New DDoS capabilities uncovered in Necurs botnet
The Necurs botnet is one of the largest around at the moment and is principally known for sending spam including the Locky ransomware.
However, new research from BitSight's Anubis Labs has uncovered a new component being loaded in infected systems that allows it to use bots to enable proxy communications and perform DDoS attacks.
The module has a compilation date in August 2016, although there's no evidence that these new capabilities have yet been used in anger. A botnet the size of Necurs, if used for DDoS attacks, is likely to cause severe disruption wherever it hits, being very capable of crippling critical internet services.
The Mirai botnet, although several times smaller, delivered a major detrimental impact. If used to carry out a DDoS attack Necurs would definitely be capable of much more due to its sheer size.
Once installed it checks the system's internal and external IP addresses, measures the available bandwidth and looks to see if a NAT (Network Address Translation) service is in use. If there's no NAT, Necurs uses a SOCKS/HTTP proxy service and command, allowing the botnet's owners to use the compromised bots as proxies (via HTTP, SOCKSv4 and SOCKSv5 protocols), relaying connections through them.
"Although known mainly for its spam module, Necurs is a modular malware that can be used for many different purposes," the BitSight researchers conclude. "Although we have not seen Necurs being used to perform DDOS attacks, this capability is currently deployed in the infected systems and taking into account the size of the botnet it could produce a powerful attack."
You can find out more detail about the malware on the Anubis blog.