Microsoft warfare on malware
A botnet is taken down by a company operation, not by a government
WASHINGTON — Microsoft organized 35 nations on Tuesday to take down one of the world’s largest botnets — malware that secretly seizes control of millions of computers around the globe. It was an unusual disruption of an internet criminal group because it was carried out by a company, not a government.
The action, eight years in the making, was aimed at a criminal group called Necurs, believed to be based in Russia. Microsoft employees had long tracked the group as it infected 9 million computers around the world, hijacking them to send spam emails intended to defraud unsuspecting victims. The group also mounted stock market scams and spread ransomware, which locks up a computer until the owner pays a fee.
Over the past year, Microsoft’s Digital Crimes Unit has been quietly lining up support from legal authorities in countries around the world, convincing them that the group had seized computers in their territories to conduct future attacks.
“It’s a highway out there that is used only by criminals,” Amy Hogan-Burney, the general manager of the Digital Crimes Unit and a former FBI lawyer, said Tuesday. “And the idea that we would allow those to keep existing makes no sense. We have to dismantle the infrastructure.”
The team struck Tuesday, from an eerily empty Microsoft campus. Tens of thousands of workers had been ordered to stay home because the area near the headquarters in Redmond, Washington, has been a hot spot for the coronavirus. But taking down a botnet, the company concluded, was not a work-from-home task.
After cleansing the Digital Crimes Unit’s command center to eliminate any live viruses, a small team of Microsoft workers gathered in a conference room at 7 a.m., flipped on their laptops and began coordinating action against another kind of global infection.
As soon as a federal court order against the Necurs network was unsealed, they began prearranged calls with authorities and network providers around the world to strike Necurs at once, cutting off its connections to computers around the globe.
“Was Mongolia hit? I think it was in the court order,” one Microsoft employee asked. There was debate about Somalia — “a very last-minute win,” another noted — and discussion of the fact that Nevis, the Caribbean island, was both the birthplace of Alexander Hamilton and an unwitting host for a small element of the botnet.
“Tajikistan?” one person in the room asked, looking for it to turn green on a map overhead, indicating that the botnet had been neutralized there. “No joy yet.”
Rapidly, they took over or froze 6 million domain names that Necurs was using or had inventoried for future attacks. Necurs had created an algorithm to spawn millions of new domains, often with deceptive names, for future use against unsuspecting victims. Microsoft engineers had cracked the code.
By Tuesday’s end, there was satisfaction that, for the 18th time in 10 years, Microsoft had taken down a digital criminal operation.
Microsoft executives acknowledged that this was a game of whack-a-mole, and that the creators of Necurs and groups like it would be back.
“The cybercriminals are incredibly agile,” said Tom Burt, the executive who leads Microsoft’s security and trust operations, “and they come back more sophisticated, more complex. It is an ultimate cat-and-mouse game.”