September 27, 2020

Microsoft blocked a botnet that infected 9 million computers


In its latest blog post, Microsoft says it has disrupted the world's largest online criminal network, and that its core infrastructure and domain names have been blocked with the help of law enforcement agencies.

This so-called world's largest online criminal network is in fact a botnet. According to monitoring data, a total of 9 million computers worldwide have been infected and enrolled in it.

Once a computer is infected, the botnet's controllers put it to many uses, such as distributing spam, financial fraud malware, stock fraud tools, and ransomware.

The botnet was first observed by the industry in 2012 and has now been dismantled. Microsoft is working with network operators in various countries to block the botnet's connections.

According to industry analysis, the operators behind the Necurs botnet may be Russian criminals, but the infected computers have spread to many countries and regions around the world.

Image: Microsoft

Typically, the botnet also relies on network channels to distribute its Trojans. When a user is infected, the computer is automatically added to the botnet.

The controllers behind it can then operate the user's computer remotely. In most cases, however, the attackers issue commands through their servers so that operations run across many infected machines at once.

For example, the bots are used to send spam emails, distribute banking Trojans, steal users' personal data, distribute ransomware, and launch DDoS attacks.

On the operational side, the controllers do not appear to use the infected computers directly; instead, they sell or rent them to other criminals, who carry out a variety of malicious operations.

Last week, Microsoft obtained a court order from the U.S. District Court for the Eastern District of New York. By executing it, Microsoft successfully shut down the botnet's infrastructure in the United States.

Losing the servers used for command and control is a significant blow to the botnet, but a botnet of this size naturally does not keep its control servers only in the United States.

Microsoft is therefore working with law enforcement agencies and security companies around the world to shut down all of its control servers and cut off its controllers.

In addition, new technology developed by Microsoft's security team can predict the domain names the controllers would use next. According to Microsoft, its algorithm generates up to 6 million possible domain names.

Microsoft has now handed this list of domain names to registries around the world. If the attackers attempt to register any of them, the registration is blocked, so the domains cannot be put to use.
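The defensive workflow described above, pre-computing the domains a botnet will generate and then blocking or sinkholing lookups for them, as an added example that is not from the article or from Microsoft. The DGA here (`toy_dga`, seeded with a made-up value) is a hypothetical stand-in and is not the Necurs algorithm; the DNS log lines are constructed.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA constructed for this example: NOT the Necurs algorithm
# (its details are not on this page). It stands in for "a deterministic
# function of a seed and the date", which is what makes prediction possible.
TLDS = ("com", "net", "biz")

def toy_dga(day: date, seed: int, count: int = 8) -> list[str]:
    """Derive `count` deterministic domains for one calendar day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains

def predict_domains(seed: int, start: date, days: int) -> set[str]:
    """Pre-generate every domain the malware would try over a future window,
    so registries can refuse the names and resolvers can sinkhole them."""
    predicted: set[str] = set()
    for offset in range(days):
        predicted.update(toy_dga(start + timedelta(days=offset), seed))
    return predicted

def flag_dns_queries(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose lookup hits a predicted C2 domain.
    Constructed log format: "<timestamp> <client-ip> <qname>"."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of crashing the sweep
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits

SEED = 0x1234               # hypothetical per-family seed
START = date(2020, 3, 10)   # first day of the prediction window
PREDICTED = predict_domains(SEED, START, days=30)

# Constructed DNS query log; only the second line resolves a predicted domain.
SAMPLE_LOG = [
    "2020-03-11T08:00:01 10.0.0.5 www.example.com.",
    f"2020-03-11T08:00:02 10.0.0.5 {toy_dga(START + timedelta(days=1), SEED)[0]}.",
    "2020-03-11T08:00:03 10.0.0.9 update.microsoft.com.",
]
HITS = flag_dns_queries(SAMPLE_LOG, PREDICTED)  # exactly one hit from 10.0.0.5
```

A real deployment would feed the predicted set to a resolver or RPZ zone and alert on the first hit, since a client querying a not-yet-registered DGA name is itself a strong infection signal.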

Microsoft will also share traffic data and related indicators with network operators around the world, who will block connections to the control servers directly on the backbone network. Together, these measures are intended to free the 9 million infected computers in a short period of time.