Microsoft takes down the world’s most prolific botnet 'Necurs'


Devdiscourse News Desk | San Francisco | Updated: 11-03-2020 09:52 IST | Created: 11-03-2020 09:52 IST

Tech giant Microsoft said Tuesday that the company, along with its partners across 35 countries, took coordinated legal and technical steps to disrupt the Necurs botnet, one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world.

The Necurs botnet, which first appeared in 2012, has distributed several forms of malware, including the prevalent password-stealing trojan GameOver Zeus, infecting more than nine million computers globally. According to Dell SecureWorks Counter Threat Unit reports, GameOver Zeus was the most active banking trojan of 2013.

Believed to be operated by Russia-backed criminals, Necurs is known for distributing fake pharmaceutical spam email, pump-and-dump stock scams, financially targeted malware and ransomware, and crypto mining. It also has a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.

Microsoft said the disruption is part of a cooperative effort with industry partners and law enforcement to take out cybercriminal networks. In a blog post, Tom Burt, Microsoft Vice President for Customer Security and Trust, said that the disruption is the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.

Following a legal order enabling the company to take control of Necurs' U.S.-based infrastructure, Microsoft is leading a collaborative effort to prevent the criminals behind Necurs from registering new domains to execute attacks in the future.

For this disruption, Microsoft analyzed the technique Necurs uses to systematically generate new domains through an algorithm. That analysis enabled the company to accurately predict over six million unique domains that would be created in the next 25 months. In the next step, Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure.

In addition, Microsoft is joining forces with Internet Service Providers (ISPs), domain registries, government Computer Emergency Response Teams (CERTs) and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland, and Romania, among others, to protect customers and make the internet a safer place.