building a professional, well-oiled cyber-crime machine. There is no incentive to risk that steady income stream just to run a DDoS-for-hire service, from which they have only to lose.

Financially, it makes no sense to jeopardize three revenue streams (Dridex, Locky and a rentable spamming service) just to build and support a DDoS booter service.

According to threat intelligence company Anubis Networks:

It seemed to be a simple SOCKS/HTTP proxy module, but as we looked at the commands the bot would accept from the C2 we realized that there was an additional command that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack. This is particularly interesting considering the size of the Necurs botnets (the largest one, where this module was being loaded, has over 1 million active infections each 24 hours). A botnet this big can likely produce a very powerful DDoS attack.

Start/initialization of the module, as described by Anubis Networks:

Once the module is loaded by the bot, it performs the following initialization actions:

  1. Parses the parameters and stores them in an internal list of C2 addresses;
  2. Fills a memory structure (the botsettings struct) with:
     - The BotID, generated by gathering unique system characteristics;
     - The internal IP address, obtained by checking the outbound socket's IP address when connecting to google.com;
     - The external IP address, obtained over HTTP from ipv4.icanhazip.com or checkip.dyndns.org;
     - The available bandwidth, obtained by measuring the download speed of the Windows 7 Service Pack 1 file from Microsoft;
     - The (SOCKS/HTTP) proxy service port, i.e. the port on which the proxy service listens, a random port above 1024;
  3. Checks whether the system is behind NAT, by verifying that the outbound socket IP is not a local address and that it matches the external IP;
  4. If the system is not behind NAT, the bot starts a SOCKS/HTTP proxy service listening on a random port above 1024.
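Two parts of that initialization are directly useful to a defender: the NAT check decides whether a host will ever become a proxy node, and the external-IP lookup followed by the Windows 7 SP1 download leaves a distinctive pair of web requests. The script below is an added example, not code from the article or from Anubis Networks. It reproduces the NAT decision as the article describes it and hunts for the lookup-then-download pair in web-proxy logs. Assumptions, labelled in the code: the set of "local" address ranges (the article does not say which ranges the bot treats as local, so RFC 1918, loopback and link-local are used), the Microsoft download host and the SP1 package filename fragment, and the log line format; the sample log lines are constructed.

```python
"""Reproduce the Necurs proxy module's NAT check and hunt for its
initialization indicators in web-proxy logs.

Added example, not code from the article or from Anubis Networks. The log
format, the Microsoft download host/filename fragment and the "local" address
ranges are assumptions; SAMPLE_LOG is constructed, not real traffic.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Services the module queries for its external IP (named in the article).
EXTERNAL_IP_SERVICES = {"ipv4.icanhazip.com", "checkip.dyndns.org"}
# The module measures bandwidth by downloading the Windows 7 SP1 file from
# Microsoft. The article gives no URL, so host and filename fragment are
# assumptions for matching purposes.
BANDWIDTH_PROBE_HOST = "download.microsoft.com"       # assumption
BANDWIDTH_PROBE_FRAGMENT = "windows6.1-KB976932"      # assumption (Win7 SP1 package)

# Assumption: "local address" means RFC 1918 private, loopback or link-local.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_local_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def behind_nat(outbound_ip: str, external_ip: str) -> bool:
    """The module's NAT check as the article describes it: the host is NOT
    behind NAT only if the outbound socket IP is a non-local address AND
    equals the external IP fetched over HTTP. Only then does the proxy
    listener get started."""
    if is_local_address(outbound_ip):
        return True
    return outbound_ip != external_ip


def parse_line(line: str):
    """Parse a constructed proxy log line: '<iso-time> <client-ip> <host> <url>'."""
    ts, client, host, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, host, url


def find_init_sequences(log_lines, window=timedelta(minutes=10)):
    """Return client IPs that queried an external-IP service and, within
    `window` afterwards, pulled the Windows 7 SP1 file from Microsoft.

    Each event alone is benign (people check their IP, machines download
    service packs); the ordered pair within a short window is the signal.
    """
    ip_lookups = defaultdict(list)  # client -> timestamps of external-IP lookups
    hits = set()
    for line in log_lines:
        ts, client, host, url = parse_line(line)
        if host in EXTERNAL_IP_SERVICES:
            ip_lookups[client].append(ts)
        elif host == BANDWIDTH_PROBE_HOST and BANDWIDTH_PROBE_FRAGMENT in url:
            if any(timedelta(0) <= ts - t <= window for t in ip_lookups[client]):
                hits.add(client)
    return sorted(hits)


# Constructed sample log lines (not real traffic). Only 10.0.0.5 shows the
# lookup-then-download pair inside the window.
SAMPLE_LOG = [
    "2017-02-23T10:00:01 10.0.0.5 www.google.com http://www.google.com/",
    "2017-02-23T10:00:02 10.0.0.5 ipv4.icanhazip.com http://ipv4.icanhazip.com/",
    "2017-02-23T10:00:04 10.0.0.5 download.microsoft.com "
    "http://download.microsoft.com/download/sp1/windows6.1-KB976932-X64.exe",
    "2017-02-23T10:05:00 10.0.0.9 checkip.dyndns.org http://checkip.dyndns.org/",
    "2017-02-23T14:30:00 10.0.0.9 download.microsoft.com "
    "http://download.microsoft.com/download/sp1/windows6.1-KB976932-X86.exe",
    "2017-02-23T11:00:00 10.0.0.7 download.microsoft.com "
    "http://download.microsoft.com/download/sp1/windows6.1-KB976932-X64.exe",
]

if __name__ == "__main__":
    print("192.168.1.10 vs 203.0.113.7 -> behind NAT:", behind_nat("192.168.1.10", "203.0.113.7"))
    print("203.0.113.7 vs 203.0.113.7  -> behind NAT:", behind_nat("203.0.113.7", "203.0.113.7"))
    print("clients showing the init sequence:", find_init_sequences(SAMPLE_LOG))
```

The NAT logic is also the practical takeaway for blast-radius reasoning: a bot whose outbound socket carries a private address never starts the proxy listener, so on a typical NATed corporate network the proxy/DDoS module can still generate outbound flood traffic but will not become a reachable relay.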


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
