Microsoft has revealed it was part of a team that took down the Necurs botnet. The network had infected over nine million devices worldwide, making it one of the world’s largest botnets. It was used to send malware-packed spam emails, steal login details, deliver ransomware, and more.
Tom Burt, Microsoft’s vice-president for customer security and trust, said the company worked with partners across 35 countries to disrupt the prolific botnet. “This disruption is the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks,” he wrote.
First identified in 2012, Necurs is believed to be operated by a Russia-based hacking group that sells or rents access to the infected devices to other criminals. During a 58-day period in the investigation, it was found that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.
Microsoft and the others took down the botnet by breaking its domain generation algorithm (DGA), the routine that produces pseudo-random domain names which are then registered and turned into websites for the botnet to use.
Necurs authors register the domains that are generated by its DGA weeks or months in advance, which allowed Microsoft and the team to disrupt the botnet. “We were able to predict over six million unique domains that would be created in the next 25 months,” said Burt.
“Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.”
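The takedown described above works because a DGA is deterministic: the bots and their operators must agree on the same domain list, so anyone who has reversed the algorithm can run it forward and pre-compute the domains before the criminals register them. The following is an added illustration, not Necurs' actual algorithm or any Microsoft code. It uses a hypothetical date-seeded DGA (`toy_dga`), shows the defender's side (enumerating a future window into a blocklist), and checks constructed DNS log lines against that list to flag infected hosts for notification.

```python
import hashlib
from datetime import date, timedelta

# Constructed TLD set for the toy algorithm; Necurs' real list is not on the page.
TLDS = ("com", "net", "biz", "info")


def toy_dga(seed_date: date, index: int = 0, length: int = 12) -> str:
    """Hypothetical time-seeded DGA: derive one domain from (date, index).

    Deterministic by design, so the bot, the operator and a defender who has
    reversed the routine all compute exactly the same list.
    """
    digest = hashlib.sha256(f"{seed_date.isoformat()}|{index}".encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    return f"{label}.{TLDS[index % len(TLDS)]}"


def predict_domains(start: date, days: int, per_day: int = 2) -> list[str]:
    """Defender side: run the DGA forward over a future window so the domains
    can be reported to registries or sinkholed before they are registered."""
    predicted = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        for index in range(per_day):
            predicted.append(toy_dga(day, index))
    return predicted


def flag_dga_lookups(log_lines: list[str], predicted: set[str]) -> list[tuple[str, str]]:
    """Match DNS query logs ("<timestamp> <client> <qname>", constructed format)
    against the predicted set; each hit is a host worth notifying for cleanup."""
    hits = []
    for line in log_lines:
        _timestamp, client, qname = line.split()
        if qname.lower().rstrip(".") in predicted:
            hits.append((client, qname.rstrip(".")))
    return hits


# Constructed sample: a 30-day window starting on a fixed date, and a DNS log in
# which one client queries a predicted domain and two query ordinary names.
WINDOW_START = date(2020, 3, 10)
PREDICTED = set(predict_domains(WINDOW_START, days=30))
SAMPLE_DNS_LOG = [
    "2020-03-12T08:01:00Z 10.0.0.5 www.example.com.",
    f"2020-03-12T08:01:07Z 10.0.0.9 {toy_dga(WINDOW_START + timedelta(days=2), 1)}.",
    "2020-03-12T08:02:15Z 10.0.0.5 updates.example.net.",
]

if __name__ == "__main__":
    print(f"{len(PREDICTED)} domains to report for the window")
    for client, qname in flag_dga_lookups(SAMPLE_DNS_LOG, PREDICTED):
        print(f"notify {client}: queried predicted DGA domain {qname}")
```

The useful property is the asymmetry: the operators must register every domain the algorithm names, while a defender who predicts the same list only has to get it blocked, and any host that resolves one of those names has identified itself as infected.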
Once it broke the DGA and took control of Necurs’ infrastructure, Microsoft and its partners were able to cripple the botnet and create a map of the bots’ locations across the world. The company is now working with ISPs and CERT teams to notify affected users so they can remove the malware from their infected devices.