
Microsoft takes down malicious botnet after years of tracking

13 Mar 2020

Earlier this week, Microsoft, along with partners from 35 different countries, took action to disrupt a notorious botnet which infected more than nine million computers across the world.

The botnet, called Necurs, gained control of the computers using malware and used them to commit crimes remotely.

Microsoft’s Digital Crimes Unit, BitSight and others in the security community first observed the Necurs botnet in 2012, when it was distributing a banking trojan named GameOver Zeus.

The action taken this week by Microsoft is the culmination of tracking and countermeasures in the eight years since its discovery.

Microsoft says the measures taken against Necurs will ensure criminals will no longer be able to use the network to execute cyber attacks.

The scope of Necurs

The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. 

Microsoft reports observing one Necurs-infected computer which sent a total of 3.8 million spam emails to over 40.6 million potential victims.

Necurs is believed to be operated by criminals based in Russia, and over the years its functions have spanned a wide range of cyber threats.

According to Microsoft, it has been used for pump-and-dump stock scams, fake pharmaceutical spam email and “Russian dating” scams. 

It has also been used to steal credentials for online accounts, as well as people’s personal information and confidential data. 

Botnet-as-a-service

Necurs seems to have sparked a profitable business strategy, as reports have emerged indicating those behind the botnet sold and rented access to infected devices.

The botnet’s versatility across functions was key to its success. Necurs distributed financially targeted malware and ransomware, had cryptomining capabilities, and even had a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment.

Last week, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of the U.S.-based infrastructure which Necurs was using to infect victim computers. 

This legal action led to this week’s announcement from Microsoft that the botnet had been disrupted.

This was accomplished by analysing a technique used by Necurs to systematically generate new domains through an algorithm (a domain generation algorithm, or DGA).

Microsoft was then able to accurately predict over six million unique domains that would be created in the next 25 months. 

Microsoft reported these domains to their respective registries in countries around the world so the websites could be blocked and thus prevented from becoming part of the Necurs infrastructure. 
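The three paragraphs above describe one defensive workflow: once a botnet's domain generation algorithm is understood, every domain it will produce in a future window can be computed ahead of time, grouped per registry for blocking, and used to spot infected hosts in DNS logs. The script below is an added illustration of that workflow; it is not Microsoft's code and the generator in it is a hypothetical, constructed algorithm, not the Necurs DGA. The seed value, TLD set, window start date and DNS log lines are all constructed for the example.

```python
# Added example: a defender-side DGA prediction and blocking workflow.
# The generator here is a HYPOTHETICAL, constructed algorithm written for this
# illustration. It is NOT the Necurs DGA and is not Microsoft's code; it only
# stands in for "an algorithm that systematically generates new domains".
import hashlib
from datetime import date, timedelta

START = date(2020, 3, 13)          # first day of the prediction window (constructed)
TLDS = ("com", "net", "biz")       # constructed TLD set used by the toy generator


def toy_dga(day: date, seed: int = 0x1234, count: int = 4) -> list[str]:
    """Constructed date-seeded generator.

    Given the same (day, seed) it always yields the same domains, which is the
    property that lets a defender enumerate them ahead of time.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        # Map 12 bytes of the digest onto a 12-letter label.
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def predict_domains(start: date, days: int, seed: int = 0x1234) -> set[str]:
    """Precompute every domain the generator will produce over a future window."""
    predicted: set[str] = set()
    for offset in range(days):
        predicted.update(toy_dga(start + timedelta(days=offset), seed))
    return predicted


def group_by_tld(domains: set[str]) -> dict[str, list[str]]:
    """Split a prediction set per TLD, the shape needed to report it to each registry."""
    grouped: dict[str, list[str]] = {}
    for d in sorted(domains):
        grouped.setdefault(d.rsplit(".", 1)[1], []).append(d)
    return grouped


def build_sample_log(start: date) -> str:
    """Constructed DNS query log: '<timestamp> <client> <qname>' per line.

    Two hosts each resolve one generated domain among ordinary traffic.
    """
    d0 = toy_dga(start)[0]
    d1 = toy_dga(start + timedelta(days=1))[1]
    return (
        f"2020-03-13T09:12:01Z 10.0.0.15 www.example.com\n"
        f"2020-03-13T09:12:05Z 10.0.0.15 {d0}\n"
        f"2020-03-13T09:13:44Z 10.0.0.22 updates.example.org\n"
        f"2020-03-14T02:00:10Z 10.0.0.22 {d1}.\n"   # trailing dot, as some resolvers log FQDNs
    )


def scan_log(log_text: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose query hits a predicted DGA domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, client, qname = parts
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname.rstrip(".")))
    return hits


if __name__ == "__main__":
    window = predict_domains(START, 30)
    print(f"{len(window)} domains predicted for 30 days")
    for tld, names in group_by_tld(window).items():
        print(f"  report {len(names)} to the .{tld} registry")
    for client, qname in scan_log(build_sample_log(START), window):
        print(f"  {client} queried predicted domain {qname}")
```

The point worth noticing is the window: a prediction set only covers the days it was computed for, so a blocklist built this way has to be regenerated and re-reported before the window runs out, which is why a 25-month prediction like the one described above matters. Matching in `scan_log` normalises case and a trailing dot, since resolver logs differ in how they record query names.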

Microsoft says it is also taking the additional step of partnering with Internet Service Providers (ISPs), domain registries, government CERTs and law enforcement around the world to further safeguard against Necurs’ malware.

The company will be undertaking these collaborations in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among other countries.
