After eight years of careful planning and surveillance, Microsoft launched an international operation against Necurs, the largest botnet in the world. The operation was officially announced in a blog post in which Tom Burt, Microsoft Vice President for Customer Security and Trust, said that "Microsoft and partners across 35 countries took coordinated legal and technical steps to disrupt one of the world's most prolific botnets, called Necurs."
Necurs was the highest-volume sender of spam in 2017 and 2018. It has bots in almost every country around the globe and is used as a multitool to spread malware, ransomware, and spam, and to facilitate crypto-mining operations. The network is often rented out as a botnet-for-hire service, which is quite alarming because, on top of everything else, Necurs has DDoS attack capabilities.
What is the Necurs Botnet?
The Necurs botnet is a network of computers infected with a modular malware threat, also known as Necurs. The botnet has been active since 2012 and is involved in various illegal activities, and is known primarily as a spam emitter. Microsoft linked the botnet to pump-and-dump stock scams, "Russian dating" scams, and fake pharmaceutical spam emails.
Valter Santos, a researcher at BitSight – a cybersecurity rating company that has monitored the botnet since 2016 and participated in the takedown operation – added that the botnet is also actively used as a dropper for destructive malware, including GameOver Zeus, the banking nightmare TrickBot Trojan, and Dridex.
Researchers believe that the hackers behind the botnet are located in Russia. Statistics, however, show that the majority of infected devices are located in India, Indonesia, Vietnam, Turkey, Mexico, and Iran.
Although the Necurs network was never completely monitored, BitSight calculated that the botnet infects around 50k systems daily when there are active C&C servers, and between 100k and 300k when there are not. Santos clarified that "the daily unique observations continue to be an underestimate of the true size of the botnet, but it still enables the ability to approximate those changes over time."
Burt added that during the investigation of the botnet, the researchers observed that in a 58-day period, one Necurs-infected computer sent 3.8 million spam emails to more than 40.6 million potential victims.
Necurs is a nefarious botnet that, in its prime, was "responsible for 90% of the malware spread by email worldwide," Santos said. Although this network is severely disrupted now, other botnets such as Emotet have already replaced it, the researcher warns. It is estimated that 2 million bots are waiting for commands that could arrive at any time.
Microsoft Breaks Necurs' Domain Generating Algorithm
On March 10, 2020, Microsoft took actions that broke Necurs' domain generation algorithm (DGA), the component that generates the pseudo-random domain names the botnet relies on. Researchers explain that Necurs operates by registering DGA-generated domains weeks, even months, in advance. These domains are later used to host the botnet's C&C servers that control the network of infected computers (bots).
According to Burt, the company was "able to accurately predict over six million unique domains that would be created in the next 25 months."
The breaking of the DGA allows Microsoft to predict and block any future Necurs C&C server domains, hindering the botnet's operations. Additionally, the company's legal team obtained a court order that grants Microsoft control over all existing Necurs domains that were hosted in the U.S.
Burt explained that "By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet."
The operation also allowed Microsoft to sinkhole the botnet and receive information about all infected bots in the network. Burt added that the company is now collaborating with ISPs and CERT specialists to notify affected users so that they can take action to remove the malware from their devices.
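As an added illustration (not code from the article, Microsoft, or BitSight), the block below uses a hypothetical, simplified hash-based DGA, not Necurs' actual algorithm, which the article does not describe, to show the defender's workflow the takedown relied on: compute every domain the algorithm will produce over a future window, treat that list as a sinkhole or DNS blocklist, and match it against DNS query logs to find infected hosts. The seed, TLD list, and log line format are assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed and TLD list for this illustrative DGA (not Necurs' own).
SEED = b"example-seed-not-necurs"
TLDS = ("com", "net", "biz")

def dga_domains(day: date, count: int = 4) -> list[str]:
    """Deterministically derive `count` candidate domains for one day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains

def predict_blocklist(start: date, days: int) -> set[str]:
    """Precompute every domain the DGA will yield over `days` days from `start`."""
    return {d for n in range(days) for d in dga_domains(start + timedelta(days=n))}

def flag_dns_queries(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) pairs whose queried name is a predicted C&C domain.
    Constructed log format: '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        _, client, qname = parts
        qname = qname.lower().rstrip(".")  # normalise case and trailing dot
        if qname in blocklist:
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    blocklist = predict_blocklist(date(2020, 3, 10), 30)
    # Constructed sample log: one query to a predicted domain, one benign query.
    sample = [
        f"2020-03-12T10:00:01 10.0.0.5 {dga_domains(date(2020, 3, 12))[0]}.",
        "2020-03-12T10:00:02 10.0.0.7 www.example.com",
    ]
    print(flag_dns_queries(sample, blocklist))  # one hit from 10.0.0.5
```

Because the generator is deterministic, the blocklist can be produced for any window up front, which is what lets a defender register, block, or sinkhole the domains before the operators do.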