Bekker's Blog


Microsoft Quarterbacks a Major Counterstrike Against a Formidable Botnet

After observing and analyzing a massive botnet for nearly eight years, Microsoft and an international consortium of partners launched a counterstrike against the Necurs computer malware network this week in what they hope will be a devastating disruption.

Necurs is a poster child for what security researchers warn about from botnets -- those packs of hundreds, thousands or millions of PCs, sometimes called zombies, that have been infected with malware and are under the command and control of malicious actors. Think of your parents' under-patched and out-of-support Windows 7 computer infected with a Trojan that enlists that computer in various nefarious schemes. The zombie PC's owner may notice nothing at all, or sometimes suspect a decline in performance.

According to Microsoft, Necurs has had a role in a lot of those nefarious schemes. Believed to be controlled by criminals in Russia, the botnet is also thought to have been used directly by its owners, as well as rented out as a botnet-as-a-service for various online skullduggery. One of its highest-profile roles was aiding in distribution of the GameOver Zeus banking trojan.

In the years since it first came to the attention of security researchers in 2012, the network has infected as many as 9 million computers globally. It has left its nasty digital fingerprints on pump-and-dump stock scams, fake pharmaceutical spam, Russian dating scams, Internet-based computer attacks, credential theft schemes, data theft attempts, cryptomining and, of course, ransomware. While botnets can be a key component of distributed denial-of-service (DDoS) attacks and Necurs has DDoS capabilities, Microsoft says that particular use for the botnet has not been documented.

A blog post from BitSight, a cyber risk management platform provider that worked closely with Microsoft on the Necurs problem, spells out how big a deal Necurs was. "From 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals and was responsible for 90% of the malware spread by email worldwide," BitSight alleged.

In a sign of the complexity and length of the effort against Necurs, BitSight and Microsoft have been collaborating since 2017 to understand technical aspects of the botnet. That effort included techniques such as reverse engineering, malware analysis, module updates, infection telemetry, command and control updates, and forensic analysis, BitSight said.

In parallel with the technical work, Microsoft coordinated an international campaign involving the courts, other tech companies, ISPs, domain registries, government computer emergency response teams and law enforcement.

To prepare for the operational phase, Microsoft on March 5 got an order from the U.S. District Court for the Eastern District of New York. That order allowed Microsoft to take over the systems inside the United States that are used by Necurs for malware distribution and computer infections.

Microsoft and its partners crafted a sophisticated response built on the technical specifics of the Necurs botnet. The bots locate their command-and-control servers through a domain generation algorithm (DGA) rather than a fixed list of addresses, so the operators can register fresh domains as old ones are seized. Having studied the algorithm that Necurs uses to generate new domains, Microsoft used its considerable technical resources to jump ahead of the botnet. "We were then able to accurately predict over six million unique domains that would be created in the next 25 months," wrote Tom Burt, Microsoft corporate vice president for customer security and trust, in a blog post.

The response then leveraged Microsoft's web of global relationships with partner companies worldwide. "Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure," Burt said.
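To make the predict-then-block step concrete, here is an added example that is not from the original post, from Microsoft, or from BitSight. It uses a toy, time-seeded DGA of my own construction (an assumption for illustration; the real Necurs algorithm is not described on this page and is not reproduced here). The point it demonstrates is the asymmetry Burt describes: once the seed derivation is known, a defender can compute every domain the bots will try for months ahead, hand that list to registries as a blocklist, and also use it as a detector for DGA lookups in DNS logs. The function names, the `TLDS` list, the 4-domains-per-day rate and the sample DNS queries are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Illustrative DGA parameters (assumptions for this example, not Necurs' real values).
TLDS = ("com", "net", "biz", "info")
DOMAINS_PER_DAY = 4  # kept small for readability; real botnets generate far more


def _dga_seed(day: str) -> bytes:
    """Seed depends only on the calendar date (ISO string, e.g. '2020-03-05').

    That is exactly the property a defender exploits: anyone who knows the
    scheme can compute every future seed without contacting the botnet.
    """
    return date.fromisoformat(day).isoformat().encode()


def generate_domains(day: str, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Domains a bot would try on `day`, in the order it would try them."""
    seed = _dga_seed(day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        # 12 lowercase letters from the digest, then a TLD chosen by the last byte.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def predict_domains(start: str, days: int) -> Dict[str, List[str]]:
    """Defender side: precompute the full schedule for `days` days from `start`."""
    first = date.fromisoformat(start)
    schedule = {}
    for offset in range(days):
        day = (first + timedelta(days=offset)).isoformat()
        schedule[day] = generate_domains(day)
    return schedule


def blocklist(start: str, days: int) -> Set[str]:
    """Flat set of every predicted domain, i.e. what gets reported to registries."""
    return {dom for doms in predict_domains(start, days).values() for dom in doms}


def matches_dga(domain: str, start: str, days: int) -> Optional[str]:
    """Detection: return the day a queried domain belongs to, or None if benign."""
    for day, doms in predict_domains(start, days).items():
        if domain in doms:
            return day
    return None


if __name__ == "__main__":
    start = "2020-03-05"  # the date of the court order mentioned in the post
    horizon = 30
    print(f"{len(blocklist(start, horizon))} domains to hand to registries")
    # Constructed sample DNS queries: one benign name and one DGA name.
    queries = ["www.microsoft.com", generate_domains("2020-03-20")[1]]
    for q in queries:
        print(f"{q} -> {matches_dga(q, start, horizon)}")
```

Two practical notes. First, the cost of the prediction is linear in the horizon: extending `horizon` from 30 days to the 25 months in Burt's quote only multiplies the loop count, which is why a well-resourced defender can always stay ahead of a DGA whose seed is predictable. Second, the same schedule doubles as a detector: a DNS query for a domain in the schedule is strong evidence of an infected host, while a legitimate name will not collide with a 12-character pseudo-random label.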

The main counterstrike was launched Tuesday from what a detailed New York Times account described as an "eerily empty Microsoft campus" due to most workers having been ordered home to prevent the spread of the coronavirus.

"By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet," Burt said. "Microsoft is also taking the additional step of partnering with Internet Service Providers (ISPs) and others around the world to rid their customers' computers of malware associated with the Necurs botnet."

As a concrete step, Microsoft is pointing users to the Microsoft Safety Scanner to help wipe their computers of malware, including Necurs.

While the Necurs botnet was massive, and Microsoft's effort to attack it required substantial resources, Microsoft executives were resigned to the likelihood that any drops in spam, malware and cyberattacks would be temporary at best. In the NYT article, executives described the effort -- sadly and accurately -- as a game of whack-a-mole.

Posted by Scott Bekker on 03/11/2020 at 10:16 AM


