Microsoft, working with other security companies and law enforcement agencies, has disrupted the operations of the venerable and pernicious Necurs botnet through a series of actions, including domain takeovers and taking control of some of the command-and-control infrastructure.
Necurs is one of the more prolific spam and malware-distribution botnets active right now and it has been known to deliver a wide range of malicious software, including the GameOver Zeus trojan, Dridex, Trickbot, and some ransomware strains. At some points in the last few years, Necurs was delivering as much as 90 percent of the malware sent through email around the globe. The botnet has been active since at least 2012 and security researchers have been tracking its evolution ever since.
Microsoft’s Digital Crimes Unit has followed Necurs’s activity closely as it has affected many of the company’s customers, and on March 5 the company got a federal court order allowing it to assume control of the C2 infrastructure based in the United States. That will help stop the distribution of spam and malware to new victims and prevent infected machines from receiving new instructions or exfiltrating data. But it also prevents the Necurs operators from using their unique algorithm to generate and register new domains to prop the botnet back up. Many botnets use a domain generation algorithm to generate new domain names on a continual basis in order to stay ahead of researchers and law enforcement, but Microsoft researchers were able to figure out the specific method the Necurs operators were using.
“This was accomplished by analyzing a technique used by Necurs to systematically generate new domains through an algorithm. We were then able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said in a post detailing the operation.
“Microsoft is also taking the additional step of partnering with Internet Service Providers (ISPs) and others around the world to rid their customers’ computers of malware associated with the Necurs botnet.”
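The passage above describes the defensive use of a reverse-engineered domain generation algorithm: once the algorithm and its inputs are known, every future rendezvous domain can be computed in advance, reported to registries for blocking, and used to flag infected hosts in DNS logs. The following is an added illustration, not code from Microsoft, BitSight or the Necurs operators; the `toy_dga` function, its `TOY_SEED` value, the per-day domain count and the sample DNS log lines are all constructed for the example and bear no relation to the real Necurs algorithm. It generalizes the article's point slightly by also matching a query log against the precomputed set, which is how a defender turns the prediction into detection.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed toy DGA: a date- and seed-derived hash mapped to letters.
# This is NOT the Necurs algorithm; it only shows the shape of the problem.
TOY_SEED = b"example-campaign-seed"   # hypothetical operator secret, assumed recovered by analysis
DOMAINS_PER_DAY = 4                   # hypothetical: how many candidates the bot tries per day
TLDS = ("example", "test")            # reserved TLDs, so generated names never resolve for real


def toy_dga(day: date, seed: bytes = TOY_SEED, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the domains the toy DGA would rendezvous on for a given day.

    The bot and the defender compute exactly the same list, which is what
    makes advance registration and blocking possible.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        # Map the first 12 digest bytes to lowercase letters to form the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def predict_domains(start: date, days: int, seed: bytes = TOY_SEED) -> dict[str, date]:
    """Precompute every domain the DGA will use over a window of `days` days.

    The result maps each domain to the day it becomes active; this is the
    list a defender would hand to registries or load into a DNS blocklist.
    """
    predicted: dict[str, date] = {}
    for offset in range(days):
        active_day = start + timedelta(days=offset)
        for dom in toy_dga(active_day, seed):
            predicted[dom] = active_day
    return predicted


def flag_queries(log_lines: list[str], predicted: dict[str, date]) -> list[tuple[str, str, date]]:
    """Return (client, qname, active_day) for each query to a predicted DGA domain.

    Log format (constructed): "<timestamp> <client-ip> <qname>."
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crashing the sweep
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in predicted:
            hits.append((client, qname, predicted[qname]))
    return hits


# Constructed data: a 30-day prediction window and four sample DNS log lines,
# two of which hit DGA domains (built with toy_dga so the match is deterministic).
START = date(2020, 3, 6)
PREDICTED = predict_domains(START, 30)

SAMPLE_LOG = [
    f"2020-03-06T10:01:22Z 10.0.0.5 {toy_dga(START)[0]}.",
    "2020-03-06T10:01:23Z 10.0.0.5 www.microsoft.com.",
    f"2020-03-20T04:15:09Z 10.0.0.9 {toy_dga(START + timedelta(days=14))[2]}.",
    "2020-03-20T04:15:10Z 10.0.0.9 update.example.",
]


def demo() -> list[tuple[str, str, date]]:
    """Run the sample log against the precomputed blocklist."""
    return flag_queries(SAMPLE_LOG, PREDICTED)


if __name__ == "__main__":
    print(f"{len(PREDICTED)} domains predicted for {START} + 30 days")
    for client, qname, active_day in demo():
        print(f"{client} queried DGA domain {qname} (active {active_day})")
```

Scaling the window from 30 days to the 25 months in the article is the same loop with a larger `days` value; the hard part, as the article notes, is recovering the algorithm and its inputs, not enumerating the output. Registering or sinkholing predicted domains before the operators can is what removes the fallback channel.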
Like most botnets, Necurs is not one global network but rather a number of smaller networks scattered around the Internet, all connected through common malware, infrastructure, and usually operators. BitSight Technologies, which worked with Microsoft on the Necurs research and disruption effort, said it had identified 11 separate Necurs botnets, four of which account for the vast majority of the malicious activity. Necurs infections were at their peak in mid-2017 and have decreased considerably since then, with much of the C2 activity ending about a year ago.
“Back in 2016, we discovered that Necurs had around 1 million infected systems. Shortly after that post we had the opportunity to see a much bigger infection base of around 2 million infected systems in a 24-hour period. Measuring infections for Necurs is not as simple as for other malware; this is due to how the malware establishes communication with its command and control and how our sinkholes collect this information,” Valter Santos of BitSight said.
“The communication from the infected machines would not always reach out to us, so only on rare occasions do we have full visibility of all the botnets. On normal days of Necurs operation, our daily infection counters are below 50k infected systems when there are active C2s, and between 100k-300k when not.”
Microsoft has a long history of working to take down botnets and has helped disrupt many of them over the years, including Zeus, Citadel, and others.