On March 10, Microsoft and its partners across 35 countries, including in India, disrupted one of the world’s largest botnets — a network of computers that a cybercriminal has infected with malicious software, or malware — which is believed to have infected over 9 million computers globally. The disruption was aimed at botnet group Necurs, which is presumably operated by criminals based in Russia. It is one of the largest networks in the spam email threat ecosystem, “with victims in nearly every country in the world”, Microsoft said. The botnet was first observed in 2012.
What is the Necurs botnet? Necurs botnet has been used to attack other computers on the internet, steal credentials for online accounts, and steal people’s personal information and confidential data.
- The group also distributes financially targeted malware and ransomware, cryptomining, and even has a DDoS (distributed denial of service) capability that has not yet been activated but could be at any moment, Microsoft said.
- Microsoft observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.
How they disrupted Necurs: After receiving approval from a U.S. Court to take control of Necurs’ infrastructure in the U.S. on March 5, Microsoft was able to accurately predict over 6 million unique domains that would be created in the next 25 months. It then reported these domains to respective registries to block those websites to significantly disrupt the botnet.
Microsoft worked with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others to bring this network down.