Necurs Botnets Busted

Eleven Necurs botnets, which infected more than nine million computers since 2012, have been severely disrupted. 

The botnets were dealt a blow through the joint efforts of BitSight, Microsoft's Digital Crimes Unit (DCU), and partners across 35 countries, who today took coordinated legal and technical steps to disrupt Necurs.

The disruption was the result of years of study focused on Necurs malware, its botnets, and its command and control infrastructure. The researchers' work covered forensic analysis, reverse engineering, malware analysis, module updates, infection telemetry, command and control updates, and analysis of a technique used by Necurs to systematically generate new domains through an algorithm.

“We were then able to accurately predict over six million unique domains that would be created in the next 25 months,” said a Microsoft DCU spokesperson. 

The domains were reported to their respective registries in countries around the world so the websites could be blocked and prevented from becoming part of the Necurs infrastructure.

Evidence found by researchers suggests that the botnets were controlled by a single group. Of the eleven Necurs botnets discovered, four were found to be responsible for approximately 95% of all infections.

Necurs was first spotted rearing its ugly head in 2012. Over the years, the malware has been used to support a wide range of illegal activities, but its main function has been to deliver other malware.

Malware dropped by Necurs has included GameOver Zeus, Dridex, Locky, and Trickbot, among others.

After infecting a system, Necurs is programmed to weaken its security to protect itself and make it easier for other malware to join the party. Using its kernel mode rootkit capabilities, the malware can disable a large number of security applications, including Windows Firewall.

Necurs botnets' activity stalled in March 2019, leaving an estimated 2 million infected systems around the world in a dormant state, awaiting revival. The year-long break was an unusually long period of inactivity for Necurs.

Describing Necurs' impact on the world, BitSight researchers wrote: "Its main uses have been as a spambot, a delivery mechanism for ransomware, financial malware and for running pump and dump stock scams. 

"From 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals and was responsible for 90% of the malware spread by email worldwide."

Asked how he planned to celebrate the historic botnet takedown, BitSight security researcher Valter Santos told Infosecurity Magazine: "BitSight will be getting back to work—we are tracking more than 200 billion events on a daily basis. There's more malware out there."
