
Microsoft takes down malicious botnet after years of tracking

13 Mar 2020

Earlier this week, Microsoft, along with partners from 35 different countries, took action to disrupt a notorious botnet which infected more than nine million computers across the world.

The botnet, called Necurs, gained control of the computers using malware and used them to commit crimes remotely.

Microsoft’s Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012, when it was distributing a banking trojan named GameOver Zeus.

The action taken this week by Microsoft is the culmination of tracking and countermeasures in the eight years since its discovery.

Microsoft says the measures taken against Necurs will ensure criminals will no longer be able to use the network to execute cyber attacks.
The scope of Necurs

The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world.

Microsoft reports observing one Necurs-infected computer which sent a total of 3.8 million spam emails to over 40.6 million potential victims.

Necurs is believed to be operated by criminals based in Russia, and its functions have varied across the realm of cyber threats over the years.

According to Microsoft, it has been used for pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams.

It has also been used to steal credentials for online accounts, as well as people’s personal information and confidential data.

Botnet-as-a-service

Necurs seems to have sparked a profitable business strategy, as reports have emerged indicating those behind the botnet sold and rented access to infected devices.

The botnet’s versatility across functions was key to its success. Necurs distributed financially targeted malware and ransomware, had cryptomining capabilities, and even had a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.

Last week, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of the U.S.-based infrastructure which Necurs was using to infect victim computers.

This legal action led to this week’s announcement from Microsoft that the botnet had been disrupted.

This was accomplished by analysing the domain-generation algorithm Necurs used to systematically produce new command-and-control domains.

Microsoft was then able to accurately predict over six million unique domains that the algorithm would create in the next 25 months.

Microsoft reported these domains to their respective registries in countries around the world so the websites could be blocked and thus prevented from becoming part of the Necurs infrastructure.
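The defensive technique described above, pre-computing a domain-generation algorithm's future output and turning it into a blocklist, can be illustrated with a small worked example. The code below is added here and is not Microsoft's or the article's own; the article does not describe the Necurs algorithm, so `toy_dga` is a constructed, date-seeded stand-in, and the resolver log lines, seed, TLD list and IP addresses are all constructed sample data. The same two steps apply to any deterministic DGA once its algorithm and seed are known: enumerate the window ahead of time, then match observed DNS queries against the result.

```python
"""Toy DGA pre-computation and DNS-log matching (constructed example, not Necurs)."""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed TLD list for the toy generator; not a real botnet's configuration.
TLDS = ["com", "net", "biz"]


def toy_dga(day: date, seed: str = "example-seed", count: int = 4) -> list[str]:
    """Constructed, date-seeded generator standing in for a real DGA.

    Each (seed, day, index) tuple is hashed; the digest is mapped to a
    12-letter label plus a TLD. Both sides (operator and defender) who know
    the seed can reproduce exactly the same list for any day.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute(start: date, days: int, **kw) -> set[str]:
    """Defender step 1: enumerate every domain the algorithm will produce in
    the window, so they can be reported to registries or blocked before the
    botnet ever registers them."""
    predicted: set[str] = set()
    for offset in range(days):
        predicted.update(toy_dga(start + timedelta(days=offset), **kw))
    return predicted


def flag_queries(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Defender step 2: match queried names in resolver log lines against the
    pre-computed set. Expected line format (constructed): 'timestamp client qname qtype'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the pass
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Constructed 30-day window starting on the article's date.
START = date(2020, 3, 13)
BLOCKLIST = precompute(START, days=30)

# Constructed resolver log: two benign lookups and two toy-DGA lookups.
SAMPLE_LOG = [
    "2020-03-13T10:00:01 10.0.0.5 www.example.com. A",
    f"2020-03-13T10:00:02 10.0.0.7 {toy_dga(START)[0]}. A",
    f"2020-03-14T08:15:09 10.0.0.5 {toy_dga(START + timedelta(days=1))[2]}. A",
    "2020-03-14T08:15:10 10.0.0.9 updates.example.net. AAAA",
]

if __name__ == "__main__":
    print(f"pre-computed {len(BLOCKLIST)} domains for {START} + 30 days")
    for client, name in flag_queries(SAMPLE_LOG, BLOCKLIST):
        print(f"ALERT client={client} queried predicted DGA domain {name}")
```

The size of the pre-computed set grows linearly with the window and the per-day count, which is why a real prediction such as the six million domains mentioned above is large but entirely tractable once the algorithm has been reverse-engineered.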

Microsoft says it is also taking the additional step of partnering with Internet Service Providers (ISPs), domain registries, government CERTs and law enforcement around the world to further safeguard against Necurs’ malware.

The company will be undertaking these collaborations in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among other countries.
