Microsoft And Others Takedown Botnet Necurs


One of the world’s largest botnets, responsible for multiple scams and for infecting over nine million computers, has been taken down

Microsoft has revealed it was part of a team that has taken down Necurs, one of the world’s largest and best-known botnets, which has been active since 2012.

In 2017, for example, Necurs was found to be behind a pump-and-dump campaign that tried to persuade victims to buy shares in an obscure stock by advertising a ‘once-in-a-lifetime’ opportunity.

Over the years Necurs had infected over nine million computers around the world and the network was responsible for a number of crimes including stealing personal information and sending fake pharmaceutical emails.

Prolific botnet

Microsoft, it should be remembered, has been an active player in taking down multiple botnets over the years, disrupting the criminal gangs who use botnets to remotely take over internet-connected devices and install malicious software.

Infected computers can then typically be used to send spam to or attack other computers, to collect information about what the infected computer is used for, or even to delete information.

Microsoft revealed the takedown in a blog post by Tom Burt, Microsoft’s vice-president for customer security and trust.

“Today, Microsoft and partners across 35 countries took coordinated legal and technical steps to disrupt one of the world’s most prolific botnets, called Necurs,” wrote Burt. “This disruption is the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.”

Microsoft’s Digital Crimes Unit, BitSight and others in the security community said that since its arrival in 2012, the botnet has distributed several forms of malware, including the GameOver Zeus banking trojan.

“The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world,” wrote Burt. “Necurs is believed to be operated by criminals based in Russia and has also been used for a wide range of crimes including pump-and-dump stock scams, fake pharmaceutical spam email and ‘Russian dating’ scams.”

“It has also been used to attack other computers on the internet, steal credentials for online accounts, and steal people’s personal information and confidential data,” wrote Burt. “Interestingly, it seems the criminals behind Necurs sell or rent access to the infected computer devices to other cybercriminals as part of a botnet-for-hire service.”

He noted that Necurs is also known for distributing financially targeted malware, ransomware and cryptominers, and that it has a DDoS (distributed denial of service) capability that has not yet been activated.

Botnet takedown

According to Burt, on 5 March the US District Court for the Eastern District of New York issued an order enabling Microsoft to take control of US-based infrastructure Necurs used.

Action was also taken in other parts of the world.

“With this legal action and through a collaborative effort involving public-private partnerships around the globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future,” wrote Burt.

He said that Microsoft had analysed the technique Necurs uses to systematically generate new command-and-control domains through an algorithm (a domain generation algorithm, or DGA), and had then accurately predicted over six million unique domains that the botnet would create over the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so that they can be blocked and thus prevented from becoming part of the Necurs infrastructure.
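To illustrate why reversing a DGA lets defenders get ahead of a botnet, here is an added toy example (not Necurs code, and not Microsoft’s tooling; the real Necurs algorithm, its seed, period and domain counts differ and are not reproduced here). The seed, epoch, period length, domain count per period and TLD list are all hypothetical constants chosen for illustration. The bot side derives a short list of domains from the current date; the defender side, knowing the same algorithm, enumerates every domain for a future window so registries can block or sinkhole them before any bot tries to resolve them.

```python
"""Toy domain generation algorithm (DGA) with a defender-side predictor.

Added illustration only: this is NOT the Necurs DGA. It shows the general
pattern (deterministic function of a shared seed and the calendar) that makes
future C2 domains predictable once the algorithm has been reverse-engineered.
"""
import hashlib
from datetime import date, timedelta

# Hypothetical constants for the toy DGA (not Necurs values).
SEED = 0xC0FFEE            # embedded in the malware; known to defenders after reversing
PERIOD_DAYS = 4            # one new domain list every 4 days
DOMAINS_PER_PERIOD = 8     # the bot tries these in order until one resolves
TLDS = ("com", "net", "biz", "info")
EPOCH = date(2020, 1, 1)   # hypothetical epoch from which periods are counted


def period_index(day: date) -> int:
    """Map a calendar day to its DGA period number."""
    return (day - EPOCH).days // PERIOD_DAYS


def domains_for_period(period: int) -> list[str]:
    """Deterministically derive the domain list for one period.

    Each domain comes from SHA-256 over (seed, period, slot): the digest bytes
    choose the label length, the label letters and the TLD. Identical inputs
    always yield identical domains, which is exactly what a predictor exploits.
    """
    out = []
    for slot in range(DOMAINS_PER_PERIOD):
        digest = hashlib.sha256(f"{SEED}:{period}:{slot}".encode()).digest()
        length = 8 + digest[0] % 8                              # label length 8..15
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def bot_candidates(today: date) -> list[str]:
    """Bot view: the domains an infected host would try on a given day."""
    return domains_for_period(period_index(today))


def predict_domains(start: date, months: int) -> set[str]:
    """Defender view: enumerate every domain the DGA will produce from `start`
    for the next `months` months (approximated as 30-day months). The result
    is the blocklist handed to registries or used to sinkhole the names."""
    end = start + timedelta(days=30 * months)
    predicted: set[str] = set()
    for period in range(period_index(start), period_index(end) + 1):
        predicted.update(domains_for_period(period))
    return predicted


if __name__ == "__main__":
    start = date(2020, 3, 5)
    blocklist = predict_domains(start, 25)
    print(f"{len(blocklist)} domains predicted over 25 months")
    later = start + timedelta(days=400)
    tries = bot_candidates(later)
    print(f"bot on {later} would try {tries[:3]} ...")
    print("all covered by blocklist:", all(d in blocklist for d in tries))
```

The point the toy makes is structural rather than cryptographic: because every bot must agree with its operators on which names to use, the algorithm cannot be truly random, and whoever holds the seed and the clock can run it forward. The real defensive work is then legal and operational (getting registries in many countries to act on the list), which is what the article describes.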

“By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet,” he said.

Microsoft is also working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others.

Possible return?

The takedown was welcomed by one security expert, but he warned the botnet could return.

“The Necurs botnet has been active for many years, undertaking spam campaigns and malware delivery, most notably Locky and Dridex ransomware,” said Carl Wearn, head of E-crime at Mimecast.

“Although this is welcome news, the scale of the malicious botnet issue is highlighted by the sheer numbers of compromised machines involved,” said Wearn. “This is one of many botnets in operation and recent months have seen the resurgence of the Emotet-related botnet. Emotet’s command servers were disrupted last May and it resumed operation in September. I would therefore expect the disruption to the Necurs botnet to impact their operation for a similar amount of time, likely giving some much-needed respite to organisations the world over.”

“Taking one net down is a hugely intensive effort in itself, often for limited temporal respite until threat actors modify their approach or alter their infrastructure,” said Wearn.

“The real takeaway has to be that general standards of cyber-security and hygiene overall, particularly in relation to IoT, are clearly currently inadequate,” he said. “So much so that botnets of millions of machines can successfully operate daily over many years.”

“Until a concerted and coordinated global effort to secure all users and infrastructure is undertaken to a common agreed minimum standard, new and resurrected botnets will continue to proliferate and plague users and organisations with spam email and malware,” said Wearn. “Prevention is clearly better than a cure, as Necurs and Emotet, as only two examples, have operated with relative impunity for years.”
