Akamai Diversity

The Akamai Blog

Preventing the Necurs Bot from Phoning Home

This story has been told thousands of times before - a botnet is born, a botnet goes down, a botnet tries to get its bots back together. But the story of Necurs is unique.

While any number of active bots are making their way around the web at any given time, Necurs is one of the largest to ever exist. According to MalwareTech, there were 6.1 million Necurs bots at its peak. Reports estimate that the malicious bot is responsible for millions of dollars in losses tied to ransomware and banking Trojan infections through cyberthreats such as Locky and Dridex.

Necurs was busy for several months until June of this year when it unexpectedly vanished from the face of the web. Its disappearance might have been the result of a successful arrest, a consequence of some regular network maintenance, or a combination of the two. Whatever the reason, it doesn't matter: Necurs is now 'getting back to business.'

Searching for troops

Getting back to business in the realm of botnets means that the web of bots has to be re-wired; many of the nodes that existed before the shutdown have changed. In the case of Necurs, the bot's 'masters' (the command & control servers) need to re-establish communications with their 'troops' (the client bots) in order to send them their new commands.

Necurs uses several simultaneous connection techniques to reconnect with its bots:

  1. An HTTP connection using a list of hardcoded servers
  2. An HTTP connection using a server obtained through a Domain Generation Algorithm (DGA)
  3. A P2P network, which is used mainly to deliver lists of HTTP C&C servers

While other security companies may have good visibility into the hardcoded list of servers by analyzing Necurs code samples, Nominum Data Science has unique visibility into the entire world of DNS. Using multiple clustering algorithms to analyze this vast data, combined with publicly available DGA algorithms, we are able to predict all the Necurs domains generated through DGAs, for all of Necurs' different variants. Nominum N2 ThreatAvert protects service provider networks from Necurs by automatically blocking over 10,000 unique Necurs server domains.

Necurs domains are generated through a combination of publicly available DGA algorithms and a 'secret magic number.' With Nominum's proprietary clustering algorithm and the public DGA algorithm, Nominum Data Science predicted the magic numbers for all existing and future domain names being used by Necurs. We also observed multiple variants of Necurs, which use different magic numbers for seeding the DGA algorithm. While these domains haven't become a threat at the time we block them, we know in advance they are Necurs-generated bots given their unique structure, features, and inter-connectivity.

For most of these predicted domains, we see unresolved DNS traffic (Figure 1) representing Necurs bots that are trying to connect to their master network but ultimately fail due to N2 ThreatAvert's pre-blocking mechanism. If you're a security person, there is nothing more satisfying than that.

Necurs bot graph
Figure 1: Necurs bots try to establish a connection with their C&C servers every 4 days, and that's very visible in our data

We will continue to update you on Necurs developments as they unfold. Meanwhile, Nominum N2 ThreatAvert customers certainly appreciate that this treacherous malware is not wreaking havoc on their networks or affecting their subscribers.