Dridex And Locky Spam Cut Off By Necurs Botnet

The Necurs botnet has been classified as the largest malware distribution botnet today. However, it looks like the botnet is currently facing some technical problems, and this downtime has led to a huge dip in Dridex and Locky distribution numbers.

Necurs is the collective network of computers infected with the Necurs rootkit. Banded together, these bots form a network of interconnected computers, a so-called peer-to-peer (P2P) botnet. These botnets have a central C&C server which communicates with smaller networks, named subnets, managed by special bots called workers, which then send orders to regular bots.

The instructions vary from DDoS attacks to spam distribution. However, Necurs has always been known as the source of all the spam that sends out wave after wave of emails containing the Dridex banking trojan and, more recently, the Locky ransomware.

MalwareTech claims that the Necurs botnet has around 6.1 million bots, making it by far the largest botnet known to date. However, on June 1, all activity from this botnet ceased. According to security experts, someone has managed to sinkhole its main C&C server, which is something that has happened before. Maintenance operations should not be ruled out either.

“While this is not the first apparent Necurs outage we have seen, available data suggest that it involved a significant and ongoing failure of the C&C infrastructure behind the botnet,” the Proofpoint team stated.

The problem is that this hasn’t destroyed the botnet, because Necurs’ P2P architecture and its use of a Domain Generation Algorithm (DGA) have always allowed hackers to take back control of their botnet by plugging in another C&C server later on.

In any case, the one certain thing now is that Dridex and Locky spam has stopped. The last time Necurs activity halted for so long was in 2015, when a key player behind the Dridex gang was arrested.
