Around the 8th of June VICE picked up the story about Necurs’ downtime and wrote a great article, including a tweet from Kevin Beaumont referencing my botnet tracker. I was contacted for comment and there are a few things I’d have liked to add, but at the time I was in London for BSides and may or may not have been incredibly inebriated, so I didn’t reply before the article went live. The VICE article was pretty dead on, but as usual the facts get lost in translation as other news sites regurgitate the story, and soon we go from “Necurs botnet offline” to “World Hunger Cured”.
So what actually happened?
Around 8 PM UTC on May the 31st the Necurs C&C servers went offline. When this happens, all the bots begin polling the peer-to-peer network, the hardcoded domains, and the DGA (Domain Generation Algorithm) domains for new C&C servers until they find one. To visualize this, we can use OpenDNS’ brilliant passive DNS investigation platform to get a graph of queries to the hardcoded domain over time.
The jagged spike during the evening of May the 31st is caused by multiple separate outages across the Necurs botnets; then by midday on June the 1st all of the botnet C&Cs are completely offline. Something cool you can also see between the 1st and 11th of June is the day/night cycle, due to the majority of the bots being in the same timezone and going offline at night, as well as a dip on Saturday the 4th followed by a larger dip on Sunday (in most Christian countries Sunday is a day of rest, so fewer businesses are open than on Saturday).
What a lot of people haven’t noticed is that Necurs is not a single botnet; it’s actually 7 botnets totaling about 1,700,000 infected computers. I’m not good at threat attribution, nor am I going to do what others do and just blame China; I can’t say who runs which botnet, if they’re really linked, or what the organizational structure looks like. The fact that all the botnets went offline around the same time, stayed offline for the same period, then began the first revival attempt on the same day leads me to believe that there must be some organizational overlap between botnets, even though they use separate private keys.
The actual reason for the seemingly coordinated outage of all 7 botnets will remain a mystery, at least for now. I’ve received a slew of different stories, some of which were given to me under NDA and can’t be shared, but none of them really seem to completely correlate with my own investigation so the best response I can give is ¯\_(ツ)_/¯.
One prominent theory is that someone involved in the Necurs operation got caught up in the 50 arrests in Russia around the same time, though this seems unlikely to me, as the group arrested in Russia were reported to be behind the Lurk trojan, which targets Russian banks (this seems to be one of the only ways to get arrested for cybercrime in Russia and is an all-round stupid idea).
Looking at my infection map of the Necurs botnet it is clear that either Russia has some next-level antivirus products they’re keeping to themselves, or the Necurs trojan explicitly avoids computers with a Russian language pack present, the exact opposite of how Lurk operates.
One thing is fairly certain and that is Necurs is not dead. Over the past week and a bit I’ve noticed large drops in activity on my monitoring system which correlate with new C&C server IPs being pushed out to the botnet by the botmasters (this causes all Necurs infections to stop polling the DGA and connect to the new servers instead).
Here we can see that over a 72-hour period starting around June 11th, C&C servers started being pushed to the various botnets, failed after a few hours, then new ones were pushed (the peaks are when all C&C servers are offline, the troughs are when they’re all online, and in between is when individual botnets come and go online or offline).
To rule out network issues on my monitoring system, we can check that passive DNS on the main hardcoded domain shows a major drop in requests around the same time, followed by similar fluctuation throughout the 72-hour period.
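The same reading of the graph can be automated: given hourly query counts for the hardcoded fallback domain, each hour is scored against the series’ own floor (everyone connected to a C&C) and ceiling (everyone polling), and consecutive hours with the same state are collapsed into outage, partial and recovery windows. This is an added example, not code from the tracker or from OpenDNS; the log lines are constructed to show the online/offline/partial pattern and the 0.2/0.8 thresholds are arbitrary choices.

```python
"""Turn hourly passive-DNS counts for a botnet's hardcoded fallback domain
into outage/recovery windows. Added example; the log below is constructed."""

# Constructed hourly query counts (timestamp, queries); not real pDNS data.
# Pattern: C&Cs online (low polling) -> all offline (peak) -> some botnets
# back (partial) -> all online -> new C&Cs fail again -> online.
PDNS_LOG = """\
2016-06-11T00:00Z 310
2016-06-11T01:00Z 290
2016-06-11T02:00Z 300
2016-06-11T03:00Z 2700
2016-06-11T04:00Z 2900
2016-06-11T05:00Z 3100
2016-06-11T06:00Z 3000
2016-06-11T07:00Z 1500
2016-06-11T08:00Z 1400
2016-06-11T09:00Z 250
2016-06-11T10:00Z 280
2016-06-11T11:00Z 3000
2016-06-11T12:00Z 2950
2016-06-11T13:00Z 320
"""

# Fraction of the way from the series floor to its ceiling; arbitrary cut-offs.
OFFLINE_FRAC = 0.8   # at or above: effectively every bot is polling (all C&Cs down)
ONLINE_FRAC = 0.2    # at or below: almost nobody is polling (all C&Cs up)


def parse_log(text):
    """Parse '<timestamp> <count>' lines into a list of (timestamp, int)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, count = line.split()
        rows.append((ts, int(count)))
    return rows


def classify(count, lo, hi):
    """Label one hour as 'online', 'offline' or 'partial' relative to lo/hi."""
    if hi == lo:          # flat series: nothing to distinguish
        return "online"
    frac = (count - lo) / (hi - lo)
    if frac >= OFFLINE_FRAC:
        return "offline"
    if frac <= ONLINE_FRAC:
        return "online"
    return "partial"      # some botnets have a C&C, others are still polling


def outage_windows(text):
    """Collapse consecutive hours with the same state into
    (state, first_timestamp, last_timestamp) windows.

    Caveat: lo/hi are taken from the series itself, so the window analysed
    must contain both a full outage and a full recovery for the scaling
    to mean anything; otherwise feed in a baseline from a longer period."""
    rows = parse_log(text)
    if not rows:
        return []
    counts = [c for _, c in rows]
    lo, hi = min(counts), max(counts)
    windows = []
    for ts, c in rows:
        state = classify(c, lo, hi)
        if windows and windows[-1][0] == state:
            windows[-1] = (state, windows[-1][1], ts)
        else:
            windows.append((state, ts, ts))
    return windows


if __name__ == "__main__":
    for state, start, end in outage_windows(PDNS_LOG):
        print(f"{state:8} {start} .. {end}")
```

Run against the constructed log this yields six windows: online, offline (03:00 to 06:00), partial, online, offline, online, which is exactly the push/fail/push-again shape described above. On a real feed you would also want to strip the day/night cycle (compare each hour to the same hour on quiet days) before thresholding, otherwise the nightly dip reads as a recovery.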
Something interesting that was noticed by multiple people monitoring spam traffic was that Locky spam resumed briefly during the C&C uptime, though an old, already-detected Locky sample from May 31st was distributed (the Locky group always start a new campaign with a fresh undetected binary). My guess here is that the Necurs C&Cs are just proxy servers for a hidden backend server, so when the botmasters brought up the new front-ends and connected them to the backend, they resumed coordinating the unfinished spam operation that was in progress before the downtime.
As of June 19th, with the exception of a few hours, the C&C servers have been reliably online and almost all bots have stopped connecting to the DGA (though no commands have been sent yet). The fact that bots will not stop polling the DGA until a C&C server replies with a digitally signed response would suggest that the botmasters are still fully in control of the botnet, or someone else has gotten hold of the private key.
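The discovery loop described in the two passages above (hardcoded domains first, then DGA candidates, and nothing is accepted until a reply verifies under the botmaster’s key) as a toy simulation. This is an added example and not Necurs code or the author’s tracker: the domain names, the date-seeded DGA, the command format and the RSA key pair are all invented stand-ins, and the hardcoded primes are tiny so the “signature” is trivially breakable; it only exists to show why a sinkhole that answers on a hardcoded domain without the private key does not stop the DGA polling.

```python
"""Toy model of signed-C&C discovery: hardcoded domains, then DGA candidates,
accept only a reply that verifies under the botmaster's public key.
Added example; nothing here is the real Necurs DGA, protocol or key."""
import hashlib
from datetime import date

# Toy RSA key. The primes are tiny (demo only, factorable in milliseconds);
# a real botnet embeds a large public key in the binary.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                     # public exponent, baked into the bot
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the botmaster


def _digest(msg: bytes) -> int:
    """Hash the reply and reduce it into the RSA modulus (toy; no padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, priv: int = D) -> int:
    """Botmaster side: sign a C&C reply. Needs the private exponent."""
    return pow(_digest(msg), priv, N)


def verify(msg: bytes, sig: int) -> bool:
    """Bot side: check a reply with only the public exponent."""
    return pow(sig, E, N) == _digest(msg)


def dga(seed_date: date, count: int = 4, tld: str = ".example"):
    """Illustrative date-seeded DGA (hypothetical, not Necurs' algorithm)."""
    domains = []
    for i in range(count):
        h = hashlib.md5(f"{seed_date.isoformat()}:{i}".encode()).hexdigest()
        domains.append(h[:12] + tld)
    return domains


HARDCODED = ["cnc-primary.example", "cnc-backup.example"]   # made-up names


def find_cnc(today: date, responders: dict):
    """Walk the candidate list in order and return (domain, payload, tried).

    responders maps domain -> (payload, signature) for hosts that answer;
    unanswered domains are simply skipped. A reply whose signature does not
    verify is treated like no reply, so the bot keeps polling, which is the
    DGA traffic the passive-DNS graph shows while every real C&C is down."""
    tried = []
    for domain in HARDCODED + dga(today):
        tried.append(domain)
        reply = responders.get(domain)
        if reply is None:
            continue
        payload, sig = reply
        if verify(payload, sig):
            return domain, payload, tried
    return None, None, tried


def scenario_botmaster_on_dga(today: date = date(2016, 6, 11)):
    """Only the third DGA domain answers, with a properly signed command."""
    cmd = b"cmd=spam;template=old_campaign"   # constructed payload
    target = dga(today)[2]
    return find_cnc(today, {target: (cmd, sign(cmd))})


def scenario_sinkhole_without_key(today: date = date(2016, 6, 11)):
    """A sinkhole grabs the primary hardcoded domain but cannot sign."""
    forged = b"cmd=update;url=http://sinkhole.example/"   # constructed payload
    return find_cnc(today, {HARDCODED[0]: (forged, 12345)})


if __name__ == "__main__":
    print(scenario_botmaster_on_dga())
    print(scenario_sinkhole_without_key())
```

In the first scenario the bot stops after five lookups (two hardcoded, three DGA) and takes the command; in the second it walks every candidate and comes back with nothing, exactly the "still polling the DGA" state that tells you the botmasters, or whoever holds the key, have not yet answered. Anyone evaluating a takedown of a botnet built this way should assume the same: owning the domains without the key buys visibility, not control.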
Dridex & Locky
When news went mainstream on June the 8th there were mixed reports about Dridex and Locky also being down or dead, which is where I’d have liked to have given my input (unfortunately I wasn’t home). Around the time of the Necurs outage various people began reporting a significant drop in Locky and Dridex spam email, which had led some to theorize that the group behind Dridex and Locky had also been arrested.
I’d actually been monitoring Necurs for a while before the downtime and had seen it sending out Locky emails on multiple occasions, so it was obvious that the Necurs downtime was also the cause of the drop in Locky emails, but what had me confused was Dridex. Personally I’ve never seen Necurs spam Dridex, though I’m sure it has at some point; however, I do know that the Dridex group have a much more sophisticated operation for sending spam, because they prefer to infect systems of high financial value (usually business networks), which is easier if the spam operation goes unnoticed (i.e. not sent out from 2 million mostly third world computers).
As far as Locky being dead goes, I guess it depends on your definition of dead; if I say someone is dead I don’t expect them to show up at my door a week later with a new baby, but maybe that’s just me. As of now no new Locky emails have been seen even though the Necurs botnet is back online, but there haven’t been any arrests announced, so I’d definitely not call it dead yet. Dridex, on the other hand, is still actively issuing new commands; however, no new Dridex emails have been seen either.
This isn’t the first time the Dridex botnet has stopped spreading; in the past it has usually happened right before a big update, and with Locky pretty much confirmed to be another product of the Dridex group, as well as some evidence tying the Necurs botnets to them too, it’s not entirely impossible that they are simply busy gearing up for the next big evolution.
Of course, only time will tell.
UPDATED 18:55 2016-06-21
Necurs has just begun spamming a new Locky campaign, this time with a clean binary featuring updated anti-vm code, so you could probably say both Necurs and Locky are definitely not dead.