Microsoft and partners across 35 countries took coordinated legal and technical steps to disrupt one of the world’s most prolific botnets, called Necurs, which had infected more than 9 million computers worldwide. This disruption is the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.
The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. The breakdown by country for the first seven days of March 2020 showed 13.59% of the distinct infected IP addresses coming from India alone. India is also home to one of the largest numbers of super-nodes, the P2P (peer-to-peer) communication channels that cybercriminals create to keep the botnet running even when law enforcement, network operators and researchers take down parts of its infrastructure.
Microsoft’s Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012, and Microsoft has since collaborated with law enforcement agencies, the government and Internet Service Providers (ISPs) to rid computers of malware associated with the Necurs botnet. In India, the Microsoft Digital Crimes Unit partnered with the Computer Emergency Response Team (CERT-IN) and National Internet Exchange of India (NIXI) to disrupt cyberattacks led by the botnet. This effort prevented the criminals behind Necurs from registering new domains to execute attacks in the future in India.
Tom Burt – CVP, Customer Security & Trust, Microsoft, shares details about Microsoft’s coordinated efforts to disrupt the botnet, while also revealing how the system operated and its potential to affect more than 40.6 million victims across the world.
Necurs is believed to be operated by criminals based in Russia and has also been used for a wide range of crimes including pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams. It has also been used to attack other computers on the internet, steal credentials for online accounts, and steal people’s personal information and confidential data. Interestingly, it seems the criminals behind Necurs sell or rent access to the infected computer devices to other cybercriminals as part of a botnet-for-hire service.
Necurs is also known for distributing financially targeted malware and ransomware, cryptomining, and even has a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.
On Thursday, March 5, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers. With this legal action and through a collaborative effort involving public-private partnerships around the globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future.