Microsoft's quiet war against bad actors continues, as the company announced a successful takedown of the Necurs botnet, perhaps the largest malware network, with over nine million computers infected worldwide.
The takedown came after Microsoft and several industry partners decoded Necurs' domain generation algorithm (DGA), which produces the botnet's random domain names and has helped the infamous network remain anonymous and resilient for a long time.
A DGA is a technique for generating pseudo-random domain names at regular intervals. Malware authors use it to continuously switch the location of their command-and-control (C&C) servers while maintaining uninterrupted communication with compromised systems.
What is a Botnet?
A network of computers infected with malicious software (malware) by a cybercriminal is known as a botnet. Once the machines are infected, the cybercriminals can control them remotely and use them to carry out crimes undetected.
The Necurs botnet is among the largest networks in the malware threat ecosystem, with infected systems in nearly every country in the world. According to research, a Necurs-infected computer sends an average of 3.8 million spam emails to more than 40.6 million potential targets.
It is believed to be operated by cybercriminals based in Russia and has carried out a wide range of crimes, including fake pharmaceutical spam email, pump-and-dump stock scams, and "Russian dating" scams. It has also been used to attack other computers on the internet in order to steal people's personal information and online account credentials.
How was Microsoft able to disrupt the Botnet?
The disruption was made possible by an order from the U.S. District Court for the Eastern District of New York allowing Microsoft to take control of US-based infrastructure used by Necurs to distribute malware. This legal action, combined with a collaborative effort between Microsoft and public-private partners around the world, prevented the cybercriminals from registering new domains to execute further attacks.
Microsoft reported the domains to their respective registrars so they could be blocked and prevented from becoming part of the Necurs infrastructure. Taking control of the existing websites and inhibiting the operators' ability to register new ones will significantly disrupt the botnet.
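The two ideas above, a DGA that derives domains from a secret seed and the calendar, and a defender who, having recovered that seed, enumerates the upcoming domains to report, blocklist or sinkhole them before the operators can register them, are illustrated below in an added example. This is not Microsoft's code and not the real Necurs algorithm: the `dga` function, its seed, TLD list and the DNS log format are all constructed for illustration. It also goes one step further than the article by matching DNS query logs against the predicted set, which is how a defender spots infected hosts that are still calling out.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Tuple

# Hypothetical, constructed DGA (NOT the Necurs algorithm): it mixes a
# hard-coded seed with the calendar date and a counter, hashes the result,
# and maps hash bytes onto letters. Real DGAs differ in detail, but the
# shape is the same: a deterministic function of (secret seed, time).
SEED = b"example-seed"            # constructed placeholder, not a real value
TLDS = ("com", "net", "biz")      # constructed TLD list
DOMAIN_LEN = 12                   # label length, chosen for the demo
DOMAINS_PER_DAY = 4               # domains the fictional bot tries each day


def dga(day: date, index: int, seed: bytes = SEED) -> str:
    """Return the index-th domain for a given day (hypothetical algorithm)."""
    material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:DOMAIN_LEN])
    tld = TLDS[digest[-1] % len(TLDS)]
    return f"{label}.{tld}"


def predict_domains(start: date, days: int, seed: bytes = SEED) -> List[str]:
    """Defender side: with the seed and algorithm known, enumerate every
    domain the malware will try over the coming window so they can be
    reported to registrars, blocklisted or sinkholed ahead of use."""
    out: List[str] = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        out.extend(dga(day, i, seed) for i in range(DOMAINS_PER_DAY))
    return out


def flag_dga_lookups(log_lines: List[str], predicted: List[str]) -> List[Tuple[str, str]]:
    """Match DNS query log lines against the predicted domain set.

    Log format is constructed for this example:
        "<timestamp> <client-ip> query <qname>"
    Returns (client-ip, domain) pairs for every hit, so a SOC can
    identify infected hosts even after the C&C domains are sinkholed.
    """
    watch = set(predicted)
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()   # strip trailing dot, normalise case
            if qname in watch:
                hits.append((parts[1], qname))
    return hits


# Constructed demo window: seven days of predicted domains from a fixed date.
WINDOW_START = date(2020, 3, 10)
PREDICTED = predict_domains(WINDOW_START, 7)

# Constructed DNS log: two benign lookups and one query for a predicted domain.
SAMPLE_LOG = [
    "2020-03-11T09:00:01 10.0.0.5 query www.example.com.",
    f"2020-03-11T09:00:07 10.0.0.5 query {PREDICTED[3]}.",
    "2020-03-11T09:01:12 10.0.0.9 query updates.example.org.",
]

if __name__ == "__main__":
    print("Domains to pre-register / block this week:")
    for d in PREDICTED:
        print("  ", d)
    print("Hosts seen querying predicted domains:", flag_dga_lookups(SAMPLE_LOG, PREDICTED))
```

The whole defensive value hinges on `predict_domains` being computable ahead of time: once the seed and the clock input are known, the defender can register or block the domains before the botnet operator does, which is exactly why decoding the DGA mattered for the takedown.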
Interestingly, the cybercriminals behind Necurs also sell or rent access to the infected computers to other criminals as part of a botnet-for-hire service. They also distribute ransomware (financially motivated malware) and cryptominers, and the botnet even possesses a DDoS (distributed denial of service) capability that has yet to be activated but could be at any moment.