An inside look at the global battle with botnets
In March 2020, a small team at Microsoft dismantled Necurs, one of the world’s largest botnets. The project was eight years in the making and involved coordinated legal and technical action across 35 countries. As a result, the criminal network behind the botnet should no longer be able to use that infrastructure to send spam emails and conduct cyberattacks.
This botnet, which infected 9 million computers around the world, was one of the largest sources of spam email and has been used in a wide range of scams. Like other botnets, it consists of a network of computers infected with malicious software that can be controlled remotely by the operators.
Botnets are highly sophisticated, acting as a unified threat and often run by well-resourced operators. Tracking them down and preventing them from carrying out further infections and attacks is a complex task that takes coordination across geographies and organizations.
Botnets are a problem without borders
The size and scale of botnet attacks can be immense, taking down websites in distributed denial-of-service (DDoS) attacks and using information gathered for ransom and financial crime. Cutwail, a botnet first identified in 2007, could send 74 billion spam emails per day, or almost half of all spam distribution. The Mariposa botnet, which originated in 2008, hijacked around 12.7 million computers worldwide.
Botnets remain a tool of cybercriminals because of the sheer number of devices they infect. As connectivity increases and Internet of Things and cloud deployments multiply, every poorly protected device becomes another potential bot for attackers to enlist.
Botnets are used for multiple purposes: mining cryptocurrency such as bitcoin, stealing private and financial information for fraud, delivering ransomware, and mounting DDoS attacks on businesses and governments. Infected networks are also rented out to other cybercriminals, as was the case with Necurs.
Since the outbreak of COVID-19, we have witnessed cyberattacks on hospitals and organizations on the frontline of the fight. Brno University Hospital in the Czech Republic had to postpone surgeries and turn away patients. In the United States, an Illinois public health website was taken down by ransomware. And the World Health Organization was targeted by hackers.
To help combat this, Microsoft is making its AccountGuard threat notification service available for free to health care providers and humanitarian bodies.
How do we disrupt global botnets?
Disrupting botnets, with their complexity and global spread, is never simple. Disruptions require a coordinated response across multiple countries, law enforcement agencies and cyber experts.
Botnets operate on a command-and-control basis: each infected device periodically contacts command-and-control infrastructure, which may be a single centralized server or a highly dispersed and redundant set of servers and domains, to receive its instructions. Identifying that infrastructure and cutting the bots off from it is key to disrupting a network.
Disrupting the Necurs botnet involved reverse-engineering the domain generation algorithm the malware used to compute the domains its bots would contact for new commands. Because the algorithm is deterministic, Microsoft’s Digital Crimes Unit was able to accurately predict over six million unique domains the botnet would have used in the next two years, and have them blocked before the operators could register them.
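To make the domain-prediction step concrete, the following is an added, illustrative example and not code from the original article, from Microsoft, or from the Necurs malware. It implements a constructed, toy domain generation algorithm (the seed, the number of domains per period, the period length and the TLD rotation are all assumptions chosen for the illustration, not Necurs parameters), then shows the defender’s side of the same algorithm: pre-computing every domain the bots will try over a future window and matching constructed DNS resolver log lines against that list.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed, illustrative DGA. This is NOT the Necurs algorithm; a real DGA
# may mix in a hard-coded key, the current date, a time period and a TLD
# rotation in its own way. The defender's workflow is the same regardless:
# reimplement the algorithm from the malware, compute the future domains, and
# block or sinkhole them before the operators can register them.
SEED = b"example-botnet-seed"          # assumed: stands in for a key recovered from the binary
TLDS = ("com", "net", "info", "biz")   # assumed top-level-domain rotation
DOMAINS_PER_PERIOD = 8                 # assumed: domains a bot tries in each period
PERIOD_DAYS = 4                        # assumed: a fresh domain set every 4 days


def period_index(day: date) -> int:
    """Map a calendar day onto the DGA's period counter (bot and defender agree on this)."""
    return day.toordinal() // PERIOD_DAYS


def generate_domains(day: date) -> list[str]:
    """Domains a bot would try on `day`: what the malware itself computes."""
    domains = []
    for i in range(DOMAINS_PER_PERIOD):
        material = SEED + period_index(day).to_bytes(4, "big") + i.to_bytes(1, "big")
        digest = hashlib.sha256(material).hexdigest()
        # Turn 12 bytes of the hash into a 12-letter label (a-z only).
        label = "".join(chr(ord("a") + int(digest[k:k + 2], 16) % 26) for k in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(start: date, days: int) -> set[str]:
    """Defender side: every domain the DGA will produce in [start, start + days)."""
    blocklist: set[str] = set()
    for offset in range(days):
        blocklist.update(generate_domains(start + timedelta(days=offset)))
    return blocklist


def flag_dns_queries(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for each query that hits a predicted C2 domain.

    Expected (constructed) log format: "<timestamp> <client-ip> query <qname>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        client, qname = parts[1], parts[3].lower().rstrip(".")
        if qname in blocklist:
            hits.append((client, qname))
    return hits


SAMPLE_DAY = date(2020, 3, 10)

# Constructed DNS resolver log lines. The first one queries a domain computed by
# the DGA above for SAMPLE_DAY, so it is the one that should be flagged.
SAMPLE_LOG = [
    f"2020-03-10T09:12:01 10.0.0.5 query {generate_domains(SAMPLE_DAY)[2]}.",
    "2020-03-10T09:12:02 10.0.0.7 query update.example.com.",
    "2020-03-10T09:12:03 10.0.0.9 query mail.example.net.",
]


def demo() -> list[tuple[str, str]]:
    """Predict two years of domains ahead of time, then check the sample log."""
    blocklist = precompute_blocklist(SAMPLE_DAY, 730)
    return flag_dns_queries(SAMPLE_LOG, blocklist)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} contacted predicted C2 domain {qname}")
```

The point of the example is that the bot and the defender run the same deterministic function, so once the algorithm and its seed are known, the defender can enumerate the domains for any future period without ever observing a live infection, and feed that list to registrars, sinkholes or resolver blocklists. In practice the predicted list is far larger than this toy’s few thousand entries, and the queries would come from a real resolver log rather than the constructed lines above.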
Work is now continuing to rid computers of the malware associated with the Necurs botnet.
The Microsoft Cyber Threat Intelligence Program, part of the Digital Crimes Unit, provides government bodies, law enforcement and internet service providers with intelligence about criminal activity in their jurisdiction. Global coordination and cooperation are key to helping combat cybercrime.