Microsoft and partners across 35 countries dismantled the world’s largest malware botnet, called Necurs. The network has infected more than nine million computers worldwide. Microsoft’s operation took eight years of careful monitoring, coordinating and planning. As a result, cyber criminals will no longer be able to use key elements of their infrastructure.
World’s Largest Malware Botnet
A botnet is a network of computers that a cybercriminal has infected with a bot. A bot allows a hacker to take control of these devices. The owners of the devices often don’t even know they are part of this network. To make things worse, all devices that are connected to the same network can also become infected.
The bot master, or bot herder, can then send the same command to all the bots in his botnet. For example, he could prompt all the devices to visit a website at the same time, thus effecting a so-called DDoS (distributed denial-of-service) attack. Another popular strategy is to use bots to spread spam. To do so, the bot master sends emails or posts messages on social media, all in the device owner’s name. The bot master can also sell or rent out the network he has created, sell people’s credentials and spread malicious software.
Necurs is a distributor of many pieces of malware and one of the largest spam email networks. It has infected over nine million devices, with victims in nearly every country of the world. The number of victims can grow fast. “During a 58-day period in our investigation, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims”, Microsoft explained.
The takedown was the result of eight years of planning and coordination in close collaboration with ISPs, domain registries, government CERTs and law enforcement agencies in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others. Microsoft has also taken several technical and legal steps.
On Thursday, March 5, a US District Court issued an order enabling Microsoft to take control of Necurs’ US-based infrastructure. The breakthrough came when Microsoft and partners were able to crack the algorithm Necurs uses to systematically generate new domains. As a result, Microsoft was able to accurately predict over six million unique domains that would be created in the next 25 months.
“Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs’ infrastructure”, Microsoft said. “By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.”
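The prediction step described above, as an added example that is not part of the original article or of Microsoft’s operation: a stand-in deterministic domain generator (assumed here; the real Necurs algorithm is not described on this page) lets a defender precompute the domains for the coming periods, hand the list to registries or resolvers for blocking, and flag hosts that query any of them in DNS logs. The seed, TLD list, dates and log format are all constructed for this example.

```python
import hashlib
from datetime import date, timedelta

# Stand-in deterministic generator written for this example; it is NOT the Necurs
# algorithm (which this page does not describe). Seed and TLD list are assumed values.
TLDS = ("com", "net", "biz")
SEED = b"example-seed"
START = date(2020, 3, 5)  # first period to pre-compute (constructed date)

def domains_for_period(period_start: date, count: int = 4, seed: bytes = SEED) -> list[str]:
    """Derive `count` domains for one weekly period. Determinism is the whole point:
    whoever holds the seed can reproduce every domain the bots will try to contact."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + period_start.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        out.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return out

def predict_blocklist(start: date, weeks: int) -> set[str]:
    """Enumerate every domain the generator yields over the next `weeks` periods,
    i.e. the list a registry or resolver would block ahead of registration."""
    blocklist: set[str] = set()
    for w in range(weeks):
        blocklist.update(domains_for_period(start + timedelta(weeks=w)))
    return blocklist

def match_dns_log(lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) for each query whose name is on the predicted list.
    Assumed log layout: '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits

# Constructed sample resolver log: one query for a predicted domain, one benign query.
DEMO_LOG = [
    f"2020-03-09T10:00:01 10.0.0.7 {domains_for_period(START)[0]}.",
    "2020-03-09T10:00:02 10.0.0.8 www.example.org.",
]

if __name__ == "__main__":
    for client, qname in match_dns_log(DEMO_LOG, predict_blocklist(START, weeks=8)):
        print(f"{client} queried predicted DGA domain {qname}")
```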
Continuous Efforts Needed
Necurs is not the first digital criminal operation Microsoft has taken down. In fact, it is the 18th in 10 years. Unfortunately, it remains unclear whether anyone will ever be charged and, even if so, whether the cybercriminals involved would ever face trial. Cyber security experts and intelligence officials believe Necurs is operated by criminals based in Russia. Although not state-sponsored, they seem to be tolerated by the Russian state.
For now, Microsoft and partners have blocked the infrastructure the cybercriminals need to launch their attacks. The big job that follows is to rid people’s devices of malware associated with the Necurs botnet. To make this happen, Microsoft is working with ISPs and others around the world.
Unfortunately, cybercriminals will no doubt find more sophisticated and more complex ways to effect their attacks. It therefore remains important to stay vigilant and be a step ahead by protecting your privacy, being aware of what you click on and installing the latest software, patches and app updates.