1.9 C
New York
Thursday, February 22, 2024

How Microsoft Dismantled the Infamous Necurs Botnet

At the height of its powers, Necurs was one of the most disruptive forces on the internet. A sort of Swiss Army botnet, over the years it has harnessed more than 9 million computers unwittingly under its control to send spam, distribute ransomware, attack financial institutions, and more. Last week, Microsoft pulled its plug.

Necurs has been silent lately—its most recent significant activity petered out last March—but it still has 2 million infected systems awaiting its next command. By disrupting what remains of the botnet—in coordination with law enforcement and internet service providers across 35 countries, and with the help of cybersecurity firms like BitSight and ShadowServer—Microsoft has effectively prevented Necurs from rising again.

“This disruption is the result of eight years of tracking and planning,” wrote Microsoft corporate vice president Tom Burt in a blog announcing the takedown, “and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure.” Microsoft declined to comment further, but the company has taken the lead on similar takedowns in the past, given the extent to which operations like Necurs threaten Windows devices and their users.

While botnets are often associated with distributed denial of service attacks, Necurs has a more diverse portfolio. “The reason the Necurs botnet is so pernicious is because the attackers managed to infect so many devices, and leverage this massive botnet for various purposes based on the fact it distributes many other types of malware,” says Yael Daihes, senior security researcher at the content delivery network Akamai. Chief among those is spam; in a criminal complaint filed March 5, Microsoft noted that “one single infected Necurs computer is capable of sending a total of 3.8 million spam emails to over 40.6 million potential victims over a 58 day period.”

Necurs is largely a botnet-for-hire, available to distribute whatever malware a client might want. That includes the infamous GameOver Zeus trojan that plagued the internet nearly a decade ago, as well as the Dridex malware deployed by Evil Corp and others. The criminal complaint details the use of Necurs to distribute notorious malware like Locky and Trickbot, as well, like a smuggler for the Legion of Doom. The possibilities are endless, from ransomware to banking-information theft to surveillance.

Necurs can also block antivirus updates in older machines, leading to a host of knock-on problems. “For devices using an outdated Windows 7 without updated antivirus protections, Necurs not only cripples the security mechanism that might result in removal of Necurs from the computing device, it may leave victim’s computing devices exposed to many other types of malware,” the complaint reads.

“Necurs, prior to Microsoft's actions, remained a significant threat, even though it seems to have declined in relevance since 2016,” says Evelyn French, senior analyst at Flashpoint, a security firm that has tracked the botnet.

Necurs was first discovered online eight years ago, and has been linked in the years since to the various malware families that used it for distribution. But the takedown work didn't start in earnest until 2016, when BitSight began a years-long effort to disentangle the botnet, reverse engineering its structure so that Microsoft and others could actually disrupt it. You can’t fight what you can’t see.

It was a hard slog. Necurs isn’t a single botnet but a family of at least 11, all presumed to be under the control of the same unidentified Russian criminals. Four of those botnets, BitSight found, were responsible for 95 percent of all infections. Moreover, Necurs uses a particularly sophisticated command-and-control structure to relay information to and from the computers it controls.

In the most basic command-and-control setup, a piece of malware will attempt to communicate with a single domain, from which hackers give instructions. Necurs is far from basic. Rather than rely on a fixed site, it uses a so-called domain generation algorithm, or DGA, to create 2,048 potential domains every four days, giving its zombie computers a lot of flexibility. “It’s a function to change the domains it talks to basically every day, every week, every month. That can be variable based on what the person who wrote it wants to be doing,” says Dan Dahlberg, BitSight’s head of security research. “Today the botnet may try to talk to 50 different domains to try to find the one the actor actually controls. The next day it might change to another 50.”

Several botnet families use DGAs. Necurs adds its own twists, though, primarily centered on adaptability. Once an infected machine successfully links up with a Necurs command-and-control domain, it stops reaching out elsewhere until that connection gets broken for whatever reason. Only then does it resort to the DGA. It also uses multiple layers of command-and-control servers, and it enables devices connected to the same server to communicate with others in that cluster and compare notes about what domains are functional.

“It has this kind of defense-in-depth communication structure, almost similar to how a company would structure its internal security tools to have this escape and fallback mechanism,” says Dahlberg. “And of course, as these malware families implement more complex methods of communication, it makes disruption and takedowns much more complicated.”

The most effective way to stymie a botnet is to seize those command-and-control domains to cut off communication. That’s what makes a DGA such an effective weapon; companies like BitSight and Microsoft are left chasing thousands of new domains every week. But it’s also how they ultimately threw up an effective roadblock. By cracking the underlying algorithm, Microsoft was able to identify the next 6,144,000 domains that Necurs was scheduled to populate over the next 25 months, and it alerted the authorities in relevant countries so they could block their registration. A court order also allowed Microsoft to seize current Necurs domains located in the US. The company is also working with ISPs around the world to identify people with infected devices and help them scrub their machines.

Other botnets, particularly Emotet, have ascended since Necurs went quiet a year ago. Crippling Necurs still serves an important purpose, though. “Even though it is dormant, we don’t know what the possibility is of it coming on line again for nefarious purposes,” says Dahlberg.

Microsoft and its partners have ensured that if the botnet does try to mount a comeback, it won’t have very many places left to turn.

Related Articles

Latest Articles