Microsoft and Partners Disrupt World’s Largest Online Criminal Network That Used 6 Million Domains In 25 Months

Microsoft and partners across 35 countries announced this week that through coordinated legal and technical steps they have disrupted one of the world’s most prolific botnets, called Necurs, which has infected more than nine million computers globally and in 25 months had used six million unique domains in various ccTLDs and gTLDs.

This disruption, Tom Burt, Microsoft’s Corporate Vice President, Customer Security and Trust, wrote in a blog post was the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.

Microsoft’s Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012 and have seen it distribute several forms of malware, including the GameOver Zeus banking trojan.

The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. During a 58-day period during Microsoft’s investigation, for example, they observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.

Necurs is believed to be operated by criminals based in Russia and has also been used for a wide range of crimes including pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams. It has also been used to attack other computers on the internet, steal credentials for online accounts, and steal people’s personal information and confidential data. Interestingly, it seems the criminals behind Necurs sell or rent access to the infected computer devices to other cybercriminals as part of a botnet-for-hire service. Necurs is also known for distributing financially targeted malware and ransomware, cryptomining, and even has a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.

On 5 March, according to Burt’s post, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers. With this legal action and through a collaborative effort involving public-private partnerships around the globe, he writes Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future.

According to a report in The New York Times, the team struck on 10 March, “from an eerily empty Microsoft campus. Tens of thousands of workers had been ordered to stay home because the area near the headquarters in Redmond, Wash., has been a hot spot for the coronavirus. But taking down a botnet, the company concluded, was not a work-from-home task.”

“After cleansing the Digital Crimes Unit’s command centre to eliminate any live viruses, a small team of Microsoft workers gathered in a conference room at 7 a.m., flipped on their laptops and began coordinating action against another kind of global infection.”

Microsoft accomplished this by analysing a technique used by Necurs to systematically generate new domains through an algorithm. Microsoft then was able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites could be blocked and prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, Burt writes Microsoft has significantly disrupted the botnet.

Microsoft is also taking the additional step of partnering with Internet Service Providers (ISPs) and others around the world to rid their customers’ computers of malware associated with the Necurs botnet. This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP). Through CTIP, Microsoft provides law enforcement, government Computer Emergency Response Teams (CERTs), ISPs and government agencies responsible for the enforcement of cyber laws and the protection of critical infrastructure with better insights into criminal cyber infrastructure located within their jurisdiction, as well as a view of compromised computers and victims impacted by such criminal infrastructure.

While the botnet has been taken down, Microsoft is under no illusions the group is permanently disabled. “We’ve cut off their arms, for a while,” Amy Hogan-Burney, the general manager of the Digital Crimes Unit and a former F.B.I. lawyer, told The Times.

It was the 18th time in 10 years Microsoft had taken down a digital criminal operation, according to The times. But they note it was unclear whether anyone would be indicted, or even if indicted, whether they would ever face a trial. Microsoft executives acknowledged that this was a game of whack-a-mole, and that the creators of Necurs and groups like it would be back.

“The cybercriminals are incredibly agile,” Tom Burt, the executive who leads Microsoft’s security and trust operations told The Times, “and they come back more sophisticated, more complex. It is an ultimate cat-and-mouse game.”

For this disruption, Microsoft worked with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others.

A botnet, Burt explained, is a network of computers that a cybercriminal has infected with malicious software, or malware.