A new module that can be used to launch DDoS attacks has been added to Necurs, the world’s largest spam botnet. The news comes from security researchers who believe the capability was added almost six months ago. Although Necurs has yet to be attributed to a DDoS attack, if it did decide to use its bots for such an attack, the scale would be larger than anything we have seen before. Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB, commented below.
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB:
“When observing the common motivations for DDoS attacks, the Necurs Botnet having functioning DDoS modules does not make a great deal of sense. Being focused on generating phishing revenue for hackers via Trojan infections and ransomware, most cannot imagine why hackers would include a DDoS module on Necurs botnet infected machines. If the DDoS functionality was ever used, it would likely gain the attention of law enforcement officials, primarily due to its firepower capabilities. One possible motivation was to use the botnet to sell DDoS-for-Hire services, but that seems unlikely.
“Another possible motivation could be centered around a “going down in a blaze of glory” mentality. Many hackers understand that as law enforcement gets closer to shutting down their operations, many would like to cause as much havoc as possible before they’re completely taken offline. They do this as a last-ditch effort of gaining additional underground notoriety, while at the same time hoping to cover some of their tracks. Using this botnet for a massive DDoS attack could possibly accomplish both.”