Thursday, March 12th 2020

Microsoft Part of Global Operation to Disrupt World's Largest Online Criminal Network

Microsoft today announced that it was part of a global operation to disrupt what it describes as the world's largest online criminal network. Dubbed Necurs, the network is a botnet: a large number of computers infected with malware that act on the instructions of a botmaster, the criminal operator who administers the compromised machines for nefarious purposes.

Believed to be operated by criminals based in Russia, Necurs infected more than nine million computers globally, and the takedown involved partners across 35 countries. It was one of the largest spam email threat ecosystems known to authorities, and was also used for pump-and-dump stock scams, fake pharmaceutical spam and "Russian dating" scams. To give a sense of scale: during a 58-day period of the investigation, a single Necurs-infected computer was observed sending 3.8 million spam emails to over 40.6 million potential victims.

Bringing Necurs down took eight years of tracking and planning, and a joint effort between the courts and key technology players. These efforts culminated, according to Microsoft, in a court order that enabled the company to take control of the U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers. The plan was twofold: disrupt the botnet's currently active command-and-control domains, and break its domain generation algorithm (DGA), the routine by which infected machines compute new rendezvous domains on a schedule. By analyzing the DGA, Microsoft could predict the domains the botnet would try to register in the future and act against them before the botmaster could use them.

The company added: "Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet."

Microsoft is also partnering with Internet Service Providers (ISPs) and others around the world to rid their customers' computers of malware associated with the Necurs botnet. The remediation effort is global in scale and involves partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP).
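
The Python below is an added example, not Microsoft's code and not the real Necurs algorithm (the article does not describe it). It uses a hypothetical date-seeded DGA to show the technique the paragraphs above rely on: once defenders have reverse-engineered the algorithm and recovered its seed, they can run the same computation the bots run, enumerate every domain the botnet will compute for any future day, hand that list to registries or sinkhole it, and match it against DNS query logs to find the infected hosts that ISPs are asked to clean up. The seed, TLD table, domains-per-day count and log lines are all constructed for the example.

```python
"""Predict-and-block for a date-seeded DGA. Added example: the algorithm,
seed, TLD table and log lines are hypothetical, not Necurs's real DGA."""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

SEED = b"example-botnet-seed"         # assumed: recovered by reverse engineering the bot
TLDS = ("com", "net", "biz", "info")  # assumed TLD table embedded in the bot
DOMAINS_PER_DAY = 4                   # assumed number of rendezvous domains per day


def dga_domains(seed: bytes, day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """What every bot computes for one day: SHA-256(seed || date || index),
    mapped to a 12-letter label plus a TLD. Deterministic, so a defender who
    holds the seed can run exactly the same computation."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def predict_domains(seed: bytes, start: date, days: int) -> set[str]:
    """Defender side: enumerate every domain the DGA will produce over a
    window of days, ahead of time, so the names can be reported to registries,
    pre-registered or sinkholed before the botmaster can use them."""
    return {
        domain
        for offset in range(days)
        for domain in dga_domains(seed, start + timedelta(days=offset))
    }


def parse_query_log(lines: list[str]):
    """Yield (client_ip, qname) from constructed 'timestamp client qname.' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].rstrip(".").lower()


def find_infected_hosts(lines: list[str], predicted: set[str]) -> dict[str, list[str]]:
    """Map each client that resolved a predicted DGA domain to the domains it hit;
    these are the machines to hand to ISPs for remediation."""
    hits: dict[str, set[str]] = {}
    for client, qname in parse_query_log(lines):
        if qname in predicted:
            hits.setdefault(client, set()).add(qname)
    return {client: sorted(domains) for client, domains in hits.items()}


# Worked run: predict a 90-day window starting on the takedown date, then
# scan a constructed DNS log for hosts resolving any of those names.
START = date(2020, 3, 12)
PREDICTED = predict_domains(SEED, START, days=90)
TODAY = dga_domains(SEED, START)
LATER = dga_domains(SEED, START + timedelta(days=3))

SAMPLE_LOG = [  # constructed log lines, not real traffic
    f"2020-03-12T09:00:01Z 10.0.0.5 {TODAY[0]}.",
    "2020-03-12T09:00:02Z 10.0.0.6 www.example.com.",
    f"2020-03-12T09:00:03Z 10.0.0.5 {LATER[1]}.",
    "2020-03-12T09:00:04Z 10.0.0.7 mail.example.net.",
]

if __name__ == "__main__":
    print(f"{len(PREDICTED)} domains predicted for the next 90 days")
    for client, domains in find_infected_hosts(SAMPLE_LOG, PREDICTED).items():
        print(f"{client} resolved DGA domains: {', '.join(domains)}")
```

The point of the split between `dga_domains` and `predict_domains` is that the defender never needs to observe the botnet register a name: possession of the algorithm and seed is enough to compute the full future schedule, which is exactly what makes reporting the domains to registries ahead of time possible. Against a real DGA the hard part is the reverse engineering, not the enumeration.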
Source: Microsoft

19 Comments on Microsoft Part of Global Operation to Disrupt World's Largest Online Criminal Network

#1
_UV_
Spam e-mails in 2020 with 40 million targets around the WHOLE world... :clap:, that was relevant in 2005-2012. :respect::respect::respect: MS
#2
Manoa
yhe microsoft don't wanne anyone else stilling money other than themselfs :)
#3
The Quim Reaper
Lol..Russians.

Doing everything they can to live up to being the world's comic book villains.

It's almost as if they have no other purpose for existing as a country.
#4
GlacierNine
Wait.

How can they have sent 3.8 million messages to 40 million targets? Am I missing something here?
#5
Mats
Manoa
yhe microsoft don't wanne anyone else stilling money other than themselfs :)
That doesn't make sense, at all.
#6
GlacierNine
Manoa
yhe microsoft don't wanne anyone else stilling money other than themselfs :)
Can you try repeating this in human?
#8
voltage
More are Iranian, not Russian. Outdated to think otherwise, go do your own research. 70% is known to be from Iran and a few other neighboring areas.
#9
Minus Infinity
The Quim Reaper
Lol..Russians.

Doing everything they can to live up to being the world's comic book villains.

It's almost as if they have no other purpose for existing as a country.
I have to agree, they seem to go out of their way to live up to their stereotype. Putin's the problem and they are trying to let him stay in power until 2036.
#10
DeathtoGnomes
GlacierNine
Wait.

How can they have sent 3.8 million messages to 40 million targets? Am I missing something here?
Yes, math. Each message has multiple targets.
#11
timta2
voltage
More are Iranian, not Russian. Outdated to think otherwise, go do your own research. 70% is known to be from Iran and a few other neighboring areas.
Who's more credible here, Microsoft or random guy on the internet?
#12
lexluthermiester
timta2
Who's more credible here, Microsoft or random guy on the internet?
That's actually a tough call sometimes.... :roll:
#13
silentbogo
The Quim Reaper
Lol..Russians.

Doing everything they can to live up to being the world's comic book villains.
They've only disrupted the infrastructure. No one knows where these are from. Could be Chinese, Iranian, Turkish or Romanian.
And the whole thread is very understated in this MS fluffpiece. It started way longer than 58 days ago, and the scope is way bigger than what they say.
Necurs is believed to be operated by criminals based in Russia
To quote the source, "believed" is a keyword.

Over the past year spam problems intensified so much that I went from simple monthly checkups on our mail server, to weekly marathons of re-working and adding new custom filters.
Including all the crap sent to bogus addresses in our domain, we get thousands of spam messages daily. SpamAssassin, Spamhaus, or any other anti-spam/blacklisting service is of no use.

We also have a huge outbreak of ransomware (which conveniently started around 3 months ago), and attacks range from the usual spam vector to targeted attacks on machines with an unpatched RDP vulnerability. It sounds silly, but we have lots of greedy small/medium business retards running pirated Windows 7 or Server 2013 with updates disabled, facing the world on port 3389 while having weak credentials.
#14
BiggieShady
Enough with the Russians and Iranians theories please... it's a botnet, it's everywhere, the "Admin" is probably at some resort in the Seychelles, who cares where his parents are from?
It's not like he's running an illegal streaming service and needs low-regulation hosting + a domain name.
#15
Recus
100% this botnet had support from ruskies government.
#16
Totally
DeathtoGnomes
Yes, math. Each message has multiple targets.
There isn't math, just poor wording. Even if that wasn't the case, as written in the article an operator isn't declared and the reader has to make an assumption for it to make sense, an assumption that is most likely wrong because there is no operator, due to the TPU author trying to spice things up or by accident. Here is the original text:

"...sent a total of 3.8 million spam emails to over 40.6 million potential victims."

36.8 million potential victims do not receive an email. 3.8 million sent emails doesn't sound so impressive, right? But wait!

"During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims."

There is more than just one computer in the botnet, and how many are there? No one knows besides the botmaster.
#17
DeathtoGnomes
Totally
There isn't math, just poor wording. Even if that wasn't the case, as written in the article an operator isn't declared and the reader has to make an assumption for it to make sense, an assumption that is most likely wrong because there is no operator, due to the TPU author trying to spice things up or by accident. Here is the original text:

"...sent a total of 3.8 million spam emails to over 40.6 million potential victims."

36.8 million potential victims do not receive an email. 3.8 million sent emails doesn't sound so impressive, right? But wait!

"During a 58-day period in our investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims."

There is more than just one computer in the botnet, and how many are there? No one knows besides the botmaster.
There are several botnets around for varying purposes from what I've read, /tin-hat.
#18
Totally
GlacierNine
Wait.

How can they have sent 3.8 million messages to 40 million targets? Am I missing something here?
It's trying to say that one infected computer in the network sent 3.8 million messages and chose from a list of 40 million to send them to.