At the height of its powers, Necurs was one of the most disruptive forces on the internet. A sort of Swiss Army botnet, over the years it has harnessed more than 9 million computers unwittingly under its control to send spam, distribute ransomware, attack financial institutions, and more. Last week, Microsoft pulled its plug.
Necurs has been silent lately—its most recent significant activity petered out last March—but it still has 2 million infected systems awaiting its next command. By disrupting what remains of the botnet—in coordination with law enforcement and internet service providers across 35 countries, and with the help of cybersecurity firms like BitSight and ShadowServer—Microsoft has effectively prevented Necurs from rising again.
“This disruption is the result of eight years of tracking and planning,” wrote Microsoft corporate vice president Tom Burt in a blog post announcing the takedown, “and will help ensure the criminals behind this network are no longer able to use key elements of its infrastructure.” Microsoft declined to comment further, but the company has taken the lead on similar takedowns in the past, given the extent to which operations like Necurs threaten Windows devices and their users.
While botnets are often associated with distributed denial of service attacks, Necurs has a more diverse portfolio. “The reason the Necurs botnet is so pernicious is because the attackers managed to infect so many devices, and leverage this massive botnet for various purposes based on the fact it distributes many other types of malware,” says Yael Daihes, senior security researcher at the content delivery network Akamai. Chief among those is spam; in a criminal complaint filed March 5, Microsoft noted that “one single infected Necurs computer is capable of sending a total of 3.8 million spam emails to over 40.6 million potential victims over a 58 day period.”
Necurs is largely a botnet-for-hire, available to distribute whatever malware a client might want. That includes the infamous GameOver Zeus trojan that plagued the internet nearly a decade ago, as well as the Dridex malware deployed by Evil Corp and others. The criminal complaint also details the use of Necurs to distribute notorious malware like Locky and Trickbot, like a smuggler for the Legion of Doom. The possibilities are endless, from ransomware to banking-information theft to surveillance.
Necurs can also block antivirus updates in older machines, leading to a host of knock-on problems. “For devices using an outdated Windows 7 without updated antivirus protections, Necurs not only cripples the security mechanism that might result in removal of Necurs from the computing device, it may leave victim’s computing devices exposed to many other types of malware,” the complaint reads.
“Necurs, prior to Microsoft’s actions, remained a significant threat even though it seems to have declined in relevance since 2016,” says Evelyn French, senior analyst at Flashpoint, a security firm that has tracked the botnet.
Necurs was first discovered online eight years ago, and linked in the years since to the various malware families that used it for distribution. But the takedown work didn’t start in earnest until 2016, when BitSight began a years-long effort to disentangle the botnet, reverse engineering its structure so that Microsoft and others could actually disrupt it. You can’t fight what you can’t see.
It was a hard slog. Necurs isn’t a single botnet but a family of at least 11, all presumed to be under the control of the same unidentified Russian criminals. Four of those botnets, BitSight found, were responsible for 95 percent of all infections. Moreover, Necurs uses a particularly sophisticated command-and-control structure to relay information to and from the computers it controls.