Microsoft announced on Tuesday that it was in on the busting-up of Necurs: one of the world’s biggest, baddest, busiest botnets.
Some consider Necurs to be the largest botnet ever, with estimates from 2017 indicating that, at the time, it consisted of more than 6,000,000 infected computers. It’s metastasized in the last three years: Microsoft said that the malware has now infected more than nine million computers globally.
The majority of infected computers looked like they were in India, but almost every country in the world seemed to be affected. Necurs has been used to pump out multiple flavors of nastiness worldwide, with the notable exception of Russia: the malware deliberately avoided infecting computers set up to use a Russian keyboard.
Up until it temporarily went offline around December 2016, it was inflicting malware that included Locky ransomware. It got its wind knocked out for a few months, but when Necurs came back in March 2017, it started belching out a huge pump-and-dump scam.
In its blog post, Microsoft said that, along with partners, it’s been spending the past eight years tracking and planning to knock the knees off Necurs. Microsoft says that coordinated legal and technical steps to disrupt the network of zombified computers will…
…help to ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.
Microsoft says its Digital Crimes Unit, along with BitSight and others in the security community, first observed the Necurs botnet in 2012. Besides Locky and the pump-and-dump scam, Necurs has also been used by crooks to distribute the GameOver Zeus banking Trojan, fake pharmaceutical spam email and Russian dating scams.
Unsurprisingly, given that it’s tiptoed around computers using Russian keyboards in the past, Necurs is thought to be operated by Russian crooks. Besides the ransomware and the spam, the botnet has also been used as an attack dog, sent to jump on other computers on the internet and to steal credentials for online accounts, people’s personally identifiable information (PII), and other confidential data.
Microsoft says that Necurs’ operators also sell or rent access to their zombie computers to other crooks – what’s known as a botnet-for-hire service. The botnet has also been used to distribute financially targeted malware and cryptomining. It also has the capability of being used to launch a distributed denial of service (DDoS) attack. Its operators haven’t flipped the switch on that – yet. They could activate that capability at any time, Microsoft says.
Necurs has been a powerful force of yuck: Microsoft says that during one 58-day period, its staff watched as one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.
How did they castrate that bull?
The trick was to grab it by its algorithm. Microsoft says it’s been heading up activities that will keep the crooks behind Necurs from registering new domains to execute attacks in the future – a feat that was accomplished by analyzing how Necurs systematically generates new domains through an algorithm.
From its post:
We were then able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.
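As an added illustration, not Microsoft's code and not the real Necurs algorithm, the Python below uses a constructed, date-seeded toy DGA to show the defender's workflow the post describes: once the algorithm is known, enumerate the domains it will emit over a future window, hand that list to registries or a blocklist, and match resolver logs against it. The seed, the hashing scheme and the DNS log lines are all hypothetical.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA: a hypothetical stand-in, NOT the Necurs algorithm.
# It only needs to be deterministic from (seed, date) so a defender who
# knows it can enumerate every domain in advance and pre-register or block them.
TLDS = ("com", "net", "biz", "info")

def toy_dga(day: date, seed: int, count: int = 4) -> list:
    """Derive `count` domains for `day` from a static seed."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        # 12 lowercase letters from the first bytes; TLD chosen by the last byte.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains

def predict_domains(start: date, days: int, seed: int) -> set:
    """Enumerate every domain the DGA will produce from `start` for `days` days."""
    predicted = set()
    for offset in range(days):
        predicted.update(toy_dga(start + timedelta(days=offset), seed))
    return predicted

def flag_dga_lookups(dns_log: list, blocklist: set) -> list:
    """Return (client, qname) for log lines whose query name is a predicted domain."""
    hits = []
    for line in dns_log:
        _timestamp, client, qname = line.split()
        qname = qname.lower().rstrip(".")  # normalise case and trailing dot
        if qname in blocklist:
            hits.append((client, qname))
    return hits

DEMO_DAY = date(2020, 3, 10)
DEMO_SEED = 0x5EED  # hypothetical static seed
# Constructed resolver log (timestamp, client, query name): the second line
# resolves a domain the toy DGA emits for DEMO_DAY; the others are benign.
SAMPLE_LOG = [
    "2020-03-10T08:00:01 10.0.0.5 www.example.com.",
    f"2020-03-10T08:00:02 10.0.0.7 {toy_dga(DEMO_DAY, DEMO_SEED)[0]}.",
    "2020-03-10T08:00:03 10.0.0.5 mail.example.org.",
]

if __name__ == "__main__":
    blocklist = predict_domains(DEMO_DAY, 25 * 30, DEMO_SEED)  # roughly 25 months ahead
    print(f"{len(blocklist)} domains predicted; hits: {flag_dga_lookups(SAMPLE_LOG, blocklist)}")
```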
Microsoft also had help from the courts: on 5 March, the US District Court for the Eastern District of New York issued an order enabling the company to seize the US-based infrastructure Necurs uses to distribute malware and infect computers.
The next step is to partner with ISPs to scrub Necurs malware off of victimized computers: an effort that also involves law enforcement, government Computer Emergency Response Teams (CERTs) and other government agencies. Microsoft says it’s working with domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others.
Want to make sure you’re free of malware? Microsoft suggests you head over to its Safety Scanner: a tool that helps to remove malware from Windows systems. Sophos also has its free Virus Removal Tool, as well as free tools for protecting both Windows and Mac systems.
4 comments on “Necurs zombie botnet disrupted by Microsoft”
“Necurs has been a powerful force of yuck: Microsoft says that during one 58-day period, its staff watched as one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.”
Ummm… did they send less than a tenth of an email to each potential victim? Was that supposed to say 3.8 Billion?
I assume this means either that there were 3,800,000 SMTP connections with a total of 40,600,000 recipients (i.e. an average of just under 11 people BCCed on each message), or that there were 40,600,000 SMTP connections sending a total of 3,800,000 different spam messages (i.e. each spam text was repeated just under 11 times).
These figures are perfectly believable. More than 5 years ago, SophosLabs researchers observed 5,500,000 email connections from one infected computer in a one-week period. A total of 750,000 different message bodies were sent, totalling 30GBytes. 74% of these messages promoted pharmaceutical products using 3771 different URLs hosted on 58 different hacked servers; the other 26% contained one of 11 different strains of malware.
Thanks for the response. I actually remember that article, which is pretty impressive considering how little else I can remember these days! I have no trouble at all believing those stats. It was just my interpretation of what Lisa had written that was apparently incorrect.
I am extremely fortunate; I have one single personal email address that I have used exclusively for over 20 years. It’s provided by my ISP, and they do an absolutely incredible job of spam filtering. There is zero filtering at my client end, yet I receive, on average, less than one spam per day. Not impressed yet? Well, those are emails that end up in the junk mailbox on the ISP’s server, which I would never even see if I didn’t log in there via webmail to check them for any false positives – which I might see once or twice a year. And that’s about the same frequency that a spam email actually makes it to my inbox. No, I do not pay any extra fee for this aspect of their service, or pay a premium price to get it.
Point is, between my cautious approach to use of my email and the outstanding efforts of the ISP, it *IS* possible to keep things under control. Secondary point is that I’m definitely a true-blue loyal customer for these folks as a result.
Microsoft’s article said pretty much what Lisa reported – when I had re-re-read it a few times I couldn’t figure out if Microsoft meant 3.8m unique messages in 40.6m emails or 3.8m separate SMTP connections with 40.6m recipients. Then I figured those are [a] commensurate with our figures and [b] similar enough in volume and reach no matter which measurement is correct.