News & Blog

Prolific Spammer and Malware Distributor Goes Mysteriously Quiet

By Francis West on 16th June 2016

Internet Security companies have reported the sudden and mysterious disappearance of one of the largest networks of compromised systems on the Internet. The Necurs botnet has been a notorious distributor of large amounts of spam / junk mail and malware over many years but is reported to have gone offline altogether this week.

Signs Earlier This Month

Reports from security companies from the beginning of June showed a decline in the amount of traffic coming from Necurs. Security company Proofpoint noted on their website that prior to this month’s traffic slowdown, the malicious email campaigns that Necurs was sending out had been in volumes reaching hundreds of millions of messages.

How and What?

Necurs has been relying upon a ‘Botnet’, which is a collection of compromised computers to enable it to distribute its spam and malware. The Windows computers (thought to be in excess of 5 million) became compromised and therefore under the control of Necurs when they were infected with malware called ‘rootkit’.

Botnets are typically used to distributed spam and to launch distributed denial of service (DDoS) attacks. Necurs has most recently been distributing the Dridex banking Trojan and Locky ransomware.

Dridex can be used by cyber criminals to steal banking credentials and other personal and financial information from computer systems. Locky uses a Trojan horse in an email to infect your computer and then scrambles and renames all your important files so that they have the extension .locky.

Victims of Locky are then directed to buy the decryption key to unlock the files from cyber criminals on the ‘dark web’.

Why Has It Stopped and Will It Start Again?

The exact reason why the Necurs botnet has stopped working is unknown but security company Proofpoint for example have noted that the core administration systems of the botnet have now disappeared.

Unfortunately, the Necurs botnet is the type that uses a domain generation algorithm (DGA) that allows nodes and workers to find a new Command and Control (C&C) when the active one goes down as it has done in this case. This means that the Necurs botnet could be able to set itself up again, although it is not known how quickly this could happen.

What Does This Mean For Your Business?

Even though having one of the biggest spammers and malware distributors out of action is obviously a good thing, there are plenty more cyber criminals out there looking for ways into vulnerable systems, networks and computers.

Multi-vector (multiple method) and DDoS attacks are at a high and it has never been more important to make sure that all aspects of your cyber security are given some serious attention. The Government’s Cyber Essential’s Scheme for example provides help and guidance to enable your business to implement essential security controls. See:

If you haven’t already done so you may also wish to seek other professional advice about measures you could take to ensure cyber resilience such as cyber security training for staff, health checks, risk assessments / audits, cyber security policies, Business Continuity and Disaster Recovery Plans.