Microsoft partnered with organizations across 35 countries to take steps to disrupt the Necurs botnet. Necurs has infected more than nine million computers worldwide. The steps taken today are the culmination of eight years of tracking and planning and are a significant blow against the infrastructure that Necurs relies on.
Necurs has a massive network for spamming emails to people. In a blog post breaking down the actions taken against Necurs, Microsoft states that over a 58-day period, its investigation observed Necurs-infected computers sending 3.8 million spam emails to over 40.6 million people.
According to Microsoft, Necurs is used to perform a wide range of scams, including pump-and-dump stock scams, fake pharmaceutical scam emails, and “Russian dating” scams. It can also be used to steal credentials for online accounts and steal people’s confidential data. In addition to those scams, Necurs can distribute financially targeted malware and ransomware, and can be used for crypto mining.
Microsoft’s blog post summarizes the specific steps taken this month to battle Necurs:
On Thursday, March 5, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers. With this legal action and through a collaborative effort involving public-private partnerships around the globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future.
These steps allowed Microsoft to predict and report domains that Necurs would use as part of its infrastructure. By doing this, Microsoft inhibits Necurs’ ability to register new domains and stops it from taking control of existing ones. This greatly disrupts the botnet’s infrastructure.
Microsoft will also partner with Internet Service Providers and more organizations around the world to battle the Necurs botnet.