sb-nz logo
Story image

Microsoft takes down malicious botnet after years of tracking

13 Mar 2020

Earlier this week, Microsoft, along with partners from 35 different countries took action to disrupt a notorious botnet which infected more than nine million computers across the world.

The botnet, called Necurs, gained control of the computers using malware and used them to commit crimes remotely.

Microsoft’s Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012, when it was distributing a banking trojan named GameOver Zeus.

The action taken this week by Microsoft is the culmination of tracking and countermeasures in the eight years since its discovery.

Microsoft says the measures taken against Necurs will ensure criminals will no longer be able to use the network to execute cyber attacks.

The scope of Necurs

The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. 

Microsoft reports observing one Necurs-infected computer which sent a total of 3.8 million spam emails to over 40.6 million potential victims.

Necurs is believed to be operated by criminals based in Russia, where its functions have varied across the realm of cyber threats over the years. 

According to Microsoft, it has been used for pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams. 

It has also been used to steal credentials for online accounts, as well as people’s personal information and confidential data. 


Necurs seems to have sparked a profitable business strategy, as reports have emerged indicating those behind the botnet sold and rented access to infected devices.

The botnet’s versatility across functions was key to its success. Necurs distributed financially targeted malware and ransomware, had cryptomining capabilities, and even had a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.

Last week, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of the U.S.-based infrastructure which Necurs was using to infect victim computers. 

This legal action led to this week’s announcement from Microsoft that the botnet had been disrupted.

This was accomplished by analysing a technique used by Necurs to systematically generate new domains through an algorithm. 

Microsoft was then able to accurately predict over six million unique domains that would be created in the next 25 months. 

Microsoft reported these domains to their respective registries in countries around the world so the websites could be blocked and thus prevented from becoming part of the Necurs infrastructure. 

Microsoft says it is also taking the additional step of partnering with Internet Service Providers (ISPs) domain registries, government CERTs and law enforcement around the world to further safeguard against Necurs’ malware.

The company will be undertaking these collaborations in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among other countries.

Story image
Network intelligence is stopping a wave of DDoS misdiagnosis
Security teams already know the value of a layered defence; it’s time to add more layers, writes ThousandEyes principal solutions analyst Mike Hicks.More
Story image
OkCupid website and app found to have significant security flaws
The popular online dating service has been found to have several vulnerabilities which, if exploited, could put the private data of users in danger of being stolen.More
Link image
Driving cloud cost efficiency with performance monitoring
Cloud infrastructure sprawl sneaks up on organisations through a series of individual decisions that in aggregate become inefficient. Thomas Dittmer shares how performance monitoring helped TravelSupermarket reduce cloud costs by 50%More
Story image
Huawei introduces all-flash OceanStor Dorado arrays
All-flash offers stability and high-performance storage with extremely low levels of latency – and it can offer reliability in the event of a disaster.More
Download image
Why there's a huge push for NFV in today's enterprises
To help networking and IT professionals better understand the opportunities and challenges associated with deploying NFV technology, new research based on responses from more than 1,300 IT and networking professionals from around the world is now available. More
Story image
Gallagher fortifies cybersecurity reporting as NZ's first CVE Numbering Authority
"The CVE Program looks forward to partnering with Gallagher going forward as we collectively maintain our commitment to improving security."More