Necurs Botnet Takedown
Microsoft says it managed to disrupt the Necurs botnet by taking control of the U.S.-based infrastructure that it has been using to conduct its malicious activities.
Necurs is a peer-to-peer (P2P) hybrid botnet that uses a Domain Generation Algorithm (DGA) to ensure bots could always connect to a command and control (C&C) server. The botnet has been around since at least 2012 and has grown to become one of the most prolific botnets in existence.
Believed to be operated by Russian cybercriminals, Necurs has been used for a broad range of malicious activity, including pump-and-dump stock scams, spam emails credential and personal information theft, and the distribution of malware families such as GameOver Zeus, Dridex, Locky, Trickbot and others.
Additionally, the botnet operators are believed to be selling access to infected systems to other cybercriminals as part of a botnet-for-hire service. Necurs also has distributed denial of service (DDoS) capabilities, but it hasn’t been used for this type of attack as of now.
During the first seven days of March 2020, there were over 660,000 Necurs infections observed worldwide (based on the number of IPs reaching sinkholes), with India, Indonesia, and Turkey being affected the most, according to BitSight.
The security firm also says it has identified eleven Necurs botnets, with four of them accounting for most of the activity. The botnets have been largely inactive since March 2019 (and apparently replaced by Emotet), but left over 2 million infected systems in a dormant state.
Necurs’ P2P architecture allows it to resist takedown attempts, but Microsoft now says that it managed to crack down on the botnet’s DGA algorithm and take over the domains used for C&C after the U.S. District Court for the Eastern District of New York allowed it with an order issued on March 5.
Working with public and private entities worldwide, the tech giant was able to take control over the botnet’s U.S.-based infrastructure to ensure that Necurs’ operators can’t register new domains to launch additional attacks.
According to Microsoft, after figuring out how the botnet was generating new domains, it managed to accurately predict over six million unique domains created over the course of 25 months, and then reported these domains to registries worldwide to block them.
“This disruption is the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks,” Tom Burt, Corporate Vice President, Microsoft, says.
Additionally, the company is working with Internet Service Providers (ISPs) and other organizations worldwide, including partners in industry, government and law enforcement, to clean computers of malware associated with Necurs.
“For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others. Each of us has a critical role to play in protecting customers and keeping the internet safe,” Burt concluded.