Necurs is the largest botnet that managed to infect more than 9 million computers worldwide
Microsoft managed to take down an entire infrastructure of Necurs – the largest botnet in the world that was used by cybercriminals to distribute spam and infect computer users with malware across the globe. Eight years of persistent technical and legal operations from Microsoft and industry representatives from 35 different countries were required to reach the goal.
The final step in the investigation occurred on March 5, 2020, when Microsoft acquired permission from the U.S. District Court for the Eastern District of New York to take control over the Necurs infrastructure:
With this legal action and through a collaborative effort involving public-private partnerships around the globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future.
Necurs botnet was first spotted back in 2012 and is believed to be compiled by Russian cybercriminals. Over the years, the infrastructure was used by malicious actors to push a variety of threats, such as GameOver Zeus, Locky, ZeroAccess, Dridex and other malware. Finally, after infecting over 9 million machines and operating for eight years, Necurs botnet was taken down with the help of Microsoft and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, and other countries.
Microsoft and partners used the DGA component to stop the botnet
A botnet is essentially a network of computers that are infected with malware – cybercriminals use Command & Control servers to input commands and communicate with the hosts. C&C servers are hosted by domains that are created by botnet's domain generation algorithm – otherwise known as DGA.
Domain generation algorithm is a component that creates random domain names which are typically pre-registered by the operators months in advance. If DGAs are taken down, Command & Control servers can no longer be supported – this prevents Necurs botnet operators from sending commands to bots, consequently stopping the extensive distribution of booby-trapped spam.
And this is exactly what Microsoft and partners did – they broke down the DGA component, which caused major disruption of the Necurs botnet:
We were then able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.
The scale of Necurs botnet is immense
While this massive operation probably did not shut down Necurs for good, the disruption for the next 25 months is a major accomplishment. According to Tom Burt Microsoft's Corporate Vice President, victims of the botnet were traced to almost every country in the world – each of the infected computers sent out 3.8 million spam emails to 40.6 million victims over the 58 days alone. Countries with most infected users are India, Indonesia, Turkey, Vietnam, and Mexico, among others.
The botnet, which is believed to stem from Russia, is also used for purposes of hiring – various actors can rent access to the infected computer network. As a result, the botnet is used for a variety of malicious purposes, from distributing malware (ransomware, cryprominers, RATs, data-stealers, etc.), initiating DDoS attacks against pre-determined domains to disrupt their operations, as well as stealing confidential information from the hosts (banking data, login credentials).
Necurs is not the first large botnet that was shut down corporations and authorities. For example, the developers and operators of the notorious Mirai botnet were arrested and charged with several criminal offences in 2017 – later found guilty.