Microsoft and its partners across several countries went all guns blazing against the nefarious botnet called Necurs. The infamous Necurs is touted to be the world’s most prolific botnet and has infected more than nine million computers, with victims in nearly every country in the world.
According to Microsoft, the disruption will ensure the criminals behind the Necurs botnet network would no longer be able to use key elements of its infrastructure to execute cyberattacks.
The disruption of Necurs was the result of coordinated legal and technical steps by Microsoft and its partners, following eight years of tracking and planning. Microsoft’s Digital Crimes Unit, along with other firms in the security community, first observed the Necurs botnet in 2012 and witnessed it distribute several forms of malware, the most infamous being the GameOver Zeus banking trojan. The researchers also observed that, during a 58-day period of the investigation, Necurs-infected computers sent a total of 3.8 million spam emails to over 40.6 million potential victims.
Believed to be operated by Russia-based cybercriminals, Necurs has been used for an array of cybercrime, including fake pharmaceutical spam emails and online dating scams, among others. Apart from this, the botnet is also sold on the black market as part of a botnet-for-hire service.
The disruption took place after the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of Necurs infrastructure. Microsoft then analyzed the technique Necurs uses to systematically generate new command-and-control domains through an algorithm, so that the domains could be predicted and blocked before the botnet could register them.
“We were then able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites could be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet,” Tom Burt, CVP, Customer Security & Trust, Microsoft wrote in a blog post.
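The defensive idea described above is that once a botnet’s domain generation algorithm (DGA) is understood, a defender can pre-compute every domain it will produce for a future window, hand that list to registries for blocking or sinkholing, and match DNS logs against it to find infected hosts. The Python below is an added illustration of that workflow and is not Microsoft’s code nor the actual Necurs algorithm: the seed, the date-based hashing scheme, the TLD list and the log format are all hypothetical, constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical, illustrative DGA. This is NOT the Necurs algorithm; it only
# shows the shape of a seeded, date-driven generator that a defender can
# run forward to pre-compute the domains a botnet would try to register.
TLDS = ("com", "net", "biz", "info")          # constructed TLD set
SEED = b"hypothetical-seed-material"           # constructed placeholder seed


def dga_domain(day, seed=SEED, index=0):
    """Return the index-th domain for a given day under the toy scheme."""
    material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).hexdigest()
    # 12 hex-byte pairs -> 12 lowercase letters for the second-level label
    label = "".join(chr(ord("a") + int(digest[i:i + 2], 16) % 26)
                    for i in range(0, 24, 2))
    tld = TLDS[int(digest[24:26], 16) % len(TLDS)]
    return f"{label}.{tld}"


def predict_domains(start, days, per_day=2, seed=SEED):
    """Pre-compute the full domain set for a future window of `days` days.

    A defender hands this set to registries/registrars so the names can be
    blocked or sinkholed before the botnet operators register them.
    """
    return {dga_domain(start + timedelta(days=d), seed, i)
            for d in range(days) for i in range(per_day)}


def flag_dns_log(log_lines, blocklist):
    """Return (client_ip, query_name) pairs whose query hits the predicted set.

    Assumed log format (constructed): "<timestamp> <client-ip> <query-name>".
    Hosts that resolve predicted DGA names are likely infected and should be
    triaged for remediation.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip malformed lines
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    # Pre-compute 30 days of domains, then scan a few constructed log lines.
    predicted = predict_domains(date(2020, 3, 1), days=30)
    sample_log = [
        "2020-03-05T10:00:00Z 10.0.0.5 " + dga_domain(date(2020, 3, 5), index=1) + ".",
        "2020-03-05T10:00:01Z 10.0.0.6 www.example.com.",
    ]
    for ip, name in flag_dns_log(sample_log, predicted):
        print(f"suspected infection: {ip} queried predicted DGA domain {name}")
```

The window size and per-day count are parameters because real DGAs vary in both; the value of the approach is that prediction is cheap for the defender once the algorithm and seed are known, while the operators must register from exactly that list.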
“For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others. Each of us has a critical role to play in protecting customers and keeping the internet safe,” Tom added.
Countering Necurs in India
The breakdown by country for the first seven days of March 2020 showed that 13.59% of the distinct infected IP addresses came from India alone. India is also home to one of the largest numbers of super-nodes, the peer-to-peer (P2P) communication channels that cybercriminals create to keep the botnet running even when law enforcement, network operators and researchers take down parts of its infrastructure.
In India, the Microsoft Digital Crimes Unit partnered with the Indian Computer Emergency Response Team (CERT-In) and the National Internet Exchange of India (NIXI) to disrupt cyberattacks led by the botnet. This effort prevented the criminals behind Necurs from registering new domains in India to execute attacks in the future.