To disrupt Necurs, Microsoft analyzed the algorithm the botnet used to generate new domains. It then predicted over six million domains that would be created in the next 25 months and reported them to registries around the world so that they could be blocked, preventing future attacks.
Today's action, Microsoft says, is the result of eight years of planning. Microsoft and its cybercrime-fighting cohorts first observed Necurs in 2012 and have seen it distribute malware like GameOver Zeus, which authorities squashed in 2014. It's likely been involved in stock scams, fake pharmaceutical spam emails and "Russian dating" scams, and authorities believe it's operated by Russia-based cybercriminals.
Last week, a US District Court issued an order that allowed Microsoft to take control of the US-based Necurs infrastructure. In addition to blocking new domains from being registered, Microsoft is working with internet service providers (ISPs) to help remove Necurs malware from their customers' computers.