Botnet Linked to Criminals in Russia That Infected 9 Million Computers to Spew Spam and Malware is Disrupted

A cybercrime operation that impacted millions of computers around the world, causing them to send spam, commit data theft, and spread malware, has been disrupted.

The Necurs botnet, tied to the infection of more than 9 million devices since 2012, has been traced to criminals who appear to be based in Russia. The botnet took a major hit this week following a joint takedown project spanning 35 countries, according to Microsoft, which spearheaded the effort.

Broadly, a botnet is a swarm of devices infected with malware that can then be remotely joined to attack other computers, conduct fraud, or steal personal data.

Experts found that the culprits behind Necurs, who were not individually named, had been renting out access to the vast botnet to other cybercriminals.

The zombie network was linked to a slew of malicious activity over the years, including pump-and-dump stock scams, fake pharmaceutical spam email, Russian dating scams, financial malware, and ransomware, experts said.

Tom Burt, corporate vice president of Microsoft's customer security and trust division, described Necurs as being "one of the largest networks in the spam email threat ecosystem" and revealed that it had amassed victims in "nearly every country in the world" since surfacing eight years ago.

Microsoft said one Necurs-infected computer sent out a total of 3.8 million spam emails to over 40.6 million potential victims over a 58-day period during the investigation.

On March 5, the District Court for the Eastern District of New York issued an order letting Microsoft take control of the U.S.-based infrastructure the Necurs operators use to infect computers. The effort is intended to stop the criminals from registering internet domains for use in future attacks.

"This was accomplished by analyzing a technique used by Necurs to systematically generate new domains through an algorithm," Burt explained in a blog post. "We were then able to accurately predict over six million unique domains that would be created in the next 25 months.

"Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By... inhibiting the ability to register new [domains], we have significantly disrupted the botnet."
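An added illustration, not from the article or from Microsoft, of the defensive technique Burt describes: once a botnet's domain-generation algorithm has been recovered from a sample, a defender can enumerate the domains it will produce over the coming months, hand that list to registries for blocking, and match DNS logs against it. The generator below is a constructed stand-in, not the real Necurs algorithm (which the article does not describe); the seed, the domains-per-day count, the log format and the client addresses are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a reverse-engineered DGA. This is NOT the Necurs
# algorithm (the article does not describe it); it only shows the defender's
# task: once the generator is known, every future domain is predictable.
SEED = 0x5EED            # hypothetical hard-coded seed recovered from a sample
TLDS = ["com", "net", "org", "biz"]
PER_DAY = 4              # hypothetical: domains the bot tries each day

def dga_domain(day_iso: str, index: int, seed: int = SEED) -> str:
    """Derive the index-th domain for a calendar day (ISO 'YYYY-MM-DD')."""
    digest = hashlib.sha256(f"{seed}:{day_iso}:{index}".encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"

def predict_domains(start_iso: str, days: int, seed: int = SEED) -> set:
    """Enumerate the domains the generator will use over the coming window,
    i.e. the list a defender would hand to registries for blocking."""
    start = date.fromisoformat(start_iso)
    predicted = set()
    for offset in range(days):
        day_iso = (start + timedelta(days=offset)).isoformat()
        for index in range(PER_DAY):
            predicted.add(dga_domain(day_iso, index, seed))
    return predicted

def flag_dns_log(lines, blocklist) -> list:
    """Return (client, domain) for each DNS query line that hits a predicted
    domain; constructed log format is '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        domain = qname.lower().rstrip(".")
        if domain in blocklist:
            hits.append((client, domain))
    return hits

if __name__ == "__main__":
    blocklist = predict_domains("2020-03-05", days=30)
    sample_logs = [  # constructed sample DNS query records
        f"2020-03-06T10:00:00Z 10.0.0.7 {dga_domain('2020-03-06', 1)}.",
        "2020-03-06T10:00:01Z 10.0.0.8 example.com.",
    ]
    print(len(blocklist), "domains predicted;", flag_dns_log(sample_logs, blocklist))
```

The same enumeration, run over a window of months rather than days, is what lets a defender report the domains before the bots ever try to resolve them.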

U.S. cybersecurity company BitSight was one firm involved in the takedown.

In its analysis, the firm said Necurs seemed to be controlled by a single group and was responsible for 90 percent of the malware spread by email worldwide between 2016 and 2019.

It said that 11 Necurs botnets had been discovered in total, four of which were the most active and were tied to approximately 95 percent of all computer infections by the group.

"Since March 2019, the Necurs botnets' activity stalled but left an estimated two million infected systems in a dormant state waiting for the botnets to revive," the team noted.

The BitSight researchers added: "We knew in advance that Necurs was in idle mode for a while and had already been replaced by others but... there were still an estimated two million infected bots waiting for master commands—and that could happen at any time if no action was taken."

File photo: Typing on laptop. The Necurs botnet was traced to criminals based in Russia and took a major hit this week after a joint takedown project spanning 35 countries, said Microsoft. iStock