Malware Levels Drop As Huge Botnet Goes Offline

One of the largest networks of compromised systems on the Internet has mysteriously gone dark in recent days, leading to a noticeable fall-off in the distribution of spam and malware, computer security researchers have found.

Several IT security firms have confirmed that Necurs, which is believed to be one of the biggest botnets in existence, controlling several million compromised computers, went offline on June 1.

Spam and malware campaigns

Botnets are generally formed when a computer is compromised by a particular piece of malware that links it to a control server, which then commonly uses it to send spam and malicious code. Computer users are generally unaware that their system belongs to the botnet and is carrying out malicious activity.

Security firm Proofpoint observed that two of the largest malicious email campaigns to date, sending malware known as Dridex and a piece of ransomware called Locky, dwindled away almost to nothing on June 1. They found that the campaigns’ disappearance corresponded to the Necurs outage, and concluded that the malicious messages were mostly sent via that botnet.

“This confirmed our suspicion that the threat actors behind Locky ransomware and Dridex banking Trojans have been using the Necurs botnet to distribute their massive email campaigns,” Proofpoint said in an advisory.

Proofpoint said that the compromised systems that made up the botnet have since June 1 been observed actively searching for a new command system, indicating that the control servers previously used had disappeared.

Mystery outage

Anubis Networks and other IT security firms also reported that the command server seemed to have gone offline.

“We have no evidence that the Necurs botmaster has been able to retake control of the botnet,” Proofpoint wrote.

As yet researchers are unable to explain what might have happened to Necurs, which has been in operation for several years. However, the re-establishment of control systems is often a slow process, Proofpoint said.

“For P2P botnets in general, reestablishing connections between compromised PCs and new command-and-control infrastructure is a gradual process as new command-and-control information propagates,” the company stated.

Are you a security pro? Try our quiz!