A Masterpiece of Criminality

The Cardsharps by Master Painter Caravaggio

The Necurs botnet is so ingeniously crafted that it is commonly referred to as a “Masterpiece of Criminality”. The master painter Caravaggio was also known to be a fugitive criminal; many of his paintings deal with blood and crime, and his picture The Cardsharps is all about deception: looks are sneaked and things happen behind backs, all before our eyes, just like the master cyber criminals behind Necurs.

The sophistication of malicious botnets has increased dramatically in recent history. While numerous techniques are in use to identify and mitigate them, cyber criminals have in turn become increasingly innovative in evading detection.

What is a botnet? Basically, it is a network of infected computers under the control of a criminal Command and Control server (also known as C&C or C2), leveraged for many different types of malware distribution and other malicious activity; the presence and structure of botnets were documented over 15 years ago. Some botnets are so large that they are leveraged for a multitude of criminal activities simultaneously. There are many different active criminal botnets at any given time, owned and controlled by different gangs, e.g. the eastern European “Business Club”.

What are the White Hats doing to stop the malicious botnets?

A growing number of DNS technology vendors offer features that include fingerprinting of (infected) devices and detection of DNS communication with C2. However, this is not always as simple as it used to be (see below on the innovative cyber criminals). Security researchers and vendors are also increasingly sharing their threat intelligence data to ensure that the maximum knowledge is extracted about cyber criminals, including botnet operators.

A popular technique used by security researchers, vendors and official authorities is DNS sinkholing, referred to hereafter as Sinkholes. Typically the Sinkhole operator cooperates with the relevant registrar to replace the authoritative DNS records, thereby ensuring that infected machines receive a DNS resolution that points to the Sinkhole instead of the botnet gang’s C2.

How do Sinkholes work?

Infected computers are redirected via DNS to the Sinkhole instead of the botnet gang’s C2: the Sinkhole operator replaces the relevant C2 DNS entry in cooperation with domain registrars or ISPs. In detail: the criminal site “www.thebusinessclub.ru” initially resolves to the IP address 1.2.3.4 of the botnet gang. After the Sinkhole operator’s takeover it resolves instead to 11.22.33.44, the Sinkhole operator’s server. In this way the Sinkhole operator communicates with many different infected machines and can learn more about the botnet and its C2 architecture, the malware and the malicious activities going on. This can provide the Sinkhole operator with crucial data and knowledge about the botnet operators. While there was some initial optimism that Sinkholes could take an active role in neutralizing botnets, they are now seen more as a way to spy on botnet activity.

The innovative Cyber Criminals

Using Sinkholes to detect, analyze and potentially neutralize botnets is becoming increasingly challenging. The botnet gangs have devised numerous techniques to evade and overcome Sinkholes; here are some examples:

  • Increase the size of the DNS name pool so that the names actually in use are drawn from a much larger pool. Research has shown that newly allotted DNS names used for ransomware, for example, increased 35-fold in a single quarter (https://www.infoblox.com/dns-threat-index).
  • A Domain Generation Algorithm or “DGA” allows the botnet gang to continually rotate the relatively small number of domain names in actual use out of a potentially very large pool in an unpredictable way. This technique may also leverage public key cryptography to ensure the infected machine is not fooled by the Sinkhole (see also https://blogs.forcepoint.com/security-labs/lockys-new-dga-seeding-new-domains).
  • Domain Shadowing: malicious actors compromise users’ domain registrant accounts and leverage their DNS capabilities to create subdomains for criminal activities. This avoids detection because the zone apex or naked domain (e.g. goodguy.com) is not on any blacklist of known malicious domains.
  • Fast flux is a technique used to mask botnets, enabling them to hide behind a quickly changing network of compromised hosts acting as proxies, using multiple IP addresses associated with the same domain name.
  • The resilient C2 architecture
    To ensure resiliency, Command and Control supports multiple communication alternatives, a so-called hybrid P2P architecture:
    • HTTP using a list of hardcoded servers;
    • HTTP using a server obtained through a DGA (see above);
    • A custom peer-to-peer or P2P network that is used mainly to deliver lists of HTTP C2 servers.
  • IP address conversion
    The botnet gangs leverage algorithms to convert the IP addresses received through DNS into the real IP addresses of their servers, and change them quickly if reverse engineered by the white hats.
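The Sinkhole mechanism described under “How do Sinkholes work?”, together with the Domain Shadowing caveat above, as an added example that is not part of the original article: a minimal resolver-side Sinkhole that answers taken-over names with the operator’s IP, keeps resolving the benign zone apex, and records which clients queried the C2 name. The C2 name and IPs follow the article’s own example; the client addresses, the shadowed subdomain and the query log are constructed.

```python
from collections import defaultdict

SINKHOLE_IP = "11.22.33.44"  # the operator's server, as in the article's example

# Upstream A records as the botnet gang published them (constructed sample data).
UPSTREAM_A = {
    "www.thebusinessclub.ru": "1.2.3.4",   # C2 name from the article's example
    "cdn.goodguy.com": "5.6.7.8",          # shadowed subdomain under a benign apex
    "goodguy.com": "9.9.9.9",              # benign zone apex, must keep resolving
}

# Exact names the operator has taken over at the registrar. Matching is exact,
# so the benign apex goodguy.com is not caught by its shadowed subdomain.
SINKHOLED = {"www.thebusinessclub.ru", "cdn.goodguy.com"}


class Sinkhole:
    """Answers queries for taken-over names with the sinkhole IP and records
    which clients asked; that sighting list is how the operator maps the bots."""

    def __init__(self, sinkholed, upstream, sinkhole_ip=SINKHOLE_IP):
        self.sinkholed = {n.rstrip(".").lower() for n in sinkholed}
        self.upstream = upstream
        self.sinkhole_ip = sinkhole_ip
        self.sightings = defaultdict(set)  # name -> client IPs that queried it

    def resolve(self, qname, client_ip):
        name = qname.rstrip(".").lower()     # normalise trailing dot and case
        if name in self.sinkholed:
            self.sightings[name].add(client_ip)
            return self.sinkhole_ip
        return self.upstream.get(name)       # None for unknown names (NXDOMAIN)

    def suspected_infected(self):
        hosts = set()
        for clients in self.sightings.values():
            hosts |= clients
        return sorted(hosts)


# Constructed query log, one query per line: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """2016-06-01T10:00:01Z 10.0.0.5 www.thebusinessclub.ru A
2016-06-01T10:00:02Z 10.0.0.9 goodguy.com A
2016-06-01T10:00:03Z 10.0.0.9 CDN.goodguy.com. A
2016-06-01T10:00:04Z 10.0.0.5 www.thebusinessclub.ru A"""


def replay(log_text, sinkhole):
    """Feed each logged query through the sinkhole; return (client, qname, answer)."""
    results = []
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        results.append((client, qname, sinkhole.resolve(qname, client)))
    return results
```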

Case in Point: Necurs botnet

All of this leads us inexorably to the notorious Necurs botnet. This botnet gang has been leveraging most if not all of the above evasion techniques to protect its investment. The malware types controlled by Necurs include the recently successful campaigns of Locky and Dridex, which have been closely monitored by officials and security vendors alike. As mentioned above, the Necurs botnet is so sophisticated that it is commonly referred to as a “Masterpiece of Criminality”. This botnet was also considered the world’s largest botnet until early June 2016, when it virtually disappeared under mysterious circumstances. What happened? At the same time, some 50 hackers behind the Lurk Trojan were arrested by Russian authorities.

In a recent motherboard.com post, it is claimed to be a coincidence that these 50 Russian hackers responsible for the Lurk Trojan were arrested at the same time the Necurs botnet disappeared. Is it really a coincidence? Dontneedcoffee.com links the indexm variant of the Angler Exploit Kit to the Lurk Trojan, and further links the spread of the Angler EK to the Necurs botnet.

Note that malware architects are increasingly under the same pressure as software vendors: rushing to get new technologies to market first and neglecting security. Maybe some of the technology behind the Necurs botnet mistakenly leaks personal information about its criminal authors and actors?

Will the Necurs botnet reappear? Maybe the true identity of those behind it is now known to the authorities? What do you think?

Stories by Dr Claudia Johnson