Microsoft disrupted US-Based Infrastructure of the Necurs botnet

Microsoft announced that it took over the US-based infrastructure used by the infamous Necurs spam botnet that infected millions of computers.

Microsoft announced to have taken over the US-based infrastructure used by the Necurs botnet. The IT giant explained that success is the result of a coordinated legal and technical joint effort to disrupt the Necurs botnet, which has infected more than nine million computers globally.

The operation saw the participation of partners across 35 countries.  

Necurs botnet is one of the largest spam botnet, it has been active since at least 2012 and was involved in massive campaigns spreading malware such as the Locky ransomware, the Scarab ransomware, and the Dridex banking Trojan.

According to the experts, the botnet was used to send out roughly 3.8 million spam messages to more than 40.6 million targets during a 58-day long investigation.

The Necurs botnet is active since at least 2012, it is operated by the cybercrime gang tracked as TA505.

“Today, Microsoft and partners across 35 countries took coordinated legal and technical steps to disrupt one of the world’s most prolific botnets, called Necurs, which has infected more than nine million computers globally. This disruption is the result of eight years of tracking and planning and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.” reads the announcement published by Microsoft.

“On Thursday, March 5, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers,”

The operation will prevent Necurs operators from registering new domains to employ in their malicious campaigns.

The experts were able to determine the algorithm used by the botnet to generate new domains, then they accurately predicted over six million unique domains that would be created in the next 25 months and reported them to their respective registries in countries worldwide. The registries were tasked to block the creation of such domains disrupting the Necurs infrastructure. Basically, Microsoft and partners were able to take over existing websites and preventing the registration of new ones.

Microsoft revealed that it has also collaborated with Internet Service Providers (ISPs) and other industry partners to help detect and sanitize infected computers.

“This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP),” concludes Microsoft.

“For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – malware, Necurs botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]