The Necurs botnet is arguably one of the most successful distribution points for many different types of malware. That was until Microsoft’s Digital Crimes Unit (MDCU), alongside other technology partners such as BitSight, made a coordinated strike against it. 35 countries participated in the move, shutting down its infrastructure. That meant taking control of domains and command and control (C&C) infrastructure, and gaining control over millions of infected machines.
The latter is critical. In previous botnet takedowns, authorities have used the C&C servers to push fixes to the infected machines. This has prevented many from being re-infected when botnet owners have attempted to re-establish control. Interestingly, in this case, re-establishing control is unlikely to happen because the Necurs domain generation algorithm (DGA) has been broken.
Tom Burt, Corporate Vice President, Customer Security & Trust, Microsoft commented: “The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.”
Breaking the Necurs DGA is the key to stopping future infections
Taking down the Necurs botnet is a good thing. Of more importance, however, is the fact that the Necurs DGA has been broken. To stop their botnets from being blocked and removed, cybercriminals have developed complex algorithms that generate a constantly changing supply of new domain names. Infected machines compute the same names and look them up, so the operators only need to register a few of them to regain control, and fake websites are built on them.
DGAs are so effective that registrars have struggled to combat the process. The problem many face is that millions of legitimate domains are created each day, so spotting the ones used by the cybercriminals is difficult. According to Valter Santos, Senior Security Analyst, BitSight: “This DGA produces 2048 possible C2 domains every 4 days across 43 TLDs, including .bit.”
Burt explains that Microsoft was able to accurately predict over six million unique domains that would have been created in a 25 month period. By passing that information to the domain registrars in different countries, the websites are blocked as soon as they are created. This, Burt claims, prevents them from becoming part of the Necurs network.
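The prediction-and-block approach described above only works because a DGA is deterministic: once the algorithm and its time input are known, a defender can enumerate every domain the bots will try before they try it. The following is an added illustration, not code from Microsoft, BitSight or the Necurs malware, and the DGA in it is a hypothetical stand-in (SHA-256 of a constructed seed, a window number and a counter) rather than the Necurs algorithm. The TLD list, the 4-day window, the epoch date, the number of domains per window and the DNS log format are all assumptions chosen for the example. It pre-computes the domain set for a date range, then scans constructed DNS resolver log lines and flags clients that queried a predicted name.

```python
"""
Added example: enumerate the domains of a time-seeded DGA for a date range
(the blocklist a defender hands to registrars or a sinkhole), then use that
set to flag DNS queries from possibly infected clients.

The DGA here is HYPOTHETICAL and is not the Necurs algorithm; it only shares
the property the article relies on: given the algorithm and the date, the
domains can be predicted in advance.
"""
import hashlib
from datetime import date

# Assumed parameters of the stand-in DGA (constructed, not Necurs's values).
TLDS = ("com", "net", "biz")     # constructed TLD list
WINDOW_DAYS = 4                  # one domain set per 4-day window
DOMAINS_PER_WINDOW = 8           # kept small; a real DGA emits thousands
EPOCH = date(2020, 1, 1)         # constructed epoch for window numbering
SEED = b"example-seed"           # constructed seed baked into the "malware"


def window_index(day: date) -> int:
    """Which WINDOW_DAYS-long window a calendar day falls in, counted from EPOCH."""
    return (day - EPOCH).days // WINDOW_DAYS


def dga_domains(window: int) -> list[str]:
    """Hypothetical DGA: derive DOMAINS_PER_WINDOW names from SEED and a window number."""
    assert window >= 0, "windows before EPOCH are not defined for this stand-in"
    out = []
    for i in range(DOMAINS_PER_WINDOW):
        material = SEED + window.to_bytes(4, "big") + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map 12 digest bytes onto lowercase letters for the label,
        # and one more byte onto a TLD choice.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def predict_domains(start: date, end: date) -> set[str]:
    """All domains the stand-in DGA produces between two dates, inclusive.

    This is the defender's pre-computed blocklist: every window that
    overlaps the date range is enumerated in advance.
    """
    predicted: set[str] = set()
    for w in range(window_index(start), window_index(end) + 1):
        predicted.update(dga_domains(w))
    return predicted


def flag_dns_log(lines, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, queried_name) pairs whose name is in the blocklist.

    Assumed log format (constructed): "<timestamp> <client_ip> query <qtype> <qname>".
    Trailing dots and letter case are normalised before comparison.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # skip malformed or unrelated lines
        qname = parts[4].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


# Constructed resolver log: one client queries a predicted DGA domain for
# the window containing 2020-03-05, the others query legitimate names.
_DGA_NAME_FOR_MARCH_5 = dga_domains(window_index(date(2020, 3, 5)))[0]
SAMPLE_LOG = [
    "2020-03-05T10:00:01Z 10.0.0.7 query A " + _DGA_NAME_FOR_MARCH_5 + ".",
    "2020-03-05T10:00:02Z 10.0.0.9 query A www.example.com.",
    "2020-03-05T10:00:03Z 10.0.0.9 query AAAA updates.example.net.",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    blocklist = predict_domains(date(2020, 3, 1), date(2020, 3, 31))
    print(f"{len(blocklist)} predicted domains for March 2020")
    for client, name in flag_dns_log(SAMPLE_LOG, blocklist):
        print(f"possible infection: {client} queried {name}")
```

In practice the blocklist would be generated for the whole period the algorithm is expected to remain in use (the 25 months mentioned above) and pushed to registrars, resolvers and sinkholes, while the DNS-matching side is what lets an ISP or enterprise identify which machines to disinfect.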
In parallel to this activity, Microsoft acquired a court order in the US that allowed it to take control of the Necurs domains hosted in the US. This has allowed it to work with ISPs to help disinfect machines enrolled in the Necurs botnet. Similar actions are being taken by other parties outside of the US.
Does this mark the end for the global botnets?
Not a chance. Many of the users who are disinfected will get re-infected with another botnet. Poor browsing habits, clicking on phishing emails, falling for scams, and getting hit by drive-by attacks when a website has been compromised are all ways in which users are caught out. Even those with the most up-to-date endpoint security cannot be sure they are always safe.
The driver for the cybercriminals is simple: money. There are billions being made every year from scams, cyberattacks and malware infections. While some of the attacks are carefully targeted and require a degree of preparation, a lot are not. This creates a world where the entry level to cybercrime is low. But attacks need a delivery mechanism, and this is where botnets come into play.
In the first 7 days of March, BitSight recorded over 650,000 infections by Necurs. That is down substantially on the peaks of 2016/2017. However, that does not mean that infections are down. Other botnets are taking over from Necurs.
In his blog, Santos comments: “We know in advance that Necurs was in idle mode for a while and was already being replaced by others (Emotet) but, nevertheless, there were still an estimated 2 million infected bots waiting for their master commands – and that could happen at any time if no action was taken.”
Enterprise Times: What does this mean?
Disruption and takedown of botnets happens on a fairly regular basis. Unfortunately, cybercriminals just rebuild over time. There is an irony here, and lessons to be learned. Companies are castigated for their poor cyber resilience, disaster recovery and business continuity planning.
By comparison, cybercriminals set a gold standard. It is likely that we will see some form of Necurs botnet revival as the people behind it look to rebuild. It will take time, and the breaking of the Necurs DGA is a major blow. However, there are other DGAs out there that are far from being broken.
For now, Microsoft has provided a link to the Microsoft Safety Scanner. This allows users to test their Windows machines to see if they are infected. Perhaps it is time that Apple started to do the same.