Microsoft busted Necurs botnets, which infected more than nine million computers since 2012. Microsoft’s Digital Crimes Unit (DCU) worked together with BitSight and other partners across 35 countries.
They managed to disrupt it after years of study focused on the Necurs malware, its botnets, and its command and control infrastructure. Researchers performed forensic analysis, reverse engineering, malware analysis and analysis of module updates. They also drew on infection telemetry, command and control updates, and analysis of the algorithm Necurs used to generate new domains. “We were then able to accurately predict over six million unique domains that would be created in the next 25 months,” said a Microsoft DCU spokesperson.
They reported the domains to their respective registries in countries around the world. Thus, the authorities could block the websites and prevent them from becoming part of the Necurs infrastructure.
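The workflow described above (reverse the domain generation algorithm, precompute the domains it will produce, then block them or use them to spot infected hosts) as an added example that is not part of the original article. The DGA here is a constructed seed-plus-date stand-in, not the Necurs algorithm, and the log format and sample lines are assumptions for the demonstration.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed-and-date DGA constructed for this example; it is NOT the
# Necurs algorithm, only a stand-in with the same shape (a secret seed plus a
# time period deterministically yields that day's rendezvous domain).
SEED = "example-seed"
TLDS = ["com", "net", "biz"]

def dga_domain(seed: str, day: date) -> str:
    """Return the single domain the hypothetical DGA would use on `day`."""
    digest = hashlib.sha256(f"{seed}:{day.isoformat()}".encode()).hexdigest()
    tld = TLDS[int(digest[24:26], 16) % len(TLDS)]
    return f"{digest[:12]}.{tld}"

def predict_domains(seed: str, start: date, days: int) -> set:
    """Precompute every domain the DGA will produce from `start` for `days` days.
    This is the list a defender hands to registries or loads into a resolver."""
    return {dga_domain(seed, start + timedelta(days=i)) for i in range(days)}

def find_dga_queries(log_lines, blocklist):
    """Match DNS query logs ('<time> <client> <qname> <qtype>') against the
    predicted set; a hit means the client is likely infected and calling home."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the scan
        client, qname = parts[1], parts[2].lower().rstrip(".")
        if qname in blocklist:
            hits.append((client, qname))
    return hits

START = date(2020, 3, 10)
BLOCKLIST = predict_domains(SEED, START, 30)

# Constructed sample log: one query to a predicted domain, one to a domain the
# DGA used before the prediction window, and one benign query.
SAMPLE_LOG = [
    f"2020-03-11T08:15:02 10.0.0.5 {dga_domain(SEED, date(2020, 3, 11))}. A",
    f"2020-03-11T08:15:09 10.0.0.7 {dga_domain(SEED, date(2020, 1, 1))} A",
    "2020-03-11T08:16:00 10.0.0.9 www.microsoft.com A",
]

if __name__ == "__main__":
    for client, qname in find_dga_queries(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} queried predicted DGA domain {qname}")
```

The second sample line is deliberately not flagged: a domain from outside the predicted window is invisible to this check, which is why the prediction horizon (25 months in the real operation) matters.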
Researchers believe that a single group controlled the botnets. Of the eleven Necurs botnets they discovered, four were responsible for approximately 95% of all infections.
Necurs worked for seven years
Necurs was first spotted in 2012. It usually delivered malware, but it also supported many other illegal activities. After infecting a system, Necurs would weaken the system's security, both to protect itself and to make room for other malware. It could also disable a large number of security apps, including Windows Firewall.
Necurs botnets' activity stopped in March 2019, leaving about two million infected systems around the world in a dormant state. “From 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals,” BitSight researchers mentioned. They added that it was responsible for 90% of the malware spread by email worldwide. Its main uses have been as a spambot, as a delivery mechanism for ransomware and financial malware, and for running pump and dump stock scams.
The team said it tracks more than 200 billion malware-related events every day. One of the most recent threats is the Coronavirus malware.