Necurs Botnet Goes Down, Shutting Off Dridex and Locky Spam


All Necurs activity stopped on June 1, down ever since. The Necurs botnet, the largest malware distribution botnet known today, seems to be facing some technical problems, and the direct consequence of this downtime is a huge dip in Dridex and Locky distribution numbers.

Necurs is the collective network of computers infected with the Necurs rootkit. These bots communicate with each other over a peer-to-peer (P2P) network, forming what’s known as a P2P botnet.

In this design, a central C&C server communicates with smaller groups of bots, called subnets, each managed by special bots called workers, which then relay orders to the regular bots.

All Necurs activity stopped on June 1

Instructions can range from DDoS attacks to spam distribution, but Necurs has long been known as the source of the spam campaigns that send out wave after wave of emails carrying the Dridex banking trojan and, more recently, the Locky ransomware.

According to MalwareTech, the Necurs botnet has around 6.1 million bots, by far the largest botnet known to date.

As Proofpoint revealed today, it appears that starting on June 1, all activity from this botnet has stopped cold.

Is Necurs down because of authorities, or because of maintenance?

Researchers believe that someone has managed to sinkhole its main C&C server, something that has happened before. Maintenance operations should not be ruled out either.

“While this is not the first apparent Necurs outage we have seen, available data suggest that it involved a significant and ongoing failure of the C&C infrastructure behind the botnet,” the Proofpoint team explains.

Unfortunately, this hasn’t destroyed the botnet: Necurs’ P2P architecture and its use of a Domain Generation Algorithm (DGA) have always allowed the crooks to regain control of their botnet by plugging in another C&C server later on.
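A toy illustration of why sinkholing a single C&C domain does not end a DGA-driven botnet, added here as an example; this is not Necurs’ actual algorithm or anyone’s published code, and the seed, hash construction, dates and domain suffix are constructed assumptions:

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA: bots and operator share a seed and derive one
# candidate C&C domain per day. Purely illustrative, not Necurs' scheme.
SEED = b"constructed-example-seed"


def dga_domain(day: date, seed: bytes = SEED) -> str:
    """Derive the candidate C&C domain for a given day."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).hexdigest()
    return digest[:12] + ".example"


def predict_domains(start: date, days: int, seed: bytes = SEED) -> list:
    """Enumerate the domains bots will try over the next `days` days.
    Defenders who recover the seed can block or sinkhole the whole window."""
    return [dga_domain(start + timedelta(days=i), seed) for i in range(days)]


def who_controls(day: date, sinkholed: set, operator_owned: set) -> str:
    """Simulate which party answers when a bot resolves that day's domain.
    A sinkhole is assumed to win if it holds the domain; otherwise the
    operator wins only if they registered it; otherwise nobody answers."""
    domain = dga_domain(day)
    if domain in sinkholed:
        return "sinkhole"
    if domain in operator_owned:
        return "operator"
    return "none"


def outage_timeline(start: date, days: int, sinkholed: set, operator_owned: set) -> list:
    """Day-by-day view of who controls the botnet over a window."""
    return [who_controls(start + timedelta(days=i), sinkholed, operator_owned)
            for i in range(days)]


if __name__ == "__main__":
    start = date(2016, 6, 1)  # constructed example date
    sinkholed = {dga_domain(start)}             # defenders sinkhole day 0 only
    regained = {dga_domain(start + timedelta(days=3))}  # operator registers day 3
    print(outage_timeline(start, 5, sinkholed, regained))
    # A full-window blocklist leaves the operator no future domain to claim.
    print(outage_timeline(start, 5, set(predict_domains(start, 5)), regained))
```

The first timeline shows a sinkhole on day 0, silence on days 1 and 2, and the operator back in control on day 3; the second shows that pre-registering every predicted domain closes that gap.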

Permanent or temporary, what’s known right now is that Dridex and Locky spam has stopped. The last time Necurs activity halted for so long was in the autumn of 2015 when a key player behind the Dridex gang was arrested in Cyprus.

Activity from suspected Necurs bot IPs
