
Microsoft cripples 'biggest ever' zombie bot network


Microsoft has announced it was part of a coordinated effort to take down the prolific Necurs botnet.

The software giant and partners across 35 countries cracked the Necurs domain generation algorithm (DGA), allowing the group to prevent the registration of new domains to be used in future attacks.

First identified in 2012, the Necurs network is one of the most potent malware botnets to date, reportedly infecting over nine million devices worldwide.

Once a device is infected, it can be used by criminals to distribute several forms of malware via spam email. During its investigation - which spanned a period of eight years - Microsoft observed one infected computer send out 3.8 million spam emails in just 58 days.

Necurs botnet

Necurs is reportedly operated by a Russian hacking syndicate, which sells or rents access to infected devices to other cybercriminals as a botnet-as-a-service style offering.

The botnet has been used to execute a wide range of crimes, including pump-and-dump stock scams, credential theft and financially-motivated ransomware.

Necurs' operators register domains (generated by its DGA) many weeks - even months - in advance, which gave Microsoft and its partners their opening: once the algorithm is known, the domains it will produce can be predicted and blocked before the operators get to register them.

“We were able to predict over six million unique domains that would be created in the next 25 months,” said Tom Burt, Microsoft Corporate Vice President - Customer Security & Trust, in a blog post.

“Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure.”

“By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet,” he added.
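The mechanism Burt describes, as an added illustration that is not part of the original article and not Microsoft's or anyone's real tooling: a deliberately simple stand-in DGA (hypothetical, not the Necurs algorithm) whose future output is enumerated into a block list, plus a matcher that runs constructed resolver log lines against that list so infected hosts can be identified. Dates, seed, TLDs and client addresses are all made up.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")  # constructed stand-in TLD set, not taken from Necurs

def dga_domains(day_iso: str, seed: int, count: int = 4) -> list[str]:
    """Stand-in DGA (hypothetical, NOT the Necurs algorithm): deterministic
    labels derived from the calendar date and a fixed seed, as a real DGA does."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day_iso}:{i}".encode()).hexdigest()
        out.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return out

def predict_blocklist(start_iso: str, days: int, seed: int) -> set[str]:
    """Enumerate every domain the DGA will produce over a future window, so the
    names can be reported for blocking before they are ever registered."""
    start = date.fromisoformat(start_iso)
    blocked: set[str] = set()
    for n in range(days):
        blocked.update(dga_domains((start + timedelta(days=n)).isoformat(), seed))
    return blocked

def flag_dga_lookups(dns_log: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Match resolver log lines ('<ts> <client> query <name>') against the predicted
    set; each hit names a host that should be checked for infection."""
    hits = []
    for line in dns_log:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        client, name = fields[1], fields[3].lower().rstrip(".")
        if name in blocklist:
            hits.append((client, name))
    return hits

def sample_log(seed: int) -> list[str]:
    """Constructed resolver log: benign lookups plus one query for a domain the
    stand-in DGA will generate the next day (timestamps and clients are made up)."""
    future = dga_domains("2020-03-11", seed)[2]
    return [
        "2020-03-10T09:00:01 10.0.0.5 query www.example.com.",
        f"2020-03-10T09:00:02 10.0.0.9 query {future}.",
        "2020-03-10T09:00:03 10.0.0.5 query mail.example.org.",
    ]

if __name__ == "__main__":
    bl = predict_blocklist("2020-03-10", 30, seed=1234)
    print(len(bl), "domains predicted;", flag_dga_lookups(sample_log(1234), bl))
```

The same prediction step is what lets registries refuse the names up front; the matcher is the post-takedown side, turning the predicted set into a list of hosts to notify.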

Having seized control of existing Necurs infrastructure, the company and its partners were able to cripple the botnet and build a comprehensive map of infected devices.

Microsoft says it is in the process of notifying affected individuals so they can take steps to remove the malware from their device.

Via BBC