- David Goldstein -
Microsoft and a number of partners across 35 countries took down one of the world’s most prolific botnets in March. Called Necurs, it had infected more than nine million computers globally and in 25 months had used six million unique domains in various top-level domains.
Partners involved in the takedown included top-level domain registries, one of which was EURid, the .eu registry. But it wasn’t an overnight procedure. The takedown was the result of eight years of tracking and planning led by Microsoft’s Malware Lab. As a result, the criminals behind the network now face a harder task, because they can no longer use key elements of Necurs’ infrastructure to execute cyberattacks.
Microsoft’s Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012 and saw it distribute several forms of malware, including the GameOver Zeus banking trojan.
It was one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. During a 58-day period during Microsoft’s investigation they observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.
EURid’s involvement was through assisting Microsoft and partners with its Abuse Prevention and Early Warning System (APEWS). APEWS works by tagging potentially malicious domain names during the registration process. Once tagged, these domain names are not delegated until they successfully pass a compliance and vetting process. This process effectively prevents domain names (like those produced by the domain generation algorithm of the Necurs botnet) from being used for malicious and criminal purposes, while simultaneously offering cyber researchers and law enforcement the tools to identify potential victims and criminal actors.
Necurs was believed to be operated by criminals based in Russia and has also been used for a wide range of crimes including pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams. It has also been used to attack other computers on the internet, steal credentials for online accounts, and steal people’s personal information and confidential data. Interestingly, it seems the criminals behind Necurs sell or rent access to the infected computer devices to other cybercriminals as part of a botnet-for-hire service. Necurs is also known for distributing financially targeted malware and ransomware, cryptomining, and even has a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.
According to a report in the New York Times, Microsoft’s team struck on 10 March at an unusually empty Microsoft campus in Redmond, empty because the area around Microsoft’s global headquarters had become a hot spot for the coronavirus. But taking down a botnet, the company concluded, was not a work-from-home task.
Microsoft accomplished the botnet takedown by analysing a technique used by Necurs to systematically generate new domains through an algorithm. Microsoft was able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites could be blocked and prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, Microsoft significantly disrupted the botnet, Tom Burt, Microsoft’s Corporate Vice President, Customer Security and Trust, explained in a company blog post.
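The two defensive mechanisms the article describes, a registry holding back delegation of tagged names until they pass vetting (the APEWS process above) and a registry blocking names that a partner has reported as predicted DGA output, can be sketched as a small registry-side model. The following is an added illustration, not EURid's APEWS code or any Microsoft code; the reported-domain list, the registration requests, the entropy and vowel-ratio heuristic and its thresholds are all constructed for the example.

```python
"""Registry-side pre-delegation hold, modelled on the process the article
describes. Constructed example: the domain lists, registrants and heuristic
thresholds are made up for illustration."""
import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for the list of predicted DGA domains a registry
# receives from a takedown partner (the real Necurs list is not on the page).
REPORTED_PREDICTED_DOMAINS = {
    "qxzvbnmkl.eu",
    "wpoiuytrea.eu",
    "mnbvcxzasd.eu",
}


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one domain label."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_algorithmic(domain: str, min_len: int = 9,
                      min_entropy: float = 3.0, max_vowel_ratio: float = 0.25) -> bool:
    """Cheap heuristic for machine-generated labels: long, high-entropy and
    vowel-poor. Thresholds are assumptions chosen for this example; a real
    registry would combine more signals and rely on the vetting step to
    clear false positives."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (label_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)


@dataclass
class RegistryState:
    reported: set                                   # partner-reported names
    delegated: set = field(default_factory=set)     # live in the zone
    held: dict = field(default_factory=dict)        # name -> reason for hold
    audit_log: list = field(default_factory=list)   # for researchers / LE


def process_registration(state: RegistryState, domain: str, registrant: str) -> str:
    """Tag a registration at submission time. Tagged names are recorded but
    NOT delegated; everything else goes into the zone as usual."""
    domain = domain.lower().rstrip(".")
    if domain in state.reported:
        reason = "on partner-reported predicted-DGA list"
    elif looks_algorithmic(domain):
        reason = "heuristic: algorithmic-looking label"
    else:
        reason = None

    if reason is not None:
        state.held[domain] = reason
        state.audit_log.append((domain, registrant, "HELD", reason))
        return "held"
    state.delegated.add(domain)
    state.audit_log.append((domain, registrant, "DELEGATED", ""))
    return "delegated"


def complete_vetting(state: RegistryState, domain: str, passed: bool) -> str:
    """Outcome of the compliance and vetting process for a held name:
    a name that passes is delegated, one that fails stays out of the zone."""
    if domain not in state.held:
        raise KeyError(f"{domain} is not on hold")
    if passed:
        del state.held[domain]
        state.delegated.add(domain)
        state.audit_log.append((domain, "", "VETTED_OK", ""))
        return "delegated"
    state.held[domain] = "failed vetting"
    state.audit_log.append((domain, "", "VETTED_FAIL", ""))
    return "refused"


if __name__ == "__main__":
    st = RegistryState(reported=set(REPORTED_PREDICTED_DOMAINS))
    for name, who in [("qxzvbnmkl.eu", "reg-A"), ("hgtrfvbnjuik.eu", "reg-B"),
                      ("example-bakery.eu", "reg-C"), ("eurid.eu", "reg-C")]:
        print(f"{name:22s} -> {process_registration(st, name, who)}")
    print("vetting hgtrfvbnjuik.eu ->", complete_vetting(st, "hgtrfvbnjuik.eu", True))
    for entry in st.audit_log:
        print(entry)
```

The point of the model is the ordering: the decision is made before delegation, so a name on the reported list never resolves even for the window between registration and review, while the audit log preserves who tried to register what, which is the data the article says researchers and law enforcement use to identify victims and actors.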
While the botnet has been taken down, Microsoft is under no illusions the group is permanently disabled. “We’ve cut off their arms, for a while,” Amy Hogan-Burney, the general manager of the Digital Crimes Unit and a former F.B.I. lawyer, told The New York Times.
It was the 18th time in 10 years Microsoft had taken down a digital criminal operation, according to The Times. But they note it was unclear whether anyone would be indicted, or even if indicted whether they would ever face a trial. Microsoft executives acknowledged that this was a game of whack-a-mole, and that the creators of Necurs and groups like it would be back.
“The cybercriminals are incredibly agile,” Tom Burt told The Times, “and they come back more sophisticated, more complex. It is an ultimate cat-and-mouse game.”
For this disruption, Microsoft worked with ISPs, domain registries including EURid, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others.