Brian Barrett, writing for Wired.com, detailed how Microsoft finally put an end to the infamous botnet Necurs. The way Microsoft did it feels like it was ripped from a cop movie: the slow build to a conclusion and, ultimately, the cutting off of the botnet make for an informative story. The article covers not only what Necurs did and how it gained infamy, but also how far Microsoft had to go to stop it. The chase would culminate nearly ten years after the botnet’s first appearance. While Necurs is no longer the largest botnet out there, or certainly the most prominent, it was a big deal in the cyber-security world, and its effective capture is an even bigger deal.
Necurs, the botnet thought to originate out of Russia, is a sleeping beast. Microsoft notes that a computer infected with the botnet “is capable of sending a total of 3.8 million spam emails to over 40.6 million potential victims over a 58 day period”. This staggering spam penetration is coupled with the fact that Necurs has been around for quite some time. When the botnet first appeared on the scene eight years ago, it was known for being a big player in the game, with a portfolio boasting “the infamous GameOver Zeus trojan that plagued the internet nearly a decade ago, as well as the Dridex malware deployed by Evil Corp and others”. Today, it is a sleeping giant. Despite the tremendous damage it caused while active, being a botnet-for-hire and a popular one at that, it hasn’t been very active recently. This downtime allowed Microsoft and Bitsight to narrow down how it had been escaping them for so long. The botnet uses an algorithm, the article says, that changes the domain names the infected computers check in with. It does this so frequently that it became incredibly hard to stop the infected computers from communicating with the random fifty new domains generated every few days. Microsoft and Bitsight, their partner in the capture, ultimately backed the botnet into a corner by reverse engineering the algorithm and shutting down “the next 6,144,000 domains that Necurs was scheduled to populate over the next 25 months”. This effectively stamped out the fire for Necurs.
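To make the takedown mechanics concrete, here is an added example that is not code from the article, from Microsoft or from Bitsight, and is not the real Necurs algorithm, which the article does not describe. It uses a constructed toy domain generation algorithm that rotates a batch of fifty names every few days, shows the defender-side step of precomputing every name the algorithm will produce over a future window so those names can be registered or sinkholed before the bots reach them, and ends with a check that flags DNS log lines hitting the predicted names. The seed, epoch, period length, top-level domains and log format are all assumptions chosen for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

# Constructed toy DGA for illustration only; it is NOT the Necurs algorithm,
# whose details are not given in the article. Every PERIOD_DAYS a fresh batch
# of DOMAINS_PER_PERIOD domains is derived from a fixed seed and the period
# number. A bot and a defender who both know SEED and this function compute
# exactly the same list for any past or future date.
SEED = b"constructed-example-seed"      # assumed; a real DGA hides its seed
EPOCH = date(2020, 1, 1)                # assumed start of period numbering
PERIOD_DAYS = 4                         # assumed rotation interval
DOMAINS_PER_PERIOD = 50                 # matches the "fifty new domains" in the text
TLDS = ("com", "net", "biz")            # assumed


def period_index(day: date) -> int:
    """Which rotation period a calendar day falls in."""
    return (day - EPOCH).days // PERIOD_DAYS


def domains_for_period(idx: int) -> List[str]:
    """The batch of domains the bots will try during period `idx`."""
    out = []
    for i in range(DOMAINS_PER_PERIOD):
        material = SEED + idx.to_bytes(8, "big") + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def dga_domains(day: date) -> List[str]:
    """Bot side: the domains a bot would contact on `day`."""
    return domains_for_period(period_index(day))


def predict_future_domains(start: date, days_ahead: int) -> Set[str]:
    """Defender side: once the algorithm is reverse engineered, precompute
    every domain the bots will try from `start` for `days_ahead` days, so the
    names can be registered or sinkholed before the bots reach them."""
    first = period_index(start)
    last = period_index(start + timedelta(days=days_ahead))
    predicted: Set[str] = set()
    for idx in range(first, last + 1):
        predicted.update(domains_for_period(idx))
    return predicted


def flag_dga_lookups(dns_log_lines: Iterable[str],
                     predicted: Set[str]) -> List[Tuple[str, str]]:
    """Detection: match DNS query logs (constructed format
    '<timestamp> <client_ip> <queried_name>') against the predicted set and
    return (client_ip, domain) pairs, i.e. hosts that are likely infected."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                       # skip malformed lines
        _ts, client_ip, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in predicted:
            hits.append((client_ip, qname))
    return hits


if __name__ == "__main__":
    # Constructed sample: roughly the 25-month horizon mentioned in the text.
    today = date(2020, 3, 10)
    blocklist = predict_future_domains(today, 25 * 30)
    print(f"{len(blocklist)} domains to pre-register or sinkhole")
    # Constructed DNS log: one benign lookup, one lookup of a DGA domain.
    sample_log = [
        "2020-03-10T12:00:00Z 10.0.0.7 example.com.",
        f"2020-03-10T12:00:05Z 10.0.0.42 {dga_domains(today)[3]}.",
    ]
    for client_ip, domain in flag_dga_lookups(sample_log, blocklist):
        print(f"possible bot: {client_ip} looked up {domain}")
```

The hard part, and the part the article says took years, is recovering the function and its seed from the malware; once both are known, the future domain list is deterministic and the blocklist can be computed as far ahead as the registrars will cooperate, which is what the 25-month figure in the text reflects. The DNS log matcher is the operational payoff for a defender: any host querying a predicted name is worth investigating even before the sinkhole sees its traffic.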
There are lots of intriguing bits to the Necurs capture. One of the most interesting is that not only did it take eight years for Microsoft, one of the largest software companies in the world, to cuff the botnet, but the article goes on to mention that more prevalent botnets have since appeared. Like crime in the physical world, the loop is endless; the game of whack-a-mole doesn’t end with Necurs. You can only hope that the method of reversing the domain algorithm can be used on other prominent botnets as well. Secondly, the length of time it took some of the best minds in the computer science sector to halt this botnet is astounding: reverse engineering the algorithm that Necurs used took nearly eight years. This certainly makes me wonder what kind of people are creating these botnets for them to be this sophisticated. Wins like silencing Necurs, even for the next 25 months, seemingly don’t come often, so it is important to analyze why the capture took so long and, in the end, what made it successful.