Microsoft Confirms Takedown Of ‘World’s Most Prolific’ Malware: Millions Of Victims Globally

Microsoft and partners have announced a major breakthrough in the fight against cybercriminals today (March 10), with the take-down of the prolific Necurs botnet. This automated network infected as many as 9 million computers, using these as endpoints to distribute dangerous emails and malware. Between 2016 and 2019, Nucurs was likely responsible for 90% of the world’s email-distributed malware.

This take-down came as a result of “eight years of tracking and planning,” Microsoft says, and involved its Digital Crimes Unit, BitSight, and other partners across 35 countries. In a separate announcement, BitSight claims the action has impacted “all [eleven] Necurs botnets,” albeit these botnets have appeared dormant for around 12 months—longer than ever before, leaving 2 million infected systems behind.

Taking spam email as an example of the scale of risk here, Necurs targeted victims “in nearly every country in the world. During a 58-day period in our investigation,” Microsoft says, “we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.” The action taken, it says, “helps ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.”

Botnets—or networks of bots—are large numbers of compromised computers that then become connected endpoints through which a criminal activity can take place. In essence, your PC becomes a tool for the criminal network to use, including dropping malware (such as GameOver Zeus, Dridex, Locky and Trickbot), sending spam emails, romance and financial scams, credential theft and cryptomining.

Back in 2017, IBM said of Necurs that “it militarizes up to 6 million zombie endpoints, delivers some of the worst banking trojans and ransomware threats in batches of millions of emails at a time, and keeps reinventing itself... Necurs is indirectly responsible for a major chunk of cybercrime and the losses it produces.”

The operators behind the Necurs botnet are believed to be Russian and have been using the platform for their own campaigns as well as renting out its capabilities to other criminals. Microsoft hit Necurs by killing millions of domains the malware would automatically generate and register to continually move its command and control servers away from prying eyes, remaining operational for years.

Microsoft says that it accurately predicted “over six million unique domains that would be created in the next 25 months.” These were then reported to the relevant registries and blocked, thus the disruption. The tech giant also secured a court order “to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers.” Put simply, Microsoft intercepted and blocked the operational infrastructure at the heart of the botnet, starving it of oxygen.

Now the job of work is cleaning up the mess that Necurs left behind. And here Microsoft is working with ISPs around the world “to rid their customers’ computers of malware associated with the botnet.

Comments are closed.