Microsoft has announced it has seized the U.S. command and control infrastructure of the Necurs botnet and has taken steps to prevent the infrastructure from being recreated.
The Necurs botnet is one of the largest spamming and malware distribution networks ever created. The botnet consists of more than 9 million zombie devices that have been infected with Necurs malware and are under the control of the botnet operators.
The botnet is used to distribute malware and ransomware, send huge volumes of spam email, and conduct attacks on other computers. It also has distributed denial of service (DDoS) capability, although that functionality has not yet been used.
The Necurs botnet was first detected in 2012 and is believed to be operated by the Russian hacking group Evil Corp. The botnet has been used to distribute malware such as Dridex and GameOver Zeus, and ransomware variants such as Locky. GameOver Zeus is believed to have resulted in losses in excess of $100 million.
The botnet was used to send a wide range of spam and phishing emails, notably spam emails pushing pharmaceutical products, Russian dating scams, and pump and dump stock scams. The scale of the spamming through the Necurs botnet is considerable. In 2017, emails spreading Locky and Dridex were being sent at a rate of more than 5 million an hour and the Necurs botnet was responsible for around 90% of email-based malware attacks between 2016 and 2019.
In a blog post announcing the takedown of the Necurs U.S. infrastructure, Microsoft said that during a 58-day observation period, one device infected with Necurs malware sent a total of 3.8 million spam emails to over 40.6 million potential victims.
The takedown was a coordinated effort between Microsoft and its partners in 35 countries. On March 5, 2020, Microsoft obtained a court order from the United States District Court for the Eastern District of New York to seize command and control domains hosted in the United States that were being used to communicate with infected machines and issue new commands.
Critical to the disruption was breaking the botnet’s domain generation algorithm (DGA), the deterministic routine that infected machines use to compute a rotating set of pseudo-random domain names at which they look for their command and control servers. Because the bots and the operators both run the same algorithm, anyone who recovers it can compute the same domains in advance. “We were then able to accurately predict over six million unique domains that would be created in the next 25 months,” said Tom Burt, Microsoft Vice President for Customer Security & Trust. “By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.”
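To make the mechanism concrete, the following is an added example written for this article, not Microsoft's code and not the real Necurs algorithm. It uses a hypothetical, deliberately simple time-seeded DGA (the seed, rotation period, domain count, TLD list and the DNS log lines are all invented for illustration) to show the two halves of what the text describes: a bot computing its rendezvous domains for the current period, and a defender who has recovered the algorithm pre-computing every domain for a future window so they can be registered or blocked ahead of the bots, and matching observed DNS lookups against that set.

```python
"""Illustrative domain generation algorithm (DGA) and defender-side prediction.

Hypothetical, simplified DGA written for this article. It is NOT the Necurs
algorithm and none of the constants below come from real malware. It shows
the mechanism the article describes: the malware and its operators share a
deterministic, time-seeded algorithm, so whoever recovers it can pre-compute
every rendezvous domain for a future window and register, block, or sinkhole
those names before the bots try to reach them.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Hypothetical parameters, chosen for this example only.
SEED = 0x5EEDBEEF           # shared constant baked into the (hypothetical) binary
PERIOD_DAYS = 4             # the domain set rotates every 4 days
DOMAINS_PER_PERIOD = 8      # names a bot tries within one period
TLDS = ("com", "net", "biz", "info")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def period_index(day: date) -> int:
    """Map a calendar date to the rotation period it falls in."""
    return day.toordinal() // PERIOD_DAYS


def generate_domains(period: int, seed: int = SEED) -> list[str]:
    """Bot side: the domains computed for one rotation period.

    Deterministic in (seed, period): every infected machine, and anyone who
    knows the algorithm, produces exactly the same list.
    """
    domains = []
    for i in range(DOMAINS_PER_PERIOD):
        # One hash per (seed, period, index) drives the label length, the
        # label characters and the TLD choice.
        digest = hashlib.sha256(f"{seed}:{period}:{i}".encode()).digest()
        length = 8 + digest[0] % 8                     # 8..15 characters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def predict_domains(start: date, end: date, seed: int = SEED) -> set[str]:
    """Defender side: every domain the bots will try between start and end
    (inclusive), i.e. the list to pre-register, block or sinkhole."""
    predicted: set[str] = set()
    for p in range(period_index(start), period_index(end) + 1):
        predicted.update(generate_domains(p, seed))
    return predicted


def flag_dga_lookups(dns_log: list[str], predicted: set[str]) -> list[str]:
    """Return queried names from a DNS log that fall in the predicted set.

    The log format "<timestamp> <client> <qname>" is constructed for this
    example; trailing dots and case are normalised before matching.
    """
    hits = []
    for line in dns_log:
        qname = line.split()[-1].rstrip(".").lower()
        if qname in predicted:
            hits.append(qname)
    return hits


if __name__ == "__main__":
    # Pre-compute roughly 25 months of domains from the (hypothetical) date
    # the algorithm was recovered.
    start = date(2020, 3, 5)
    window = predict_domains(start, start + timedelta(days=25 * 30))
    print(f"{len(window)} domains to pre-register or block")

    # Constructed DNS log: one benign lookup, one lookup of a DGA domain.
    sample = generate_domains(period_index(start))[0]
    log = [
        "2020-03-06T10:00:01 10.0.0.7 www.microsoft.com",
        f"2020-03-06T10:00:02 10.0.0.7 {sample}.",
    ]
    print("DGA lookups:", flag_dga_lookups(log, window))
```

The point of the example is the asymmetry it demonstrates: the operators gain nothing from the domains being unpredictable to outsiders once the algorithm itself leaks, because predictability for the bots is predictability for everyone. In the real takedown the recovered algorithm was Necurs' own, and the predicted list fed the court order and registrar blocks the article describes; here the toy DGA stands in for that step. The `flag_dga_lookups` check is the same idea applied on the detection side: with the predicted set in hand, a resolver or DNS log becomes a simple lookup table for infected hosts.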
Microsoft is working with internet service providers and CERT teams around the world to notify individuals whose devices have been infected with Necurs malware to ensure the malware is removed from their computers.