Necurs botnet

Necurs, the world's largest spam botnet with nearly 5 million infected bots, of which one million active each day, has added a new module that can be used for launching DDoS attacks.

Like most of today's top-tier malware families, Necurs' functionality is broken down across several modules that are loaded on infected computers in real-time, only when needed.

DDoS feature hidden in the Necurs Proxy module

According to security researchers from threat intelligence company Anubis Networks, the DDoS capability was added almost six months ago via Necurs' new Proxy module.

First detections put this module on the map in September 2016, but binary compilation dates reveal the module might have first shipped out starting on August 23, 2016.

An initial analysis of the module classified it as an on-demand proxy server that could relay malicious traffic through infected hosts, via HTTP, SOCKSv4, and SOCKSv5 proxy protocols.

The DDoS functionality only recently came to light after Anubis researchers noticed some weird traffic coming out of computers infected with Necurs going to the command and control server on port 5222, alongside the classic port 80, used to manage the other modules.

A subsequent investigation of the Proxy module revealed that besides the traffic relay features, this module could receive commands that instructed bots to issue a constant flood of HTTP or UDP requests aimed at a specific target.

A Necurs DDoS attack would easily break every DDoS record

It is worth mentioning that at the time of this article no DDoS attack has ever been attributed to the Necurs botnet. If Necurs would ever decide to use its bots for a DDoS attack, the scale of such an attack would be beyond any other DDoS attack we've seen in the past.

The sheer size of the Necurs botnet, even in its worst days, dwarfs all of today's IoT botnets. The largest IoT botnet ever observed was Mirai Botnet #14 that managed to rack up around 400,000 bots towards the end of 2016.

On the other hand, Necurs reached these massive numbers by infecting classic desktop computers. The botnet grew so big because it was never used for disruptive DDoS attacks that usually tend to get the attention of law enforcement agencies, who then coordinate takedown attempts.

For most of its lifespan, the authors of the Necurs botnet have used it to send spam from infected hosts, usually carrying the Dridex banking trojan, and more recently the Locky ransomware.

DDoS feature unlikely to be ever deployed

It is currently a mystery why Necurs operators decided to add a DDoS feature to their botnet, but according to different people, this decision doesn't make any sense.

"The proxy/DDoS module is quite old," said MalwareTech, a security researcher that has tracked Necurs' evolution for years. "I imagine it was put in as a potential revenue stream but then they found there was more money in spam."

Outside a higher revenue stream the Necurs gang stands to earn from spam, we must also take into consideration other reasons why it's highly unlikely that we're going to see DDoS attacks from Necurs.

DDoS brings the wrong type of attention

First and foremost, DDoS attacks devour botnets. They obliterate them. DDoS features they tend to make computers lag, which slowing down due to the constant stream of traffic originating from the network interface.

There's no clearer sign that your computer is infected with malware than a slow moving-PC, which usually leads to users investigating what's wrong.

Additionally, DDoS botnets also tend to get the attention of law enforcement authorities. For example, just two days ago, UK police arrested a suspect behind the infamous Mirai Botnet #14, which we've just mentioned a few paragraphs above.

If there's two things malware authors don't want is a user poking around for malware and law enforcement going after their C&C servers.

DDoS attacks tend to grab both kinds of attention, so that's why in recent years we've seen DDoS botnets move to smart/IoT devices instead of focusing on infecting regular computers.

Spam is more lucrative, brings in less attention

On the other hand, spam is easier to deal with. You send a few messages, and then allow the infected computer to "cool down," so anti-spam filters won't pick up the victim's IP and add it to spam blacklist.

Necurs' authors have invested time and money into developing a professional, well-oiled cyber-crime machine. There is no reason to risk their steady revenue stream just for the sake of running a DDoS-for-hire service from which they have only to lose.

Mathematically, it makes no sense to destroy three revenue streams (Dridex, Locky, and rentable spamming service) just for the sake of creating and supporting a DDoS booter service.

Financially, this also doesn't make any much sense as the average price for a DDoS attack has been going down for years, according to this Dell report.

The DDoS feature looks like a test, not a for-profit option

All in all, this DDoS feature looks like a test which the Necurs crew forgot to remove from their module. The same opinion is shared by Andy Shoemaker, founder and CEO of NimbusDDoS, a vendor of DDOS simulation and testing services.

"I think the DDoS functionality may not be for direct financial benefit through extortion," he said. "The motivation could be different and the functionality reserved for lower risk scenarios, perhaps to attack other hackers."

"What doesn't seem to be in place is any mention of a mechanism to provide fine grained control of the attack," Shoemaker added. "A botnet for hire generally has logic to provide a certain volume of traffic from a subset of botnet nodes. With Necurs my understanding is that this is not in place. With that functionality missing it would be difficult to monetize the botnets DDoS capabilities."