SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Microsoft takes down malicious botnet after years of tracking
Fri, 13th Mar 2020
FYI, this story is more than a year old

Earlier this week, Microsoft, along with partners from 35 different countries took action to disrupt a notorious botnet which infected more than nine million computers across the world.

The botnet, called Necurs, gained control of the computers using malware and used them to commit crimes remotely.

Microsoft's Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012, when it was distributing a banking trojan named GameOver Zeus.

The action taken this week by Microsoft is the culmination of tracking and countermeasures in the eight years since its discovery.

Microsoft says the measures taken against Necurs will ensure criminals will no longer be able to use the network to execute cyber attacks.

The scope of Necurs

The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world.

Microsoft reports observing one Necurs-infected computer which sent a total of 3.8 million spam emails to over 40.6 million potential victims.

Necurs is believed to be operated by criminals based in Russia, where its functions have varied across the realm of cyber threats over the years.

According to Microsoft, it has been used for pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams.

It has also been used to steal credentials for online accounts, as well as people's personal information and confidential data. 


Necurs seems to have sparked a profitable business strategy, as reports have emerged indicating those behind the botnet sold and rented access to infected devices.

The botnet's versatility across functions was key to its success. Necurs distributed financially targeted malware and ransomware, had cryptomining capabilities, and even had a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.

Last week, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of the U.S.-based infrastructure which Necurs was using to infect victim computers.

This legal action led to this week's announcement from Microsoft that the botnet had been disrupted.

This was accomplished by analysing a technique used by Necurs to systematically generate new domains through an algorithm.

Microsoft was then able to accurately predict over six million unique domains that would be created in the next 25 months.

Microsoft reported these domains to their respective registries in countries around the world so the websites could be blocked and thus prevented from becoming part of the Necurs infrastructure.

Microsoft says it is also taking the additional step of partnering with Internet Service Providers (ISPs) domain registries, government CERTs and law enforcement around the world to further safeguard against Necurs' malware.

The company will be undertaking these collaborations in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among other countries.