Microsoft leads takedown of Necurs botnet

Microsoft announced a major victory against the Necurs botnet on Tuesday, which was first detected in 2012 and is now believed to be responsible for infecting more than 9 million computers globally.

A coordinated takedown, led by Microsoft and including partners across 35 countries, took legal and technical steps to disrupt the Necurs botnet. The takedown operation saw success on March 5 when the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to "take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers."

Now, the corporation is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future, according to a blog post by Tom Burt, corporate vice President of Customer Security and Trust at Microsoft.

"This was accomplished by analyzing a technique used by Necurs to systematically generate new domains through an algorithm. We were then able to accurately predict over six million unique domains that would be created in the next 25 months," Burt wrote. "Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked."

Capable of distributing malware and infecting victims' computers, the main functions of the Necurs botnet have been as a spambot, a delivery mechanism for ransomware, financial malware and for running pump-and-dump stock scams, according to a blog post by cyber security and risk company BitSight.

"From 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals and was responsible for 90% of the malware spread by email worldwide," BitSight security researcher Valter Santos wrote in the blog post.

BitSight, which has been investigating Necurs since 2016, began working with Microsoft's Digital Crimes Unit in 2017. Together, they analyzed the communication methods and infrastructure behind the botnet. BitSight also studied the systems infected by the botnet to get a better idea of how it worked and how it compromised different organizations.

"We rely on externally available data. We don't go on site or anything like that, and one of the data sets that allows us to produce these reports and ultimately a rating for each company is the comprised systems' data," Dan Dahlberg, head of security research at BitSight, said. "One thing we do a lot of active research around is how diverse and big these different botnets are and these malware families, so our research is often targeted to understand who all the victims around the world are. What we want to know is do we see these different infections showing up at different companies or organizations, because if they do, they can speak to the security controls and practices of those companies."

Getting different organizations, registries and internet service providers to take action was a main challenge in taking down the botnet, Dahlberg said. Another challenge: there are still an estimated 2 million computers infected with Necurs.

"Turbo systems are fully remediated, so this should help," Dahlberg said. "But this is a platform that could be used to install other malware families. If an actor wanted to turn around and allow someone to sell Trickbot and if there's an active actor behind Trickbot, that could cause destruction or other malicious activity on that machine."

But after eight years of tracking and planning, a giant step has been with this disruption to what Microsoft calls "the world's largest criminal network."

It will help to ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks, according to Microsoft. And that's a critical step in botnet takedowns, according to Dahlberg.

"Necurs actually had a few different ways it could talk to the actors behind it," he said. "The operation was striving to disrupt the actor, not to completely wipe it away. We certainly made a disruption today."