Microsoft nukes 9 million-strong Necurs botnet after unpicking domain name-generating algorithm

Takedown should (in theory) see spam volumes shrink rapidly

Microsoft has bragged of downing a nine million-strong Russian botnet responsible for vast quantities of email spam.

The Necurs botnet, responsible over the years for quite a considerable volume of spam – as well as being hired out to crims pushing malware payloads such as the infamous Locky ransomware and Dridex malware – was downed by Microsoft and its industry chums following a US court order allowing the private sector companies to go in hard and heavy on the botnet.

Redmond's Tom Burt said in a blog post: "Necurs is believed to be operated by criminals based in Russia and has also been used for a wide range of crimes including pump-and-dump stock scams, fake pharmaceutical spam email and 'Russian dating' scams."

Microsoft researchers figured out how the algorithm that generated new, unique domains for Necurs' infrastructure operated, and were able to correctly guess six million domain names that would be generated over a 25-month period, the company said. These domains were then reported to registrars so they could be promptly blocked.
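As an added illustration (not from the article or from Microsoft), here is how a defender who has recovered a date-seeded domain generator can precompute its future output and match it against DNS logs. The generator `toy_dga`, its seed, the TLD list and the log lines are all constructed for this sketch and are not the Necurs algorithm.

```python
import hashlib
from datetime import date, timedelta

SEED = b"constructed-seed"     # hypothetical constant recovered from a sample
TLDS = ("com", "net", "org")   # constructed TLD list

def toy_dga(day, index):
    """Hypothetical date-seeded generator; NOT the Necurs algorithm."""
    material = SEED + day.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).digest()
    length = 8 + digest[0] % 8                      # label of 8 to 15 letters
    label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
    return f"{label}.{TLDS[digest[31] % len(TLDS)]}"

def predict(start, days, per_day):
    """Precompute every domain the generator emits in the window."""
    out = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for i in range(per_day):
            out[toy_dga(day, i)] = day              # domain -> generation date
    return out

def flag_queries(dns_log_lines, predicted):
    """Return (client, domain, generation date) for queries to predicted domains."""
    hits = []
    for line in dns_log_lines:
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()           # normalise FQDN dot and case
        if qname in predicted:
            hits.append((client, qname, predicted[qname]))
    return hits

# Constructed DNS log: timestamp, client IP, queried name.
_bot_domain = toy_dga(date(2020, 3, 12), 3)
SAMPLE_LOG = [
    "2020-03-12T08:14:01Z 10.0.0.7 example.com.",
    f"2020-03-12T08:14:02Z 10.0.0.23 {_bot_domain.upper()}.",
    "2020-03-12T08:14:05Z 10.0.0.7 example.org.",
]

if __name__ == "__main__":
    window = predict(date(2020, 3, 10), days=7, per_day=5)
    for client, domain, day in flag_queries(SAMPLE_LOG, window):
        print(f"{client} queried predicted domain {domain} (generated for {day})")
```

The same precomputed set serves both purposes the article describes: it is the list handed to registrars for blocking, and any internal client resolving one of those names is a likely infected host.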

"By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet," beamed Burt. "Interestingly, it seems the criminals behind Necurs sell or rent access to the infected computer devices to other cybercriminals as part of a botnet-for-hire service."

He added: "For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others."

Back in 2017 we reported Cisco Talos' findings that the botnet had gone offline for several months before reappearing to peddle a financial scam. ®