After eight years of tracking and planning, Microsoft and its partners across 35 countries have now taken coordinated legal and technical steps to disrupt one of the world’s most prolific botnets, called Necurs, which has infected more than nine million computers globally. Necurs is believed to be operated by criminals based in Russia, Microsoft said on Tuesday.
This disruption will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyber-attacks.
A botnet is a network of computers that a cybercriminal has infected with malicious software, or malware.
Once infected, criminals can control those computers remotely and use them to commit crimes.
Microsoft’s Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012 and have seen it distribute several forms of malware, including the GameOver Zeus banking trojan.
The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world.
“During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims,” Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust wrote in a blog post.
Necurs has also been used for a wide range of crimes including pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams.
It has also been used to attack other computers on the Internet, steal credentials for online accounts, and steal people’s personal information and confidential data.
Interestingly, it seems the criminals behind Necurs sell or rent access to the infected computer devices to other cybercriminals as part of a botnet-for-hire service.
Necurs is also known for distributing financially targeted malware and ransomware, cryptomining, and even has a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.
On March 5, the US District Court for the Eastern District of New York issued an order enabling Microsoft to take control of US-based infrastructure Necurs uses to distribute malware and infect victim computers.
“With this legal action and through a collaborative effort involving public-private partnerships around the globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future,” Burt said.
This was accomplished by analysing a technique used by Necurs to systematically generate new domains through an algorithm.
“We were then able to accurately predict over six million unique domains that would be created in the next 25 months,” Burt said.
Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure.