Locked and Loaded: Huge Botnet Updated for DDoS

The Necurs botnet has been updated to support denial of service attacks, Anubis Networks reports.

In-brief: Researchers at Anubis Networks claim that Necurs, one of the world’s largest botnets, has added a feature for launching denial of service attacks. 

One of the globe's largest networks of infected systems (or "botnets") is now equipped with features that would allow it to launch denial of service attacks that could dwarf anything seen to date, according to the security firm Anubis Networks, a division of BitSight Technologies.

Research by Anubis found that the Necurs botnet, a global network of more than one million machines infected with the Necurs malware, added a module in recent months that lets it launch distributed denial of service (DDoS) attacks against designated targets. To date the botnet has mostly been used to distribute spam email and has not been enlisted to launch DDoS attacks, according to a post by the Anubis Labs team.

Necurs is a so-called "rootkit," a back door program that hides itself on the infected system and gives remote attackers control over it. The software has been documented since 2014 and spreads via infected email attachments. It is often installed as a secondary program by other "downloader" programs, according to an analysis by Trend Micro. To date, Necurs has been employed almost exclusively to send spam email. However, the software is modular and supports other features as well: in addition to the rootkit functionality, Necurs modules include a domain generation algorithm (DGA) and a command and control (C2) component, Anubis notes.

A module added in late August, though, appears to give the botnet DDoS capabilities, Anubis researchers said. Reverse engineering of the module identified commands that send HTTP or UDP requests to arbitrary Internet addresses in an endless loop, the typical signature of a flood-style denial of service attack.

DDoS features are not uncommon in botnet malware; indeed, denial of service attacks are one of the main ways to make money from a botnet. What is different is the size of the Necurs botnet compared with others, including the recent Mirai botnet that took down managed DNS provider Dyn. Mirai, which launched the largest denial of service attacks on record, topped out at around 200,000 infected hosts. Research by BitSight put the number of nodes in the Necurs botnet at more than 650,000 as of June 2016. That number may be smaller now, but an infection map currently puts the number of Necurs hosts at 208,000, almost three times the size of the Mirai botnet (77,000 hosts).

Anubis noted that the DDoS features in the Necurs malware are "very basic" and lack more advanced techniques such as spoofing the source IP address or amplification. However, the size of the botnet makes such features less necessary. "Given the size of the Necurs botnets,… even the most basic techniques should produce a very powerful attack," Anubis said.
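The attack pattern described above (HTTP or UDP requests to one target in a tight loop, with no source spoofing and no amplification) has a useful defensive consequence: in flow logs from a network that hosts an infected machine, the source address of the flood is the real bot, so a rate check per source/destination pair both detects participation and attributes it. The following is an added example written for this page, not code from Necurs, Anubis or BitSight. It runs a sliding-window flood detector over a constructed NetFlow-style sample; the addresses, the 10-second window and the 200-flows-per-window threshold are assumptions to be tuned against your own baseline.

```python
"""Added example (not Necurs or Anubis/BitSight code): flag internal hosts that
look like they are participating in a basic, unspoofed HTTP/UDP flood.

Input is a list of NetFlow-style records (timestamp_s, src_ip, dst_ip, proto,
dst_port). The sample data below is constructed for this example."""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, str, int]

# Assumed thresholds: a real deployment tunes these to its traffic baseline.
WINDOW_S = 10.0
MIN_FLOWS_PER_WINDOW = 200


def constructed_flows() -> List[Flow]:
    """Build a small synthetic flow log: one normal client and one flooding bot.

    Addresses are from documentation ranges (RFC 5737) and are placeholders."""
    flows: List[Flow] = []
    # Normal browsing: a handful of HTTP connections to several sites.
    for i, dst in enumerate(["203.0.113.10", "203.0.113.20", "203.0.113.30"]):
        flows.append((float(i * 3), "192.0.2.5", dst, "tcp", 80))
    # Flood: one bot alternating HTTP (tcp/80) and UDP (udp/53) requests to a
    # single target at 200 flows per second, the 'endless loop' pattern described.
    for n in range(1500):
        proto, port = ("tcp", 80) if n % 2 == 0 else ("udp", 53)
        flows.append((n * 0.005, "192.0.2.77", "198.51.100.9", proto, port))
    return sorted(flows)


def find_flooders(flows: List[Flow],
                  window_s: float = WINDOW_S,
                  min_flows: int = MIN_FLOWS_PER_WINDOW) -> Dict[Tuple[str, str, str], int]:
    """Return {(src, dst, proto): peak_flows_in_window} for pairs exceeding min_flows.

    A sliding window is run per (src, dst, proto) over sorted timestamps. Because
    the flood described lacks source spoofing, src is the real infected host.
    Caveat: a spoofed or amplified flood spreads across random sources, so this
    per-source check would miss it; that case needs a per-destination fan-in check."""
    by_key: Dict[Tuple[str, str, str], List[float]] = defaultdict(list)
    for ts, src, dst, proto, _port in flows:
        by_key[(src, dst, proto)].append(ts)

    hits: Dict[Tuple[str, str, str], int] = {}
    for key, times in by_key.items():
        times.sort()
        lo = 0
        peak = 0
        for hi in range(len(times)):
            # Advance the window start until it spans at most window_s seconds.
            while times[hi] - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_flows:
            hits[key] = peak
    return hits


def infected_hosts(hits: Dict[Tuple[str, str, str], int]) -> List[str]:
    """Collapse flagged (src, dst, proto) triples to a sorted list of source hosts."""
    return sorted({src for (src, _dst, _proto) in hits})


if __name__ == "__main__":
    flows = constructed_flows()
    hits = find_flooders(flows)
    for (src, dst, proto), peak in sorted(hits.items()):
        print(f"{src} -> {dst}/{proto}: {peak} flows in {WINDOW_S:.0f}s")
    print("likely bots:", infected_hosts(hits))
```

On the constructed sample the normal client never exceeds a few flows per window, while the bot is flagged twice (once for the tcp/80 stream, once for the udp/53 stream) and collapses to a single host to isolate. Tune the window and threshold against real exports before alerting on them; a busy web proxy or DNS resolver will legitimately exceed a naive threshold.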