A New York State court issued an order this week giving Microsoft control of the U.S.-based infrastructure used by the notorious Necurs botnet in an effort to stop the world’s most prolific and globally dispersed spam and malware infrastructure.
The move came after Microsoft and partners across 35 countries cracked Necur’s domain generation algorithm, which is what generates random domain names to allow the botnet to distribute malware and infect victim computers around the world. Details of the coordinated effort were unveiled by Microsoft in a blog post published Tuesday.
“We were then able to accurately predict over six million unique domains that would be created in the next 25 months,” Tom Burt, Microsoft corporate vice president, customer security and trust, wrote in the post. “Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure.”
By taking control of existing websites and inhibiting the ability to register new ones, Microsoft and its partners managed to “significantly” disrupt the botnet, he said.
The subsequent order—handed down by the District Court for the Eastern District of New York—will now help ensure that criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks, Burt added.
Necurs—believed to be operated by Russian cybercriminals–is what one security researcher called the “multitool” of botnets because of its ability to multitask cybercriminal operations. It can operate as a spam botnet to deliver banking trojans and ransomware as well as be used to develop a proxy service or launch cryptomining and DDoS efforts.
Necurs is perhaps best known for being used as a dropper for other malware, including GameOver Zeus, Dridex, Locky, Trickbot and others, according to analysis of the botnet published Tuesday by BitSight security researcher ValterSantos. BitSight is one of the partner companies who worked alongside Microsoft’s Digital Crimes Unit to help disrupt Necurs.
“Its main uses have been as a spambot, a delivery mechanism for ransomware, financial malware and for running pump and dump stock scams,” Santos wrote. It also has been tied to fake pharmaceutical spam email and “Russian dating” scams, according to Microsoft.
The botnet was flogged as part a botnet-for-hire service in which the criminal custodians of Necurs would sell or rent access to the infected computer devices to other cybercriminals, researchers said.
One characteristic of Necurs that made it highly effective was its kernel mode rootkit capabilities, which it used to disable a large number of security applications–including Windows Firewall–both to protect itself and other malware on an infected system, Santos wrote.
The botnet also is modular, which allowed operators to change how they operate it over time, keeping security administrators and researchers guessing, he said.
While Necurs seemed to be losing some of its steam earlier this year, it remains one of the largest networks in the spam email threat ecosystem, with victims numbering about 9 million in nearly every country in the world, Burt said.
In its heyday from 2016 to 2019, Necurs “was the most prominent method to deliver spam and malware by criminals and was responsible for 90% of the malware spread by email worldwide,” Santos said.
Even during Microsoft and its partners investigation, Necurs showed considerable nefarious activity, Burt said. In a 58-day period, researchers observed one Necurs-infected computer sending 3.8 million spam emails to more than 40.6 million potential victims, he said.
Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.
