Microsoft has disrupted the Necurs botnet, one of the biggest spam email and malware distributors on the internet.
Necurs basically operates as a collection of hacker-controlled computers, which will use malware to try to infect other machines, hence the name botnet. All that computing power can then be harnessed to send out waves of spam, along with emails that contain other malicious programs, including ransomware.
But on Tuesday, Microsoft said it “significantly disrupted” Necurs by going after how it receives orders on the internet. To control the botnet, the hackers behind Necurs use obscure internet domains, which can send out new orders to the collection of infected computers.
Taking over these domains means you can theoretically interrupt access to the botnet. So in response, the hackers behind Necurs built a “domain generation algorithm” into their botnet, which will cycle through a long list of ever-changing domain sites during the communication process. This can throw off security researchers, making it hard to pinpoint which domains a botnet is actually receiving orders from.
Past research on Necurs has found the botnet will generate up to 2,048 different domains, which will change every four days. Nevertheless, Microsoft cracked Necurs' domain generation algorithm; the company was able to predict a whopping 6.1 million domains that the botnet is slated to use over the next 25 months.
With a US court order, Microsoft was then able to secure access to all 6.1 million domains and now controls the US-based properties. The rest of the domains have been shared with internet registries across the globe, which have proceeded to block anyone from controlling the sites.
Necurs is likely the brainchild of Russian hackers, who’ve been renting out access to the botnet to other cybercriminals. As a result, it’s played a role in a variety of criminal schemes since 2012, including spam email campaigns as well as spreading other malware strains like ransomware and Trojans that can steal your banking login information.
“During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims,” Microsoft VP Tom Burt said in today’s announcement.
Necurs itself usually ends up on a PC via other malware sent through email spam or malicious advertisements. Once it infects, Necurs will attempt to secretly turn the victim computer into an email server. To date, the botnet has ensnared at least 9 million computers across the globe, Microsoft says.
Further Reading
- Market Research Firm Uses Free VPN Apps to Harvest Data From Consumers
- It's Now (a Bit) Harder to Register a .Gov Domain
- Hacking Tools Are Being Infected With Malware
- Connected Cars Are Cool, But Are They Safe?
- More in Security