Microsoft Disrupts the Long-Standing Necurs Botnet


A botnet is a network of Internet-connected computers or other devices that a third party has taken over for malicious purposes. Botnets are built with malware that infects poorly protected devices, often as simply as logging in over telnet to a device that still uses its factory default username and password. They are used to cause disruption or commit cybercrime in a variety of ways, from launching spam email campaigns to infecting computers with ransomware. Another major use of botnets is launching Distributed Denial of Service (DDoS) attacks that overwhelm a web-facing server, service or business application. Cybercriminals have built thousands of botnets worldwide using many different malware families; the most infamous is Mirai, but there are many others.

A Battle Won in the War Against Cybercrime

Cybersecurity professionals always seem to be playing a game of “whack-a-mole” with cybercriminals who are often one step ahead. Every so often, though, the defenders win a major battle in the war against organized cybercrime. That happened in March, when Microsoft and several of its partners disrupted (but did not completely eliminate) the Necurs botnet. Believed to be operated by cybercriminals based in Russia, Necurs had been haunting cyberspace for the past eight years.

Wired magazine reported, “Necurs has been silent lately—its most recent significant activity petered out last March—but it still has 2 million infected systems, awaiting its next command. By disrupting what remains of the botnet—in coordination with law enforcement and internet service providers across 35 countries, and with the help of cybersecurity firms like BitSight and ShadowServer—Microsoft has effectively prevented Necurs from rising again.”

According to SDXCentral, “Late last week, the U.S. District Court for the Eastern District of New York issued an order allowing Microsoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers. The company analyzed a technique that Necurs used to generate new domains through an algorithm and then was able to predict more than 6 million unique domains that would be created in the next 25 months.”
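The quoted passage describes the core of the takedown technique: once defenders recover a domain generation algorithm (DGA) and its inputs from a malware sample, they can compute every domain the bots will try in the future and register, block or sinkhole them before the operators do. The Python below is an added illustration of that idea and is not Microsoft's code or the real Necurs DGA (the page does not describe that algorithm). The seed, the eight-domains-per-day rate, the TLD list and the DNS log entries are all assumed or constructed for the example.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Assumed constants for a hypothetical date-seeded DGA. These are NOT the
# Necurs parameters; a real takedown starts by recovering the real ones
# (seed material, date handling, domain count, TLD table) from a sample.
TLDS = ("com", "net", "biz")
DOMAINS_PER_DAY = 8
SECRET_SEED = b"hypothetical-seed"


def daily_domains(day: date, count: int = DOMAINS_PER_DAY,
                  seed: bytes = SECRET_SEED) -> list[str]:
    """Return the domains a bot would try on `day`, in order.

    Each domain is derived from SHA-256 over (seed, ISO date, index), so
    anyone holding the seed can reproduce the exact list for any date.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 12 lowercase letters from the first 12 digest bytes,
        # TLD chosen by the 13th byte.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def predict_domains(start: date, days: int, **kw) -> dict[str, date]:
    """Precompute every domain for `days` days beginning at `start`.

    Returns domain -> first day it becomes active: the list a takedown
    team hands to registrars or a sinkhole operator.
    """
    predicted: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for d in daily_domains(day, **kw):
            predicted.setdefault(d, day)
    return predicted


def flag_dns_queries(queries, predicted: dict[str, date]) -> list[tuple[str, str]]:
    """Return (source, domain) pairs whose queried name is a predicted DGA domain.

    `queries` is an iterable of (source_ip, qname); names are normalised
    (trailing dot stripped, lower-cased) before lookup.
    """
    hits = []
    for src, qname in queries:
        name = qname.rstrip(".").lower()
        if name in predicted:
            hits.append((src, name))
    return hits


def sample_queries() -> list[tuple[str, str]]:
    """Constructed DNS log entries (source IP, queried name) for the demo."""
    active = daily_domains(date(2020, 3, 10))
    return [
        ("10.0.0.5", "www.example.com"),
        ("10.0.0.7", active[0] + "."),     # infected host looking for today's C2
        ("10.0.0.7", active[3].upper()),   # same host, resolver logged upper case
        ("10.0.0.9", "updates.example.net"),
    ]


if __name__ == "__main__":
    # Predict a month of domains, then match constructed resolver logs against them.
    table = predict_domains(date(2020, 3, 1), 30)
    print(f"{len(table)} domains to register or sinkhole")
    for src, name in flag_dns_queries(sample_queries(), table):
        print(f"{src} queried DGA domain {name} (active {table[name]})")
```

The same precomputed table serves two purposes: handed to registrars it pre-empts the operators, and loaded into a resolver or SIEM it turns each lookup of a predicted domain into a high-confidence indicator of an infected host, which is the data ISPs need for the clean-up phase that follows a takedown.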

There are still approximately two million infected computers worldwide, so as a next step Microsoft reports that it is “partnering with Internet Service Providers (ISPs) and others around the world to rid their customers’ computers of malware associated with the Necurs botnet.”

Microsoft is to be commended for its successful multi-year, international operation to cripple the Necurs botnet, which has plagued users and their computers across the globe for years. Although there are no reported cases of Necurs being used to launch a DDoS attack, a botnet of that size easily could have been. Disrupting the infrastructure behind it sends a powerful signal to other cybercriminals that they are not immune to countermeasures or criminal prosecution. However, this shouldn’t lead to complacency, or to thinking that the botnet era is likely to come to an end any time soon.

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, or to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Before joining Corero, Sean was Global Product Manager for network security at Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Before that he was Senior Product Manager at endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager at network infrastructure manufacturer 3Com.