Microsoft nukes 9 million-strong Necurs botnet after unpicking domain name-generating algorithm

Microsoft has bragged of downing a nine million-strong Russian botnet responsible for vast quantities of email spam. The Necurs botnet, responsible over the years for quite a considerable volume of spam – as well as being hired out to crims pushing malware payloads such as the infamous Locky ransomware and Dridex malware – was …

  1. IceC0ld Silver badge

    MS at least try to be the good guys every now and then

    took some time, but reading the - very basic - details, it would appear to be a fully integrated effort from a lot of people around the world, so kudos to them for the result.

    BUT

    are the botnets so large because it's a Windows thing ? ie, Windows is inherently 'weaker' so easier to break ?

    or because Windows is still such a big player that the options to trap millions of *nix servers isn't available ?

    Serious question BTW

    1. jake Silver badge

      Re: MS at least try to be the good guys every now and then

      The answer to your questions is "yes".

      Also, the bulk of Windows users are quite gullible when it comes to technology. (Note that I have made no comment about any other OS before your knee jerks itself out of socket.)

      1. bombastic bob Silver badge
        Devil

        Re: MS at least try to be the good guys every now and then

        agreed - "safe surfing" works, even on unpatched windows systems.

        I'm sure the malware infections target people who aren't suspicious enough. And of course, windows is the big target. 'Droid seems to be attracting similar kinds of attention [and it's Linux under the hood] but at least the kernel side should be rock-solid. Userland applications, however...

        (and isn't that USUALLY where the virus/trojan infections take place, in a vulnerable userland application?)

        Meltdown and derivatives notwithstanding, you usually need some kind of entry vector. And it's probably a browser or someone getting tricked into "download this to view the content".

        1. Jon 37

          Re: MS at least try to be the good guys every now and then

          > "safe surfing" works, even on unpatched windows systems

          Sadly not true. Any site that serves ads may also be serving you malware that will get installed automatically unless you have a patched system. An ad blocker helps a lot, and is an essential security tool nowadays, but is not perfect.

          https://en.wikipedia.org/wiki/Malvertising#History

    2. Flocke Kroes Silver badge

      Re: MS at least try to be the good guys every now and then

      Windows was a security disaster and Microsoft spent years not doing anything about it - in part because any improvements in security would have pissed off users by breaking lots of legacy software. By the time Microsoft started to make a serious effort criminals had all the resources they needed to keep up. Windows is still a major target despite massive improvements in security for many reasons: criminals have lots of experience, there is a large supply of machines that are badly defended and plenty have security features actively undermined by computer illiterate users.

      There are millions of *nix servers but the big server farms have had a reasonable defensive budget and the resulting security patches have been quickly distributed thanks to free software's upgrade continuously for free history. Make an ssh server visible on the internet and someone will promptly try to brute force access to it. This has been true for decades so presumably there is a large supply of badly configured *nix machines worth exploiting. The tools to make a *nix machine more trouble than it is worth to all but the most experienced / funded criminals / NSA agents are freely available to anyone who makes the effort to understand them.

      Please learn of Microsoft's early mistake and make an effort proportional to the value of the data you are defending no matter what OS you choose.

      1. Anonymous Coward

        Re: MS at least try to be the good guys every now and then

        The massive lie that underpins the continued use of Windows is leaving out the cost of labour in TCO discussions. As soon as you add in the cost of lost time and the efforts to keep it anywhere near reasonably secure, TCO does not favour Windows.

        It never has.

        1. jake Silver badge

          Re: MS at least try to be the good guys every now and then

          Indeed. How many man-hours world-wide would have been saved if the corporate world had quite sensibly told Redmond to fuck off way back when? More to the point, why the fuck do people still allow the garbage from Microsoft on their corporate systems? I wonder how many billions of dollars (trillions?) have been wasted in this charade?

          1. RyokuMas Silver badge
            Stop

            Re: MS at least try to be the good guys every now and then

            "How many man-hours world-wide would have been saved..."

            Probably very few; yes, Windows security may be less robust than that of other operating systems, but had these other operating systems become more widely adopted, there would have inevitably come a tipping point when the cyber-criminals decided that they were worth the effort.

            And this "wider adoption" has to be considered across all markets: how many of these Windows botnet agents are going to be someone's home PC, where there is no (hopefully) threat-savvy IT department to configure protection, and it's down to the users' own knowledge (or lack thereof)?

            After that point, it would only have been a matter of time until someone had broken in; the idea that any system is secure enough to resist all penetration attempts is delusional.

            1. Anonymous Coward

              Re: MS at least try to be the good guys every now and then

              Ah yes, the "widely adopted" excuse..

              Weirdly, that doesn't appear to work much for Linux. I'm old enough to remember that Linux exactly got its chance in corporate deployment because its SMB was actually stable, and the rest is history.

              I can understand the angst to have Windows confirmed for the crud it is. I just don't think that the fact that a great many people depend on its continued existence for their livelihood is an excuse to avoid reality.

              Now please, MS marketing team, get on with downvoting. I'm about to crack the 10k of downvotes. That is, of course, against 63k up, but it's still a worthy effort. And easy. I just have to kick Microsoft's shins, or Julian Assange's..

              1. RyokuMas Silver badge
                Facepalm

                Re: MS at least try to be the good guys every now and then

                Ah yes, the "selective reading" counter-argument - opting to completely miss the acknowledgement that Windows' security is not up to the standard of other operating systems in order to express personal feelings (.. and should that last word be in caps?)

                So here it is again: yes, Windows security is far from brilliant, and others do it better. However, the weakest link in the chain is invariably the end user. And due to their more niche adoption, the end users of these other operating systems - especially outside the business environment - tend to be more tech-savvy and clued up on security than the average Joe who has just bought a new Windows 10 box from PC World.

                When the reward is great enough, there will always be someone willing to spend the time needed to find a way of attacking a system - be that directly through exploiting how the system is built (and yes, to re-iterate, Windows is especially guilty of this), or through its users. Android is a prime example of this - yes, in this case the attack almost always involves manipulating the user in some way as this approach requires the lowest effort.

                At the end of the day, regardless of whether the box is running Windows or something else, stopping Joe Average from clicking that link which promises fast cash/nude pics/whatever is a battle of education. Maybe if the more vocal, self-righteous members of the communities surrounding these other operating systems stopped counting their votes, got down off their anti-Windows soap boxes and started actually explaining to the less tech-savvy what the issue is and how to use these other operating systems to overcome it, perhaps these other operating systems would stand a greater chance of gaining traction...

                1. Denarius Silver badge

                  Re: MS at least try to be the good guys every now and then

                  Assisting Joe User? Bwahahaja! Futile until the superstition that computers are more than a complex machine is dead, buried and actively mocked by Hollywood

      2. Version 1.0 Silver badge

        Re: MS at least try to be the good guys every now and then

        Microsoft's first attempt at security was shouted down everywhere, OK, so Vista wasn't a perfect solution but it was a start and everyone was running around saying that it was a disaster because it made users actually have to work at security.

        But it's not just the computers and users that are the problem, every computer is connected to the internet and the standard ISP supplied access device has issues too and anyone can hook up to the internet and try and break into your computer.

        Security in the internet today is like making everyone walk around naked all the time and then complaining about the backroom chatter.

        1. jake Silver badge

          Re: MS at least try to be the good guys every now and then

          TehIntraWebTubes isn't secure. Worse, it can't be made secure.

          And yet somehow none of my systems have ever been broken into. Yet. (Not paranoid, but I'm getting there. I am, however, quite pragmatic ... that's why most of the Internet facing gear is BSD, and the rest is mostly Slackware.)

          1. Andy Law

            Re: Dead on arrival

            > And yet somehow none of my systems have ever been broken into. Yet.

            To your knowledge...

            1. This post has been deleted by its author

          2. keith_w Bronze badge

            Re: MS at least try to be the good guys every now and then

            Funny enough, none of my Windows machines have been broken into either. That I know of.

            1. TonyJ Silver badge

              Re: MS at least try to be the good guys every now and then

              As far as I am aware, none of mine have, either.

              My perimeter is locked down with a high quality firewall which also does malware / virus scanning. It doesn't support and I would never run UPnP;

              My OS firewalls are active and my AV is kept up to date and patched as are my OS's;

              I run a second antimalware scan occasionally as well;

              I have a sandbox VM that is snapshotted and only has access to the internet on 443 and 80 and has no SMB/file/print services etc - anything even vaguely suspicious is run here first and whether it passes muster or not, the sandbox is reverted to the snapshot;

              My files are backed up with a version-controlled component so I can always play back through them if the worst happens (accident as well as anything nefarious);

              I run my work machines in their own VM's with separation from the host (for all kinds of reasons other than just security).

              My browsers have NoScript and Ghostery among others;

              And even after all of this caution the best I can say is that as far as I know...

              1. Anonymous Coward

                Re: MS at least try to be the good guys every now and then

                You kinda proved the original point: just see how much effort you (have to) put in to still barely trust the result..

                1. TonyJ Silver badge

                  Re: MS at least try to be the good guys every now and then

                  ..."You kinda proved the original point: just see how much effort you (have to) put in to still barely trust the result..."

                  Not really - I choose all of the above.

                  My old man, and my son both do none of the above other than ensure that the OS and apps are patched and the AV is up to date.

                  Scans suggest neither of them have been compromised either.

                  My point was the smugness some show is misplaced.

          3. Anonymous Coward

            Re: MS at least try to be the good guys every now and then

            > And yet somehow none of my systems have ever been broken into

            Easy if you never switch them on..

        2. Missing Semicolon
          Unhappy

          Re: MS at least try to be the good guys every now and then

          UAC is not security, as has been pointed out before. It's merely the transfer of liability to the user.

          1. taz-nz

            Re: MS at least try to be the good guys every now and then

            Microsoft openly admitted that one of the key roles of the hyperactive nature of UAC in Windows Vista, was to shame developers into running their code in user space only instead of running their applications at higher system levels that resulted in system lockups, BSOD and security issues. People may have hated Windows Vista, but BSOD went from something every other application caused, to BSOD being basically limited to faulty hardware or a bad driver by the time Windows 7 came around.

        3. TonyJ Silver badge

          Re: MS at least try to be the good guys every now and then

          "...But it's not just the computers and users that are the problem, every computer is connected to the internet and the standard ISP supplied access device has issues too and anyone can hook up to the internet and try and break into your computer..."

          Totally agree with this point but...you are still talking about the same home users who are not technically that capable so can you imagine asking them to feed and water say a Sophos XG Home (free and my own personal choice)?

          Even those who are supposed to be more savvy tend to see "security" as a dedicated role best left to someone else. As an example, when queried, to date, precisely one techie knew that the Windows Firewall can generate logs but has this feature turned off by default (I'll caveat that by saying I haven't checked the last couple of builds to see if this is still the case). Ok my sample size is small, but even so...

          I was massively downvoted recently for saying here that I actually accept, agree with, and to an extent applaud MS's approach that Windows 10 Home users cannot block patches. Again, see above - these users tend towards not being that tech savvy.

          That is NOT me saying I agree with poor quality / lack of testing on said patches, before the foaming starts.

    3. phuzz Silver badge

      Re: MS at least try to be the good guys every now and then

      I suspect the second part is the important one in this case.

      Botnets are worth more, the more members they have, so it makes sense to go after clients, rather than servers.

      I'd guess that they're also looking at going after phones, but a combination of lower power and bandwidth, spottier connectivity, and higher baseline security*, make them less popular right now.

      * Botnets like this rely on attacks that can be massively automated. A complex attack like (eg) Rowhammer, that requires someone to hand tune each attack is just too much effort.

    4. a_yank_lurker Silver badge

      Re: MS at least try to be the good guys every now and then

      The principal reason to target Bloat is it is the most common desktop OS. With widespread adoption there are a lot of users who are basically clueless about how computers work and how to protect them, easy pickin's for the miscreants. Plus, all it takes to get infected is make 1 mistake which can happen to anyone.

      Fruity OS and penguinista's are less common on the desktop and in the case of the penguinistas generally more skilled users. Less common makes these OSes less profitable to attack and in the case of the penguinistas the higher skill makes successful attacks less likely. But they are still vulnerable, just not as often or as easy.

      As far as Bloat being easier to break, this is true but often the issue is a lack of maintenance (updating) and user competence than the inherent security flaws of Bloat. Servers as compared to desktops are run by more knowledgeable personnel who know more about the OS and its proper configuration which makes attacking servers directly more difficult, independent of the OS.

      1. taz-nz

        Re: MS at least try to be the good guys every now and then

        It's simple math, Windows has about a billion active installations on the desktop, so 9 million infected systems is 0.9% of the total install base, whereas Linux on the desktop has about a 2% market share meaning to infect the same 9 million systems on desktop Linux you would need to infect 50% of all desktop Linux installs, no malware has that level of infection rate and if it did it would be quickly discovered and patched.

    5. veti Silver badge

      Re: MS at least try to be the good guys every now and then

      TFA mentions Locky and Dridex, both of which used vulnerabilities in MS Word. So it's not just about Windows...

    6. IGotOut Silver badge
      Stop

      Re: MS at least try to be the good guys every now and then

      It's interesting how many people slag off Windows and rave about the likes of Linux like it's some magic bullet. They take great delight in saying how secure it is, but completely ignoring all those insecure routers, IoT devices, TV's and other tat that are currently causing huge DDOS issues across the internet.

      The simple answer is an unpatched OS, regardless of who made it, is a liability.

      So grow up, I've heard these My OS is better than your OS for close on 4 decades.

      Use what you like, but keep the bloody thing up to date.

      Disclaimer

      I own a Windows PC, an iPad, an Android Phone and run a Linux based webserver.

    7. Aseries

      Re: MS at least try to be the good guys every now and then

      Windows is not necessarily "weaker" but it is more numerous, providing a bigger bang for the buck.

  2. lglethal Silver badge
    Go

    Financial analysis?

    I would actually be interested to read an in-depth financial analysis for how these botnets work. I mean the cost of purchasing "six million domain names that would be generated over a 25-month period..." must be pretty high (even if only €1 per domain, that is still €3 million per year just in domain fees, not to mention server fees and all the other costs that must be behind this), so they must be expecting to make some serious coin in that period just to cover those costs. Are there really that many people buying penis pills to make the spam worthwhile?

    Also, if Microsoft can see what domains were coming in the future, can they also see what was used in the past? Can this be used to track down the a$$hats behind the botnet based on their domain buying habits? Or have all of the purchases been done with stolen bank and credit card details?

    1. Jellied Eel Silver badge

      Re: Financial analysis?

      > Are there really that many people buying penis pills to make the spam worthwhile?

      AFAIK it works much as advertising works in the real world. So botnet operators charge their customers to run campaigns, and presumably those customers think it's worth it.

      > Can this be used to track down the a$$hats behind the botnet based on their domain buying habits? Or have all of the purchases been done with stolen bank and credit card details?

      That's one of those curious parts. So registering thousands of pseudo-random domains over a fairly short period of time isn't exactly normal for legit businesses. So some of the a$$hats behind the botnet would be the registrars that provide the domain names. So if operating a botnet supports illegal activity, then RICO could be used to go after the registrars who profit from those crimes. That would include the TLD operators who could/should be monitoring for this kind of abuse. If you can't register 10,000 domains a month, you can't operate this kind of botnet.

      1. lglethal Silver badge
        Go

        Re: Financial analysis?

        You raise an interesting point. I'm curious can you think of any reason why any legitimate firm/individual would need a domain that is a random sequence of numbers and letters?

        A quick whip around the office (admittedly of engineers and not IT folk) couldn't come up with a legitimate reason for having a random domain. Unless you count espionage communication, but I don't really count that as falling under legitimate uses...

      2. bombastic bob Silver badge
        Devil

        Re: Financial analysis?

        CAUCE has done a lot of analysis on this

    2. Adam 1

      Re: Financial analysis?

      I doubt they would need to register all the domains. That's 8000 per day, or about one every 10 seconds. The #*#£heads behind it can just figure out the 6 domains that'll resolve tomorrow at 4:13 pm and leave the payload on whatever fly by night aws site that resolves to. Have it delay execution of that payload for a few hours and determining the particular culprit domain might even be tricky.

      You could even host a JPEG image on a site which contained a steganographically encoded IP address, pull that out and download the payload. The site then looks legitimate if only not looking deeply at the patterns.

      Unfortunately, the defenders need to block it every time. The attackers only need to succeed once.

    3. the reluctant commentard

      Re: Financial analysis?

      You don't need to register them all, you just need to register *one* - the domains are used by bots to connect to their command and control (C2) server. Once they connect to one, they will continue to use that one for as long as that domain is "up".

      If you seize the domain, take down the server or interrupt C2 communication in any way, the bot uses the Domainname Generation Algorithm (DGA) to generate a list of *possible* new domains - that list may be as large as 50,000 domains for that particular day. It then just goes down the list trying domains until it finds one where a C2 is alive and waiting for it - that would be the one domain the botnet herder registered.

      If it fails, it will just generate a fresh list the next day and try again, right until it finds a C2 server.

      Many DNS queries for non-existent domains (NXDOMAIN responses) are a sign you have a bot which is trying to find "home" on your network.
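
Added example (not part of the comment above or of the original thread): a sketch of the NXDOMAIN heuristic that comment describes, run over constructed resolver log lines. The log format (`epoch client qname rcode`), the thresholds and all names and addresses are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # assumed sliding window
MIN_DISTINCT_NXDOMAIN = 20   # assumed threshold; tune against your own baseline


def parse_line(line):
    """Parse 'epoch client qname rcode' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower().rstrip("."), parts[3].upper()


def find_nxdomain_bursts(lines, window=WINDOW_SECONDS,
                         threshold=MIN_DISTINCT_NXDOMAIN):
    """Flag clients that look up many *distinct* non-existent names in a short
    window, and note the first name that resolves while the burst is still
    in the window (a candidate rendezvous domain for an analyst to review).
    Lines are expected in timestamp order."""
    recent = defaultdict(deque)   # client -> deque of (ts, qname) NXDOMAINs
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        q = recent[client]
        while q and ts - q[0][0] > window:     # expire old entries
            q.popleft()
        if rcode == "NXDOMAIN":
            q.append((ts, qname))
            # Count distinct names: one missing hostname retried many times
            # (a stale printer entry, a typo) is not list-walking behaviour.
            distinct = len({name for _, name in q})
            if distinct >= threshold:
                f = findings.setdefault(client, {"first_seen": ts,
                                                 "peak_distinct": 0,
                                                 "resolved_after": None})
                f["peak_distinct"] = max(f["peak_distinct"], distinct)
        elif (rcode == "NOERROR" and client in findings
              and findings[client]["resolved_after"] is None
              and len(q) >= threshold):
            findings[client]["resolved_after"] = qname
    return findings


def constructed_sample():
    """Constructed log lines, not real traffic."""
    t, lines = 1000.0, []
    # 10.0.0.5: 30 different random-looking names fail, then one resolves.
    for i in range(30):
        name = hashlib.sha1(str(i).encode()).hexdigest()[:12] + ".example"
        lines.append(f"{t + i} 10.0.0.5 {name} NXDOMAIN")
    lines.append(f"{t + 30} 10.0.0.5 rendezvous-placeholder.example NOERROR")
    # 10.0.0.9: the same missing name retried 30 times (benign noise).
    for i in range(30):
        lines.append(f"{t + i + 0.5} 10.0.0.9 printer.corp.example NXDOMAIN")
    # 10.0.0.7: ordinary successful lookup.
    lines.append(f"{t + 5} 10.0.0.7 www.example.com NOERROR")
    lines.append("garbage line that the parser skips")
    lines.sort(key=lambda l: parse_line(l)[0] if parse_line(l) else 0.0)
    return lines


if __name__ == "__main__":
    for client, info in find_nxdomain_bursts(constructed_sample()).items():
        print(client, info)
```

Only the client walking through many different failing names is flagged; the host retrying one missing name is not, which is the main false-positive source for a raw NXDOMAIN count.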

  3. Waseem Alkurdi Silver badge

    Couldn't the malware authors read this and simply reconfigure their name-generating algorithms?

    1. Phil O'Sophical Silver badge

      Whac-a-mole

      Not on the already-compromised systems. No doubt the next round of malware will have some more-reconfigurable algorithms.

    2. Adam 1

      Yes, the malware authors could read this and simply reconfigure their name-generating algorithms. Unfortunately for them, they can't push those updated algorithms to the malware in question because those potential domains where they could have put a payload to update to a newer name generation algorithm have been blacklisted for the next 25 months.

    3. phuzz Silver badge

      You know when you're trying to change an IP address remotely, so you change the config, disable the adaptor, and then go to re-enable it, only to realise that your connection just dropped...?

      That.

    4. Doctor Syntax Silver badge

      Yes, and now they know that that was their problem thanks to some public back-patting. They might well have been able to work that out for themselves but why save them the bother?

  4. TheProf Silver badge
    Angel

    Win

    I thought I had a disappointingly low number of spam emails this morning.

    Not even in double figures.

    1. Anonymous Coward

      Re: Win

      > I thought I had a disappointingly low number of spam emails this morning.

      And yesterday I received more than usual - it's as if they knew the take down was coming and wanted to get the most out of their botnet before it was gone.

  5. Anonymous Coward

    Windows is merely a tool used by business to run business processes. Security processes need to govern all business tools.

    I can't express how monotonous it is hearing how a market leading O/S has flaws.

    Simple security 101, exposure is proportional to footprint. Windows has the market share at the most vulnerable part in the business, the user.

    Move on..... and think about the business process and how to better secure the business

  6. fm+theregister

    Report is flawed - Namecoin DNS infrastructure?

    From: https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs

    "A second DGA-like fetches .bit domains that are not generated algorithmically but hard-coded.

    The .bit TLD is an alternative DNS model, maintained by Namecoin, that uses a blockchain infrastructure and is harder to disrupt when compared with ICANN regulated TLDs."

    Unless they block all Namecoin-able DNS servers, I cannot reasonably see why spend so much time, money and coordination efforts in such operation.

  7. Anonymous Coward

    Takedown should (in theory) see spam volumes shrink rapidly

    I heard or saw such claims before, when other / previous bot networks were shut down. Much fanfare (deserved, no doubt), but about nothing, because spam levels got back to "normal" within weeks, if not days.

  8. disgustedoftunbridgewells Silver badge

    I wonder why these things don't use I2P.

    ( Tor is still vulnerable to that fairly trivial DOS attack which has been taking dark web markets offline )

  9. amanfromMars 1 Silver badge

    The Refreshing Lull before the Storming of Realities/Numerous Systems Administrations

    Back in 2017 we reported Cisco Talos' findings that the botnet had gone offline for several months before reappearing to peddle a financial scam.

    When things are all going just as expected and as if perfectly preplanned, surely it is Heavenly Party Time for Bots. And several months is impressive :-)

    And EMPowering rather than Exhausting to Boot with Root is a Bonus Devilish Delight to Server and Satisfy with Insatiable Desire for More Spectacularly Similar with Leading Role Plays Exchanged for Further Future Experimentation ..... :-)

    Are there botnets in AI where anything known can be shown and presented to be realised as news and views in the planning today for sharing tomorrow ...... ad infinitum?

  10. Anne-Lise Pasch

    Let's hope bad guys don't know how to generate guids.

  11. amanfromMars 1 Silver badge

    Wide Boys and Spivs and Spies ..... This Way Please. Virgin Honey Awaits your Dirty Money

    Let's hope bad guys don't know how to generate guids.[sic] ........ Anne-Lise Pasch

    Hope springs eternal in the harbour of improbable dreams, Anne-Lise Pasch, ..... although it is indeed extremely fortunate good guys and gals have the crushing advantage in knowing what needs to be generated for effectively following other almighty guides .... or A.N.Other's Almighty Guide, although that might be something considered by many as being too close to being of Epic Biblical Proportions to be easily accepted as anything else quite different.

  12. Anonymous Coward
    Mushroom

    russia russia russia

    C_A C_A C_A


Biting the hand that feeds IT © 1998–2020