Developers of the Necurs botnet malware have loaded it with a new component that gives it the capability to execute DDoS attacks, according to recent research from BitSight's Anubis Labs.
The malware was apparently modified in September 2016 with a DDoS facility and a new set of command-and-control communication functions, and now poses that threat from the more than one million Windows PCs on which it is installed.
Necurs is a collection of malware that provides attackers remote access and control of the system that the malware has been installed in.
It was first documented in 2014, and has since spread to PCs of multiple unsuspecting users across the planet through infected email attachments.
According to Trend Micro, the modular malware is installed as a secondary program by other downloader applications and is mainly used by marketers to broadcast spam email messages.
Other supported features include command-and-control communication and a domain generation algorithm.
Up until the September discovery, security researchers were mainly concerned about the malware delivering Locky ransomware to victims' PCs, but they now face a fresh and even tougher challenge thanks to the new addition.
A DDoS attack launched through a botnet the size of Necurs, it is believed, could cause tremendous damage, to the point of completely crippling certain internet services.
Once installed, the bot checks the system's external and internal IP addresses, measures the available bandwidth, and checks whether a Network Address Translation (NAT) service is active.
If NAT is not active, the malware loads a SOCKS/HTTP proxy service and accepts a command that lets the operators use the bot as a proxy, relaying connections through it.
That was the malware's behavior when its new capability was detected six months ago, according to security researcher Tiago Pereira.
Anubis Labs, he explains, noticed a Necurs-infected system communicating with a set of IP addresses on a port other than the usual port 80, through a different proxy.
When the researchers reverse engineered the Necurs sample, they found that a SOCKS/HTTP proxy module was handling its communication with the command-and-control server.
Among the commands the bot would accept from the C2, they discovered a new one instructing it to send UDP or HTTP requests to a target in an endless loop, behavior that amounts to a modern-day DDoS attack.
The Mirai botnet of late last year, albeit much smaller than Necurs, caused significant damage on Linux-running systems, and offers only a rough yardstick for what a Necurs attack would bring.
Anubis noted that Necurs is not exactly loaded with sophisticated features such as DDoS amplification, but its sheer size makes up for what it lacks.
“Given the size of the Necurs botnets, even the most basic techniques would produce a powerful attack,” wrote Pereira in a blog post about the malware.
That said, researchers have been keen to point out that the malware’s new addition hasn’t been used to execute an attack yet.
If it is, however, the attack will run in one of two modes depending on whether the message payload begins with the string "http:/" or not.
An HTTP Flood attack is initiated for payloads beginning with "http:/", whereas a UDP Flood is used for any other target.
The HTTP Flood mode starts 16 threads that send requests to the target in an endless loop.
The UDP Flood mode, on the other hand, repeatedly sends a random 128-1024 byte payload to the target, and ensures access to the bot is not lost in the middle of an attack by inserting a 0.1-second sleep, invoked depending on the available bandwidth.
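As an added illustration, not code from the BitSight/Anubis Labs report or from the malware itself, the following Python sketches how a defender might flag the two traffic patterns described above in per-flow network records. The Flow structure, the sample records and the rate thresholds are constructed assumptions; only the 128-1024 byte UDP payload range and the 16-connection figure are taken from the text.

```python
"""Heuristic detection of the two Necurs flood modes in flow records.

Added example, not code from the report. Flow layout, sample data and
the rate thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: float                 # seconds since start of capture (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                # "udp" or "tcp"
    payload_len: int          # application-layer bytes
    http_request: bool = False  # True if the TCP flow carried an HTTP request


UDP_MIN, UDP_MAX = 128, 1024  # payload range the report attributes to UDP flood mode
UDP_RATE = 100                # assumed: datagrams per second to one target
HTTP_RATE = 200               # assumed: HTTP requests per second to one target
HTTP_CONNS = 16               # report says 16 threads; assumed as minimum parallel connections


def _buckets(flows):
    """Group flows by (source, destination, one-second window)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, int(f.ts))].append(f)
    return groups


def detect_udp_flood(flows, min_rate=UDP_RATE):
    """Return (src, dst) pairs that sent a burst of 128-1024 byte UDP datagrams."""
    alerts = set()
    for (src, dst, _win), group in _buckets(flows).items():
        hits = [f for f in group
                if f.proto == "udp" and UDP_MIN <= f.payload_len <= UDP_MAX]
        if len(hits) >= min_rate:
            alerts.add((src, dst))
    return sorted(alerts)


def detect_http_flood(flows, min_rate=HTTP_RATE, min_conns=HTTP_CONNS):
    """Return (src, dst) pairs with a high request rate over many parallel connections."""
    alerts = set()
    for (src, dst, _win), group in _buckets(flows).items():
        reqs = [f for f in group if f.proto == "tcp" and f.http_request]
        conns = {f.sport for f in reqs}  # distinct source ports approximate connections
        if len(reqs) >= min_rate and len(conns) >= min_conns:
            alerts.add((src, dst))
    return sorted(alerts)


def sample_flows(seed=1):
    """Constructed capture: one benign host, one UDP-flooding host, one HTTP-flooding host."""
    rng = random.Random(seed)
    flows = []
    # Benign browsing: a few HTTPS requests and small DNS-sized UDP datagrams.
    for i in range(20):
        flows.append(Flow(0.05 * i, "10.0.0.5", 40000 + i, "93.184.216.34", 443, "tcp", 300, True))
    for i in range(30):
        flows.append(Flow(0.03 * i, "10.0.0.5", 50000 + i, "10.0.0.1", 53, "udp", 60))
    # UDP flood pattern: random 128-1024 byte payloads, hundreds per second, one target.
    for i in range(300):
        flows.append(Flow(0.003 * i, "10.0.0.7", 4444, "198.51.100.9", 80, "udp",
                          rng.randint(UDP_MIN, UDP_MAX)))
    # HTTP flood pattern: 16 parallel connections each hammering one target.
    for i in range(400):
        flows.append(Flow(0.0025 * i, "10.0.0.8", 30000 + i % 16, "203.0.113.20", 80,
                          "tcp", 200, True))
    return flows


if __name__ == "__main__":
    capture = sample_flows()
    print("UDP flood sources:", detect_udp_flood(capture))
    print("HTTP flood sources:", detect_http_flood(capture))
```

The benign host never trips either rule: its UDP datagrams fall below the 128-byte floor and its request rate is far under the threshold. Real deployments would tune the rates to the monitored link and would look at several consecutive windows rather than one.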
DDoS features are common in botnet malware, and Necurs' new facility shouldn't be regarded as groundbreaking in any way.
In fact, the notorious malware’s features, as stated earlier, are inferior to what some other documented botnets have offered.
Perhaps what sets Necurs apart from the rest, including the aforesaid Mirai, is its size and the damage it has the potential of causing in the event of an attack.
Right now, it remains anybody's guess exactly how devastating a Necurs DDoS attack would be and who the first victim will be.