“Necurs, prior to Microsoft’s actions, remained a significant threat even though it seems to have declined in relevance since 2016,” says Evelyn French, senior analyst at Flashpoint, a security firm that has tracked the botnet.

Necurs was first discovered online eight years ago, and linked in the years since to the various malware families that used it for distribution. But the takedown work didn’t start in earnest until 2016, when BitSight began a years-long effort to disentangle the botnet, reverse engineering its structure so that Microsoft and others could actually disrupt it. You can’t fight what you can’t see.

It was a hard slog. Necurs isn’t a single botnet but a family of at least 11, all presumed to be under the control of the same unidentified Russian criminals. Four of those botnets, BitSight found, were responsible for 95 percent of all infections. Moreover, Necurs uses a particularly sophisticated command-and-control structure to relay information to and from the computers it controls.

In the most basic command-and-control set-up, a piece of malware will attempt to communicate with a single domain, from which hackers give instructions. Necurs is far from basic. Rather than rely on a fixed site, it uses a so-called domain generation algorithm, or DGA, to create 2,048 potential domains every four days, giving its zombie computers a lot of flexibility. “It’s a function to change the domains it talks to basically every day, every week, every month. That can be variable based on what the person who wrote it wants to be doing,” says Dan Dahlberg, BitSight’s head of security research. “Today the botnet may try to talk to 50 different domains to try to find the one the actor actually controls. The next day it might change to another 50.”

Several botnet families use DGAs. Necurs adds its own twists, though, primarily centered on adaptability. Once an infected machine successfully links up with a Necurs command-and-control domain, it stops reaching out elsewhere until that connection gets broken for whatever reason. Only then does it resort to the DGA. It also uses multiple layers of command-and-control servers, and enables devices connected to the same server to communicate with others in that cluster, and compare notes about what domains are functional.

“It has this kind of defense-in-depth communication structure, almost similar to how a company would structure its internal security tools to have this escape and fallback mechanism,” says Dahlberg. “And of course as these malware families implement more complex methods of communication, it makes disruption and takedowns much more complicated.”

The most effective way to stymie a botnet is to seize those command and control domains to cut off communication. That’s what makes a DGA such an effective weapon; companies like BitSight and Microsoft are left chasing thousands of new domains every week. But it’s also how they ultimately threw up an effective roadblock. By cracking the underlying algorithm, Microsoft was able to identify the next 6,144,000 domains that Necurs was scheduled to populate over the next 25 months, and alerted the authorities in relevant countries so that they could block their registration. A court order also allowed Microsoft to seize current Necurs domains located in the US. The company is also working with ISPs around the world to identify people with infected devices, and help them scrub their machines.

Other botnets, particularly Emotet, have ascended since Necurs went quiet a year ago. Crippling Necurs still serves an important purpose, though. “Even though it is dormant, we don’t know what the possibility is of it coming on line again for nefarious purposes,” says Dahlberg.

Microsoft and its partners have ensured that if the botnet does try to mount a comeback, it won’t have very many places left to turn.


More Great WIRED Stories