Microsoft Has Hijacked the Necurs Infrastructure and Crippled the Botnet

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Microsoft has managed to severely disrupt the Necurs botnet operation after a coordinated legal and technical action across 35 countries. Necurs was one of the most successful botnets in the world, distributing malware payloads since 2012 and causing problems mainly in India, Indonesia, Vietnam, Turkey, and Iran. Recently, we reported about how Necurs was having a comeback with an enriched payload repertoire and a hybrid communication approach that enabled it to hide better. However, in 2016, Necurs suffered a technical problem that disconnected 16% of its bots, and the recent developments may have delivered the final blow.

Microsoft says their "Digital Crimes Unit", BitSight, and more of their partners have been tracking and mapping Necurs for eight years now. They concluded that the operators of the botnet are based in Russia, and they estimate the number of total victims to be more than nine million. Apparently, Necurs actors were compromising systems and then renting access to them as part of a "botnet-for-hire" service. Last week, they managed to secure a seizure order by the U.S. District Court of New York, which enabled them to take full control of the U.S.-based infrastructure that supported Necurs.

In addition to the seizure, Microsoft also ensured that the operators of the botnet won’t be able to register new domains, as the tech giant figured out what system they were using to do that. More specifically, Necurs was generating new domains through an algorithm that Microsoft has managed to steal. Thus, they managed to accurately predict more than six million domains that would be created over the upcoming 25 months and proactively reported them to domain name registries in various countries. As a result, the disruption after the infrastructure takeover was significant, and hopefully - it will be one that the botnet won’t be able to recover from.

As for the computers that carry bots that belong to Necurs, Microsoft has shared technical data with many Internet Service Providers (ISPs) from around the world, to point them to the customers whose computers remain infected. White-hat hackers and security companies are always looking for ways to stop botnets instead of merely defending against their direct activity. In August 2019, Avast managed to stop the "Retadup" worm by replacing its C&C, following a collaboration with the French police and the FBI. Whether or not the Necurs will return, we will have to wait and see, but it will be hard. The two million systems that remain infected out there will definitely play a key role in that part.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: