Microsoft takes control over the US parts of the Necurs botnet

[German] Microsoft has succeeded in taking over the US-based parts of the Necurs botnet's infrastructure. The company has just announced this coordinated action with partners in 35 countries, which has disrupted the Necurs botnet.


I became aware of the story last night through articles and the subsequent tweet from Microsoft.

The seizure of the US infrastructure of the criminal network was part of a coordinated operation covering 35 countries.

What is Necurs?

The Necurs botnet is one of the largest spam-sending networks in the world, and its victims are spread across almost every country. For example, during a 58-day investigation period, Microsoft observed a single Necurs-infected computer send a total of 3.8 million spam emails to over 40.6 million potential victims.

Necurs is believed to be operated by cyber criminals based in Russia. The botnet is used for a wide range of crimes, including pump-and-dump stock scams, spam emails offering fake pharmaceuticals and spam emails for "Russian dating site" fraud. The Necurs botnet has also been used to attack other computers on the Internet and to deliver Trojans and other malware. This malicious software has stolen credentials for online accounts and harvested personal information and confidential data from individuals.


(Source: Pexels, Markus Spiske, CC0 license)

Necurs is also known for the targeted distribution of malware and ransomware, for cryptomining on infected devices and even for having DDoS (Distributed Denial of Service) capability. The latter has not yet been activated, but could be switched on at any time. The cyber criminals behind Necurs also offer access to the infected systems and the botnet's functions to other cyber criminals as a botnet-for-hire service, for purchase or rent.

Seizure of US infrastructure

On Thursday, March 5, the US District Court for the Eastern District of New York issued an order allowing Microsoft to take control of the US-based infrastructure that Necurs uses to spread malware and infect victims' computers.

At the same time, the campaign was coordinated worldwide with authorities in another 35 countries. The aim is to prevent the criminals behind Necurs from registering new domains for future attacks via the botnet. This was made possible by analyzing the algorithm Necurs uses to systematically generate new domain names.

Security researchers were then able to predict more than six million unique domain names that the algorithm would produce over the next 25 months. Microsoft reported these domains to the respective registries in countries around the world so that they are blocked from registration. The cyber criminals are thus prevented from using these domains as a new part of the Necurs infrastructure.

By taking control of the Necurs botnet's existing websites and being able to block the registration of new ones, Microsoft believes the operation of the botnet can be significantly disrupted.
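The domain-prediction step described above, as an added example that is not code from the article or from Microsoft: a constructed, deliberately simple date-seeded generator stands in for the real Necurs algorithm (which the article does not describe), a defender enumerates its future output into a blocklist of the kind handed to registries, and constructed DNS log lines are checked against that list. The seed, dates, TLD list and log format are all assumptions.

```python
"""Pre-emptive blocking of algorithmically generated domains.
Added example, not code from the original article or from Microsoft. The
generator below is a CONSTRUCTED, simple date-seeded DGA standing in for the
real Necurs algorithm, whose details the article does not give; the seed,
dates, TLD list and DNS log are constructed too.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")          # constructed TLD rotation
SEED = 0x5EED                         # constructed per-campaign seed
START = date(2020, 3, 5)              # day of the court order named in the article

def toy_dga(seed, day, count=4):
    """Return the `count` domains this hypothetical DGA yields for one day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        # map the first 12 hex digits onto letters so the label looks like a DGA name
        label = "".join(chr(ord("a") + int(ch, 16) % 26) for ch in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def predict_domains(seed, start, days):
    """Enumerate every domain the generator will emit over a window of days.
    This is the set a defender hands to registries so registration is refused."""
    predicted = set()
    for offset in range(days):
        predicted.update(toy_dga(seed, start + timedelta(days=offset)))
    return predicted

def flag_dns_queries(log_lines, blocklist):
    """Return (client, qname) pairs whose queried name is in the predicted set.
    Log format (constructed): '<timestamp> <client_ip> query <qname>. <type>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        client, qname = fields[1], fields[3].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits

BLOCKLIST = predict_domains(SEED, START, 30)               # 30 days ahead
DEMO_DOMAIN = toy_dga(SEED, START + timedelta(days=1))[0]  # one future domain
SAMPLE_LOG = [                                             # constructed DNS log
    f"2020-03-06T10:00:01 10.0.0.7 query {DEMO_DOMAIN}. A",
    "2020-03-06T10:00:02 10.0.0.8 query example.com. A",
]
```

Because the generator is deterministic, the same blocklist can be rebuilt on any host; a resolver log hit on a predicted domain identifies an infected client before the domain is ever registered.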

Cleaning infected computers

Microsoft is working with Internet Service Providers (ISPs) and other partners around the world to remove the malware delivered via the Necurs botnet from their customers' computers. These efforts are global in scope and include collaboration with industry, government and law enforcement partners through the Microsoft Cyber Threat Intelligence Program (CTIP).

Through the CTIP, Microsoft provides law enforcement agencies, government computer emergency response teams (CERTs), Internet service providers and government agencies responsible for enforcing cyber laws and protecting critical infrastructure with greater insight into the criminal cyber infrastructure in their jurisdictions, as well as an overview of the vulnerable computers and victims affected by that infrastructure.

For this effort, Microsoft is working with ISPs, domain registries, government CERTs and law enforcement agencies in countries including Mexico, Colombia, Taiwan and India.

This entry was posted in Security.