Eerie Silence from Massive Source of Spam

Eerie silence from massive source of spam

There is a very murky side to the world of computing. While everyone has heard of hackers and maybe the term ‘the dark net’ has come across your radar, most people are happily oblivious to what goes on in the hidden corners of the Internet.

Frankly, that’s exactly how we want it to be for our customers. We put the pieces in place to protect them, monitor it constantly and, as long as everyone using company IT is responsible, everything that can be done to mitigate the risks of being online has been done, allowing them to get on with business.

However something strange has happened recently that’s worth pausing to note… One of the world’s biggest ne’er do well networks has gone quiet. It’s a botnet known to the security community as Necurs.

A botnet is a network of computers which have been compromised with software that allows someone (usually someone with criminal intent) to control them all. They might be used to distribute ransomware programmes, viruses or Trojans, or they could be put to work in concert to launch attacks on other networks, such as those belonging to big businesses or state security services.

Because Necurs was such a large botnet, thought to be about six million (yes, million) security-compromised Windows computers, it became very apparent when it suddenly went silent. No-one was using it or otherwise controlling it and a massive proportion of the world’s total spam stopped being sent! That was at the start of this month and we can see the effects in our own monitoring.

On the surface, this could be good news. There’s always a ‘but’ though.

Waiting to Wake Up?

Analysts have gone digging and found that the network of infected/compromised machines in the Necurs botnet are still there, they’re just waiting for someone to put command and control back in place…

This network is extremely valuable to criminals, so if the former owners are no longer controlling it, could someone else be trying to take it over? Will it spring back to life and carry doing what it’s always done, spewing spam across the globe?

The unknowns are potentially quite unnerving. That old phrase “better the devil you know” comes to mind. While we knew what it was up to, Necurs could be spotted and, to some extent at least, monitored – even if it couldn’t be stopped. Now it’s a waiting game. What happened to it and, more importantly, what’s going to happen? The best case scenario might be that it sits idle for a long time, until a growing proportion of those infected computers that make it up get cleaned up or decommissioned, degrading the botnet over time.

Bear in mind that this thing exists because the owners of those computers are unaware that they have been infected. The bad stuff goes on in the background where they can’t see it. In a well-managed network the network traffic they generate would set off alarms, but not in the millions of homes and small businesses around the world which simply put a computer on a desk, hook it up to the net and get on with their work. They are the real risk here.

In sharing these thoughts we don’t want to disconcert anyone, just to give you a glimpse into some of the darker corners of the internet. If we’ve got your back (in IT terms) we’ve very much still got your back. That’s a huge part of what we do and this changes nothing (we can protect every mailbox in your business from spam for just £1 each per month!). These issues are worth knowing something about though, because Necurs isn’t the only botnet and you don’t want to fall foul of one of its still-active siblings.