Microsoft this week announced the success of its efforts, jointly undertaken with partners across 35 countries, to disrupt the Necurs botnet group blamed for infecting more than 9 million computers globally.

There are 11 botnets under the Necurs umbrella, all apparently controlled by a single group, according to Valter Santos, security researcher at
Bitsight, which worked with Microsoft on the takedown. Four of those botnets account for about 95 percent of all infections.

“Necurs is the named exploit that is most consistently used,” said Rob Enderle, principal analyst at the Enderle Group.

The U.S. District Court for the Eastern District of New York last week issued an
order enabling Microsoft to take control of the U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers.

Microsoft figured out the new domains Necurs would generate algorithmically and reported them to respective registries worldwide so they could be blocked.

Microsoft also is partnering with ISPs, domain registries, government CERTs and law enforcement in various countries to help flush malware associated with Necurs from users’ computers.

The botnet activity stalled this month, but about 2 million infected systems remain, waiting in a dormant state for Necurs’ revival.

These systems “should be identified and rebuilt” to avoig leaving them susceptible to Necurs or another botnet, Enderle told TechNewsWorld.

“They could do a lot of damage if they aren’t found in time,” he said.

“Microsoft is one of the few companies going after the bad actors and not just addressing the point security problems,” Enderle noted. “Until the world becomes aggressive with bringing the bad actors to justice, we will continue to be at risk of a worldwide catastrophic computer event. This problem needs to be solved at the source.”

The Long Arm of Necurs

Necurs is one of the largest networks in the spam email threat ecosystem.

During one 58-day period in the Microsoft-led investigation, a single Necurs-infected computer sent a total of 3.8 million spam emails to more than 40.6 million potential victims, noted Microsoft Corporate Vice President Tom Burt.

Necurs first was detected in 2012. It is known primarily as a dropper for other malware, including GameOver Zeus, Dridex, Locky and Trickbot, Bitsight’s Santos said.

Its main uses have been as a spambot — a delivery mechanism for pump-and-dump stock scams, fake pharmaceutical spam email, and Russian dating scams. It also has been used to attack other computers on the Internet, steal credentials for online accounts, and steal people’s personal information and confidential data.

The botnet is known for distributing financially targeted malware and ransomware, as well as for cryptomining. It has a DDoS (distributed denial of service) capability, although that has not been activated.

From 2016 to 2019, Necurs was responsible for 90 percent of the malware spread by email worldwide, according to BitSight’s Santos.

“Necurs is essentially an operating system for delivering bad stuff to infected machines,” said Mike Jude, research director at IDC.

“By itself, it isn’t really threatening,” he told TechNewsWorld. “It’s more like an annoying bit of code that works at the root level. But the stuff it can deliver or activate can be devastating.”

The Necurs operators also offer a botnet-for-hire service, selling or renting access to infected computer devices to other cybercriminals.

Necurs is believed to be the work of criminals based in Russia.

How Necurs Works

Necurs’ developers implemented a layered approach for infected systems to communicate with its command-and-control servers through a mixture of a centralized and peer-to-peer communication channels, BitSight found.

Necurs communicates with its operators primarily through an embedded list of IPs, and occasionally through static domains embedded in the malware sample. It also can use domain generation algorithms.

A dummy DGA produces domains to be used to see if the malware is running in a simulated environment. A second DGA fetches hard-coded .bit domains.

The .bit top-level domain is an alternative DNS model, maintained by Namecoin, that uses a blockchain infrastructure and is more difficult to disrupt than ICANN-regulated TLDs, Santos said.

If none of the other methods can get an active C&C server, the main DGA kicks in. It produces 2,048 possible C2 domains every four days across 43 TLDs, including .bit, based on the current date and a seed hardcoded in the binary. All domains are tried until one resolves and responds using the correct protocol.

If all the above methods fail, the C&C domain is retrieved from the always-on P2P network, which acts as the main channel to update C&C servers. An initial list of about 2,000 peers is hardcoded in the binary, but it can be updated as needed. The peers in the list are known as “supernodes” — victim systems with elevated status within the infrastructure.

Further, the malware uses an algorithm that converts the IP addresses received through DNS to its servers’ real IP addresses.

The C&C infrastructure is tiered, with multiple layers of C&C proxies, to make discovery even more difficult.

The first tier of C&C servers consists of cheap virtual private servers in countries such as Russia and the Ukraine. They reverse-proxy all communications to the second-tier C&C servers, which typically are hosted in Europe, and sometimes in Russia. The communications proceed further up the chain until they finally reach the back end.

On normal days of Necurs’ operation, BitSight detected fewer than 50,000 infected systems daily when there were active C&Cs, and between 100,000 and 300,000 when the C&Cs were inactive.

“The daily unique observations continue to be an underestimate of the true size of the botnet,” Santos remarked.

Dropping the Hammer on Necurs

Analyzing Necurs’ DGA allowed Microsoft to make accurate predictions of more than 6 million unique domains the botnet group would create over the next 25 months. Its lawsuit and partnerships with various entities will prevent Necurs from registering and using them.

Microsoft “has done a stellar job of taking this version apart — but these things evolve, and it’s likely there will be another iteration if this one becomes more or less neutralized,” IDC’s Jude observed.

“Code is easy to change and it isn’t being developed in a vaccuum,” he pointed out. “The people behind this are probably already investigating how Microsoft reverse-engineered their approach and are building that into the next version.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
Email Richard.

Source link


  1. Fantastic beat ! I wish to apprentice while you amend your web site, how can i subscribe for a blog website? The account helped me a acceptable deal. I had been tiny bit acquainted of this your broadcast offered bright clear concept

  2. Today, I went to the beach front with my children. I found a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell to her ear and screamed. There was a hermit crab inside and it pinched her ear. She never wants to go back! LoL I know this is totally off topic but I had to tell someone!

  3. I’m really impressed with your writing skills as well as with the layout on your blog. Is this a paid theme or did you customize it yourself? Anyway keep up the excellent quality writing, it’s rare to see a nice blog like this one these days.|

  4. I think what you said made a great deal of sense. But, consider this, suppose you added a little content? I mean, I don’t want to tell you how to run your website, but suppose you added a title to possibly grab a person’s attention? I mean BLOG_TITLE is a little boring. You ought to peek at Yahoo’s front page and note how they write article headlines to get viewers to open the links. You might add a video or a related picture or two to grab readers interested about everything’ve written. Just my opinion, it might make your posts a little livelier.|

  5. Greetings, I think your blog may be having browser compatibility problems. Whenever I look at your blog in Safari, it looks fine however when opening in I.E., it’s got some overlapping issues. I just wanted to provide you with a quick heads up! Aside from that, fantastic blog!|

  6. I don’t know whether it’s just me or if perhaps everyone else encountering problems with your blog. It appears as though some of the written text within your posts are running off the screen. Can someone else please provide feedback and let me know if this is happening to them as well? This might be a issue with my browser because I’ve had this happen previously. Thank you|

  7. Howdy! Someone in my Facebook group shared this website with us so I came to check it out. I’m definitely loving the information. I’m book-marking and will be tweeting this to my followers! Great blog and amazing design and style.|

  8. Hi! I’ve been following your web site for a long time now and finally got the bravery to go ahead and give you a shout out from Huffman Texas! Just wanted to say keep up the great job!|

  9. Have you ever considered about including a little bit more than just your articles? I mean, what you say is important and everything. But think of if you added some great pictures or videos to give your posts more, “pop”! Your content is excellent but with pics and video clips, this blog could undeniably be one of the greatest in its niche. Superb blog!|

  10. Thank you a bunch for sharing this with all people you actually realize what you are speaking approximately! Bookmarked. Please additionally consult with my web site =). We may have a link exchange arrangement between us|

  11. Oh my goodness! Awesome article dude! Thank you, However I am going through issues with your RSS. I don’t know the reason why I am unable to subscribe to it. Is there anybody having similar RSS issues? Anyone that knows the answer can you kindly respond? Thanks!!|

  12. You’re so interesting! I do not think I’ve read through a single thing like that before. So wonderful to find another person with a few genuine thoughts on this issue. Really.. thank you for starting this up. This web site is something that’s needed on the web, someone with some originality!|

  13. wonderful submit, very informative. I’m wondering why the other specialists of this sector don’t notice this. You must continue your writing. I’m sure, you’ve a huge readers’ base already!|

  14. Simply wish to say your article is as astonishing. The clarity in your post is just spectacular and i can assume you are an expert on this subject. Fine with your permission let me to grab your feed to keep up to date with forthcoming post. Thanks a million and please continue the enjoyable work.|

  15. Hi this is somewhat of off topic but I was wondering if blogs use WYSIWYG editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding knowledge so I wanted to get guidance from someone with experience. Any help would be enormously appreciated!|

  16. Excellent goods from you, man. I’ve understand your stuff previous to and you’re just extremely excellent. I actually like what you have acquired here, certainly like what you’re stating and the way in which you say it. You make it enjoyable and you still care for to keep it wise. I can not wait to read much more from you. This is really a terrific site.|

  17. With havin so much content and articles do you ever run into any problems of plagorism or copyright infringement? My website has a lot of unique content I’ve either written myself or outsourced but it seems a lot of it is popping it up all over the internet without my permission. Do you know any ways to help reduce content from being ripped off? I’d truly appreciate it.|

  18. I don’t know whether it’s just me or if perhaps everyone else experiencing issues with your blog. It seems like some of the written text within your posts are running off the screen. Can somebody else please provide feedback and let me know if this is happening to them as well? This could be a issue with my browser because I’ve had this happen previously. Many thanks|

  19. It is appropriate time to make some plans for the future and it’s time to be happy. I have read this submit and if I may I want to recommend you some attention-grabbing issues or advice. Perhaps you can write subsequent articles relating to this article. I want to learn more issues about it!|

  20. Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your blog? My blog site is in the exact same area of interest as yours and my visitors would certainly benefit from some of the information you provide here. Please let me know if this okay with you. Regards!|

  21. Heya i’m for the primary time here. I came across this board and I find It really helpful & it helped me out much. I hope to provide one thing again and aid others such as you helped me.|

  22. Wonderful blog! Do you have any helpful hints for aspiring writers? I’m planning to start my own blog soon but I’m a little lost on everything. Would you advise starting with a free platform like WordPress or go for a paid option? There are so many options out there that I’m totally overwhelmed .. Any ideas? Thanks!|

  23. I will immediately seize your rss as I can not to find your e-mail subscription hyperlink or newsletter service. Do you’ve any? Kindly permit me recognize so that I may just subscribe. Thanks.|

  24. Thanks for one’s marvelous posting! I definitely enjoyed reading it, you may be a great author. I will always bookmark your blog and definitely will come back in the foreseeable future. I want to encourage continue your great writing, have a nice holiday weekend!|

  25. Howdy would you mind sharing which blog platform you’re using? I’m going to start my own blog in the near future but I’m having a tough time choosing between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design and style seems different then most blogs and I’m looking for something completely unique. P.S My apologies for being off-topic but I had to ask!|

  26. I will immediately grasp your rss as I can’t find your e-mail subscription hyperlink or e-newsletter service. Do you’ve any? Please permit me understand so that I could subscribe. Thanks.|

  27. Hi, I do believe this is a great website. I stumbledupon it 😉 I am going to revisit yet again since I book-marked it. Money and freedom is the best way to change, may you be rich and continue to help other people.|

  28. When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three e-mails with the same comment. Is there any way you can remove me from that service? Many thanks!|

  29. Hey there superb blog! Does running a blog such as this require a lot of work? I’ve very little understanding of programming but I was hoping to start my own blog in the near future. Anyways, should you have any recommendations or techniques for new blog owners please share. I understand this is off subject however I just wanted to ask. Many thanks!|

  30. Nice post. I was checking continuously this blog and I’m inspired! Very helpful information particularly the final part 🙂 I care for such info much. I used to be seeking this certain information for a long time. Thanks and best of luck. |

  31. Undeniably imagine that which you stated. Your favourite justification seemed to be at the web the easiest factor to take into account of. I say to you, I certainly get irked even as folks think about worries that they plainly do not understand about. You managed to hit the nail upon the top and also outlined out the whole thing with no need side-effects , other folks can take a signal. Will probably be back to get more. Thank you!

  32. You’re so awesome! I don’t suppose I’ve truly read something like this before. So good to discover someone with original thoughts on this subject matter. Really.. thanks for starting this up. This website is something that is required on the web, someone with some originality!|

  33. Very nice post. I simply stumbled upon your weblog and wished to mention that I have truly enjoyed surfing around your blog posts. In any case I will be subscribing on your rss feed and I am hoping you write once more very soon!

  34. It is perfect time to make a few plans for the longer term and it is time to be happy. I’ve learn this put up and if I may I want to recommend you some attention-grabbing issues or advice. Maybe you can write next articles referring to this article. I wish to read even more things about it!

  35. My partner and i still can’t quite believe I could often be one of those studying the important recommendations found on your web blog. My family and I are really thankful on your generosity and for giving me the chance to pursue this chosen career path. Thank you for the important information I acquired from your web site.

  36. I do consider all the ideas you’ve presented to your post. They’re really convincing and can definitely work. Nonetheless, the posts are too brief for newbies. May you please extend them a bit from subsequent time? Thank you for the post.

  37. I haven’t checked in here for some time as I thought it was getting boring, but the last several posts are great quality so I guess I’ll add you back to my daily bloglist. You deserve it my friend 🙂

  38. I want to show my thanks to you for bailing me out of this particular matter. Just after checking throughout the the net and seeing recommendations that were not beneficial, I believed my entire life was done. Existing without the presence of approaches to the issues you’ve fixed through your good blog post is a critical case, as well as the ones which may have adversely affected my entire career if I had not come across your blog. That know-how and kindness in handling all areas was helpful. I’m not sure what I would’ve done if I had not discovered such a solution like this. I can at this time relish my future. Thank you so much for the professional and result oriented help. I won’t hesitate to endorse your site to any person who will need tips about this matter.

  39. Thanks for the sensible critique. Me and my neighbor were just preparing to do a little research on this. We got a grab a book from our local library but I think I learned more from this post. I’m very glad to see such magnificent information being shared freely out there.

  40. I like what you guys are up too. Such smart work and reporting! Keep up the excellent works guys I have incorporated you guys to my blogroll. I think it will improve the value of my website :).

  41. Hello, Neat post. There’s an issue together with your site in internet explorer, might test this? IE still is the marketplace leader and a huge section of other people will pass over your great writing due to this problem.|

  42. I have been surfing on-line more than 3 hours nowadays, but I never discovered any interesting article like yours. It is lovely value enough for me. In my view, if all web owners and bloggers made just right content material as you did, the web will probably be a lot more useful than ever before.|

  43. Howdy! This blog post could not be written any better! Going through this article reminds me of my previous roommate! He always kept talking about this. I most certainly will send this information to him. Fairly certain he’ll have a good read. I appreciate you for sharing!|

  44. Hey there! Someone in my Myspace group shared this site with us so I came to give it a look. I’m definitely loving the information. I’m book-marking and will be tweeting this to my followers! Fantastic blog and excellent design.|

  45. This design is incredible! You definitely know how to keep a
    reader amused. Between your wit and your videos, I was almost moved to start my own blog
    (well, almost…HaHa!) Fantastic job. I really
    loved what you had to say, and more than that,
    how you presented it. Too cool!

  46. Have you ever considered publishing an ebook or guest authoring on other sites? I have a blog centered on the same subjects you discuss and would love to have you share some stories/information. I know my viewers would enjoy your work. If you’re even remotely interested, feel free to shoot me an e-mail.|

  47. Hey I know this is off topic but I was wondering if you knew of any widgets I could add to my blog that automatically tweet my newest twitter updates. I’ve been looking for a plug-in like this for quite some time and was hoping maybe you would have some experience with something like this. Please let me know if you run into anything. I truly enjoy reading your blog and I look forward to your new updates.|

  48. Thanks for ones marvelous posting! I actually enjoyed reading it, you’re a great author.I will always bookmark your blog and definitely will come back very soon. I want to encourage yourself to continue your great work, have a nice morning!|

  49. Its such as you learn my thoughts! You seem to understand a lot approximately this, such as you wrote the guide in it or something. I feel that you simply could do with some percent to force the message home a bit, but instead of that, this is fantastic blog. An excellent read. I’ll certainly be back.|


Please enter your comment!
Please enter your name here