
Necurs: World’s Largest Botnet

January 27, 2018 by Security Ninja

This article examines what is touted to be the world's largest botnet, known as "Necurs," focusing on the following:

  1. How Necurs stands out from other botnets;
  2. The well-known infections and malware families that have used Necurs;
  3. How this botnet has become the first choice for cyber attackers.

The first occurrence of Necurs was observed in 2012. At that time, it was essentially a network of compromised systems that sent spam emails with malicious attachments to a large number of recipients.


The malicious attachments ranged from various forms of Trojan horses to ransomware. Today, Necurs is reinventing itself by supporting other variants of malware.

To bring a victim computer into the Necurs botnet, it is first infected with a rootkit. As soon as it becomes part of Necurs, the victim computer is then used, via various commands, to infect other devices with newer and more powerful forms of malware.

It is important to note that Necurs is also a P2P botnet, which means that it can communicate with other infected bots and share a list of server IP addresses with them as well. Necurs also makes use of Domain Generation Algorithms (DGAs) to carry out its attacks.

Necurs has a modular architecture, which means that it can perform the initial infection and, from there, add further malware. This is what has made Necurs stealthy and covert.

Below are the main modules of Necurs:

  • The Spam Module:

    This is the main module of Necurs. It is used to conduct malicious attacks against target computers. Necurs has been deployed from this module in several ways; one of the most famous delivery mechanisms is that of the Locky ransomware.

  • Proxy Module:

    This module adds traffic redirection through the HTTPS and SOCKS network protocols.

  • DDoS Module:

    This module was added in February 2017. It allows every bot to conduct a DDoS attack on any selected target. At the present time, no DDoS attack has been conducted by Necurs, but if one were to occur, it would have a significant impact worldwide.

Below is a summary of the roles which have been undertaken by Necurs since its inception:

Necurs was initiated by creating a peer-to-peer network using the .bit domain extension. This gave the evolving botnet the advantage of evading detection and of being part of a decentralized DNS system. In 2013, Necurs leveraged the Upatre loader to create the initial infection and then used the Gameover Zeus loader for subsequent attacks. Eventually, these were neutralized by the security community; before that happened, however, Necurs also became associated with ransomware such as CryptoLocker. In 2015, Necurs continued delivering various forms of ransomware, one prime example being CryptoWall. In 2016, Necurs initiated various spam campaigns launched by some of the significant cyber attacker groups, such as TeslaCrypt, NeverQuest, and Dridex. During this timeframe, Necurs also started to distribute the Locky ransomware. It is believed that Necurs is still present on over 50,000 machines. In March 2017, Necurs launched a "pump and dump" financial scam involving very low-valued stocks; the result was that the trading volume for these stocks went much higher than normal.

The latest Necurs infection exploits the DDE vulnerability to deliver the Locky ransomware. The infection proceeds in three stages:

  1. The victim computer receives a "malspam" email from the Necurs botnet. It contains an infected .DOC attachment that exploits DDE.
  2. After the attachment executes, the first-stage malware is downloaded. This stage consists of HTTP requests whose responses return the URL of the malware.
  3. The first-stage malware then sends two HTTP POST requests to download the Locky binary that makes up the ransomware.
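The first stage above hinges on a DDE field inside the attachment, which is something a mail gateway can look for before the document ever reaches a user. As an added example that is not from the original article, the following Python scans the field instructions of an OOXML (.docx) file for DDE/DDEAUTO, reassembling instructions that Word splits across several instrText runs; it assumes OOXML attachments (the legacy binary .DOC container named in the text is not parsed), and the document it builds is constructed for the demonstration, not a real Necurs attachment.

```python
import html
import io
import re
import zipfile

# A complex field runs from fldCharType="begin" to "separate"/"end"; its instruction is in instrText runs.
FIELD = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="begin"[^>]*/>(.*?)'
    r'<w:fldChar[^>]*w:fldCharType="(?:separate|end)"', re.DOTALL)
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')   # single-element field form
DDE = re.compile(r"^\s*DDE(?:AUTO)?\b", re.IGNORECASE)

def field_instructions(xml):
    """All field instruction strings in one OOXML part, whitespace-normalised."""
    out = []
    for body in FIELD.findall(xml):
        text = "".join(html.unescape(t) for t in INSTR_TEXT.findall(body))  # rejoin split runs
        out.append(" ".join(text.split()))
    out += [" ".join(html.unescape(i).split()) for i in FLD_SIMPLE.findall(xml)]
    return out

def dde_fields(docx_bytes):
    """Return the DDE/DDEAUTO field instructions found in any word/*.xml part of a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", errors="replace")
                hits += [i for i in field_instructions(xml) if DDE.match(i)]
    return hits

def build_sample_docx(with_dde=True):
    """Constructed minimal .docx (not a real sample); the instruction is split over two runs."""
    instr = "DDEAUTO example_app &quot;example args&quot;" if with_dde else "PAGE"
    a, b = instr[:12], instr[12:]   # mimic Word splitting one instruction across runs
    doc = ('<w:document><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'<w:r><w:instrText xml:space="preserve"> {a}</w:instrText></w:r>'
           f'<w:r><w:instrText xml:space="preserve">{b} </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:t>1</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```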

Necurs has resiliency built into it, and the following are its characteristics:

  • Necurs possesses a modular architecture and includes a kernel-mode rootkit. As a result, it is difficult to remove, and it allows Necurs to disable security software features on the end host.
  • Necurs currently uses 2 sets of DGAs. These are used to generate 2048 domains covering 48 different TLDs.
  • Necurs also has anti-analysis techniques. For example, it can detect whether it is executing inside a virtual environment: once the binary is established, it uses the DGA to generate 4 random domains and attempts to resolve them. If they resolve (which random, unregistered domains would not on a real network), it concludes that it is indeed inside a virtual environment.
  • All the malicious payloads transferred by Necurs are encrypted and in binary form, making them difficult to detect.
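The DGA churn and the sandbox probe described above leave a footprint in resolver logs: one host issuing many failed lookups of random-looking names spread across many TLDs. As an added example that is not from the original article, the following Python flags such clients in a constructed DNS log; the entropy and count thresholds are assumptions to tune per environment, not values taken from Necurs.

```python
import math
from collections import defaultdict

# Constructed DNS resolver log (not real Necurs traffic): client, queried name, response code.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 qzkvwrtplmxcsh.biz NXDOMAIN
10.0.0.9 xjfhqpwlmzcbvt.info NXDOMAIN
10.0.0.9 kmwrzplqvxcthb.tv NXDOMAIN
10.0.0.9 plzmxcqvwrtkhb.ru NXDOMAIN
10.0.0.9 vbxcmzqwlprtkh.su NXDOMAIN
10.0.0.9 tzqwlxvbmcprkh.sx NXDOMAIN
10.0.0.9 www.example.com NOERROR
"""

def entropy(label):
    """Shannon entropy (bits per character) of a DNS label; random labels score high."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    client, name, rcode = line.split()
    return client, name.lower().rstrip("."), rcode.upper()

def flag_dga_clients(log_text, min_nx=4, min_tlds=3, min_entropy=3.0):
    """Clients whose failed lookups look algorithmically generated: many distinct
    high-entropy second-level labels returning NXDOMAIN, spread across several TLDs."""
    nx_labels, nx_tlds = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, name, rcode = parse_line(line)
        parts = name.split(".")
        if rcode != "NXDOMAIN" or len(parts) < 2:
            continue
        label, tld = parts[-2], parts[-1]
        if entropy(label) >= min_entropy:      # short or repetitive labels are ignored
            nx_labels[client].add(label)
            nx_tlds[client].add(tld)
    return {c: {"nxdomains": len(labels), "tlds": sorted(nx_tlds[c])}
            for c, labels in nx_labels.items()
            if len(labels) >= min_nx and len(nx_tlds[c]) >= min_tlds}

if __name__ == "__main__":
    for client, stats in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, stats)
```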

Finally, Necurs is the catalyst behind many of the cyber-attacks that take place. The result, for businesses and corporations, is lost revenue and lost customers. Further, Necurs is expected to become much more sophisticated, and thus to be the tool of choice for future cybercrime, especially where ransomware is involved.
