Microsoft leads take-down of Necurs botnet

The Necurs botnet is thought to be operated by cyber criminals based in Russia

Microsoft, in association with a number of international partners, has taken action to dismantle the Necurs botnet, which is believed to have infected over nine million computers across the world.

Necurs, also described as a 'dropper' botnet, is the network of machines that have at some point been infected by a Necurs malware module. The module runs on an infected system and uses its resources to carry out fraud schemes, such as sending out thousands of spam mails a day. The botnet also acts as a carrier for other malware, including Dridex, GameOver Zeus, Trickbot and Locky.

Necurs, which was first detected in 2012, is thought to be operated by cyber criminals based in Russia. Over the past eight years, the Necurs botnet has grown hugely to become one of the largest spam botnets in the world.

"Necurs is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world," said Tom Burt, Microsoft's corporate vice president for customer security and trust.

Burt disclosed that during a 58-day observation period in their investigation, the researchers noticed one Necurs-infected machine sending about 3.8 million spam mails to more than 40.6 million potential victims.

Microsoft says it was able to break down Necurs' domain generation algorithm (DGA), which malware operators use to generate pseudo-random domain names. The gang registers those domain names in advance and uses them to host command-and-control (C&C) servers, to which infected systems connect to receive new commands.

Microsoft says it was able to systematically predict nearly six million unique domains that were likely to be created by the Necurs scammers over the next 25 months.

Those domains were blocked by Microsoft and its partners, thereby preventing the Necurs operators from registering and using them to host their C&C servers.
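The pre-emptive blocking described above works because a DGA is deterministic: once a defender knows the algorithm and its seed, every domain it will produce for a future date can be computed and blocked or sinkholed before the operators register it. The following Python is an added illustration and is not Necurs' real DGA or any code from Microsoft: the seed, hash construction, TLD list and the four-domains-per-day rate are all assumptions chosen for the example, and the DNS log lines it scans are constructed.

```python
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

# Hypothetical DGA parameters (assumptions for this example, NOT Necurs' values).
TLDS = ["com", "net", "biz", "info"]
DOMAINS_PER_DAY = 4
SEED = b"example-seed"  # a real DGA embeds its own constant in the malware


def dga_domains(day: date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Return the candidate C&C domains the hypothetical DGA yields for one day.

    Each domain is derived from SEED, the date and an index, so the same date
    always produces the same list: that is what makes prediction possible.
    """
    out = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]                              # 12 hex chars as the label
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]   # TLD also picked from the digest
        out.append(f"{label}.{tld}")
    return out


def predict_domains(start: date, days: int) -> Set[str]:
    """Pre-compute every domain the DGA will produce over the next `days` days.

    A defender feeds this set to registrars (to block registration) and to
    DNS resolvers or sinkholes (to catch infected hosts calling home).
    """
    predicted: Set[str] = set()
    for offset in range(days):
        predicted.update(dga_domains(start + timedelta(days=offset)))
    return predicted


def scan_dns_log(lines: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, domain) for each query that hits a predicted domain.

    Assumed log format (constructed for the example):
        <timestamp> query <client-ip> <qname>.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[1] != "query":
            continue
        client, qname = parts[2], parts[3].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Constructed sample data: a 30-day blocklist and four resolver log lines,
# two of which query domains the DGA will generate on 5 and 9 March.
START = date(2020, 3, 5)
BLOCKLIST = predict_domains(START, 30)
SAMPLE_LOG = [
    f"2020-03-05T10:00:01Z query 10.0.0.7 {dga_domains(START)[1]}.",
    "2020-03-05T10:00:02Z query 10.0.0.8 www.microsoft.com.",
    f"2020-03-09T23:59:59Z query 10.0.0.7 {dga_domains(START + timedelta(days=4))[0]}.",
    "2020-03-09T23:59:59Z query 10.0.0.9 updates.example.org.",
]


def demo() -> List[Tuple[str, str]]:
    """Run the scan over the constructed log; returns the two flagged queries."""
    return scan_dns_log(SAMPLE_LOG, BLOCKLIST)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} queried predicted C&C domain {qname}")
```

The host 10.0.0.7 is flagged twice because it resolves predicted domains on different days, which is the pattern a sinkhole operator uses to enumerate infected machines for notification; the ordinary queries to microsoft.com and example.org pass untouched. Scaling this to the roughly six million domains mentioned in the article is only a matter of extending the day range and the per-day count.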

Furthermore, on 5th March, a judge in the Eastern District of New York allowed Microsoft to take control of Necurs domains that were being hosted in the US.

The software giant also worked with its partners across 35 countries to coordinate the Necurs takedown.

The authorities in those countries also blocked those domains to prevent them from being used in cyber attacks.

Microsoft and Bitsight estimate that nearly two million infected computers remain in the wild, which could be reactivated by the Necurs operators at any time.

Microsoft says it is working with various agencies, including internet service providers, government CERTs, cyber security firms, domain registries and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others, to take down the Necurs botnet.

"Each of us has a critical role to play in protecting customers and keeping the internet safe," the company added.