Microsoft orchestrates coordinated takedown of Necurs botnet

March 10, 2020

Special feature

Special report: A winning strategy for cybersecurity (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.

Microsoft announced today a coordinated takedown of Necurs, one of the largest spam and malware botnets known to date, believed to have infected more than nine million computers worldwide.

The takedown effort came after Microsoft and industry partners broke the Necurs DGA — the botnet’s domain generation algorithm, the component that generates random domain names.

Necurs authors register DGA-generated domains weeks or months in advance and host the botnet’s command-and-control (CC) servers, where bots (infected computers) connect to receive new commands.

“We were then able to accurately predict over six million unique domains that would be created in the next 25 months,” said today Tom Burt, Microsoft Vice President for Customer Security Trust.

Breaking the DGA allowed Microsoft and its industry partners to create a comprehensive list of future Necurs CC server domains that they can now block and prevent the Necurs team from registering.

Furthermore, Microsoft’s legal team also intervened and obtained a court order last week, on March 5, granting Microsoft control over existing Necurs domains that were being hosted in the US.

“By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet,” Burt said.

Coordinated effort across 35 countries

The OS maker said it worked with cybersecurity firms, internet service providers, domain registries, government CERTs, and law enforcement across 35 countries to coordinate the Necurs takedown, making this one of the biggest coordinated takedowns that have ever taken place.

After Microsoft has taken control of existing Necurs infrastructure, the company and its industry partners have been able to sinkhole the botnet and receive information about all the bots located across the world.

As a final step part of this effort, Microsoft says it’s now working with ISPs and CERT teams to notify users who have been infected so that they can remove the malware from their computers.

One of the largest spam botnets ever created

Historically, the Necurs botnet first appeared in 2012 and became one of the largest spam botnets known to date. The botnet is the collection of all computers that have been infected by a malware module named Necurs. The Necurs spam module runs on a user’s computers and uses its resources to send out massive amounts of spam email on a daily basis.

According to Microsoft, during a recent 58-day investigation, its engineers tracked one single Necurs-infected computer sending out more than 3.8 million emails to more than 40.6 million victims.

The emails usually carry malware-laced attachments, but the Necurs is also used to spread pump-and-dump stock scams, fake pharmaceutical spam email and “Russian bride” dating scams.

The botnet is believed to be managed by the creators of the Dridex banking trojan, known as Evil Corp, charged last year by US authorities.

But while Necurs has spewed out a lot of Dridex-infected spam emails, the botnet has also often rented its services to many other criminal gangs, carrying a wide assortment of other malware strains, including ransomware, remote access trojans, and information-stealing trojans.