A Masterpiece of Criminality

The Cardsharps by Master Painter Caravaggio

The Cardsharps by Master Painter Caravaggio

The Necurs Botnet is so ingeniously crafted it is commonly referred to as a “Masterpiece of Criminality”. The master artist Caravaggio was also known to be a fugitive criminal, numerous paintings of his deal with blood and crime, and his picture the Cardsharps is all about deception, where looks are sneaked, things happen behind backs, and all before our eyes, just like the master cyber criminals behind Necurs.

The sophistication of malicious botnets has increased dramatically in recent history. While numerous techniques are in use to identify and mitigate them, cyber criminals have in turn become increasingly innovative in evading detection.

What is a botnet? Basically it is a network of infected computers that are under control of a criminal Command and Control (also known as C&C or C2), and are leveraged for many different types of malware distribution and other malicious activity, their presence and structure was documented over 15 years ago . Some botnets are so large that they are being leveraged for a multitude of criminal activities simultaneously. There are many different active criminal botnets at any given time, owned and controlled by different gangs, e.g. the eastern European “Business Club”.

What are the White Hats doing to stop the malicious botnets?

A growing number of DNS technology vendors are offering features that include (infected) device fingerprinting, and DNS communication with C2. However, this is not always as simple as it used to be (see below on the innovative Cyber Criminals). Security Researchers and Vendors are also increasingly cooperating on their Threat Intelligence data to ensure the maximum on knowledge and data is extracted on cyber criminals, including botnet operators.

A popular technique used by Security Researchers, Vendors and official authorities is DNS Sinkholing, referred to hereafter as Sinkholes. Typically the Sinkhole operator is cooperating with a local Registrar to then spoof the authoritative DNS and thereby ensure infected machines get a DNS resolution that points to the Sinkhole instead of the botnet gang C2.

How do Sinkholes work?

Infected computers are redirected to the Sinkhole instead of the botnet gang C2 via DNS. For example the Sinkhole operator spoofs the relevant C2 DNS entry in cooperation with Domain Registrars or ISPs. In detail: the criminal site “www.thebusinessclub.ru” initially resolves to the IP address 1.2.3.4 of the botnet gang. After Sinkhole operator spoofing it then resolves to 11.22.33.44 or the Sinkhole operator’s server. In this way the Sinkhole operator is communicating with many different infected machines and can learn more about the botnet and its C2 architecture, the malware and the malicious activities going on. This can provide the Sinkhole operator with crucial data and knowledge about the botnet operators. While there was some initial optimism that Sinkholes could take on an active role in neutralizing botnets, now it is seen more as a way to spy on botnet activity.

The innovative Cyber Criminals

Using Sinkholes to detect, analyze and potentially neutralize botnets is becoming increasingly challenging. The botnet gangs have devised numerous techniques to evade and overcome Sinkholes, here are some examples:

  • Increase the size of the DNS name pool in order to draw actual used DNS names from a much larger pool. Research has shown that newly allotted DNS names used for ransomware for example has increased 35-fold in a single quarter (https://www.infoblox.com/dns-threat-index)
  • Dynamic Generation Algorithm or “DGA” allows the botnet gang to continually rotate the relatively small number of domain names in actual use out of a potentially very large pool in an unpredictable way. This technology may also leverage public key cryptography to ensure the infected machine is not fooled by the Sinkhole (see also https://blogs.forcepoint.com/security-labs/lockys-new-dga-seeding-new-domains).
  • Domain Shadowing: malicious actors are infiltrating users with domain registrant accounts and leveraging their DNS capabilities to create subdomains for criminal activities. This is a good way to avoid detection as the Zone Apex or Naked Domain (e.g. goodguy.com) are not on any blacklists of known malicious domains.
  • Fast flux is a technique used to mask botnets, enabling them to hide behind a quickly changing network of compromised hosts acting as proxies, and using multiple IP addresses associated with the same domain name.
  • The resilient C2 architecture
    To ensure resiliency, Command and Control supports multiple communication alternatives or a so-called hybrid P2P architecture:
    • HTTP using a list of hardcoded servers;
    • HTTP using a server obtained through a DGA (see above);
    • A custom Point to Point or P2P network that is used mainly to deliver lists of HTTP C2 servers.
  • IP address conversion
    the botnet gangs are leveraging algorithms to convert the IP addresses received through DNS to the real IP addresses of its servers, and changing them quickly if backward engineered by the white hats.

Case in Point: Necurs botnet

All of this leads us inexorably to the notorious Necurs botnet. This botnet gang has been leveraging most if not all of the above evasion techniques to ensure maximum investment. The malware types controlled by Necurs include the recently successful campaigns of Locky and Dridex which have been closely monitored by officials and security vendors alike. As mentioned above, the Necurs Botnet is so sophisticated it is commonly referred to as a “Masterpiece of Criminality”. This botnet was also considered the world’s largest botnet until early June 2016 when it virtually disappeared under mysterious circumstances . What happened? At the same time some 50 hackers behind the Lurk Trojan were arrested by Russian authorities.

In a recent motherboard.com post , it is claimed to be coincidence that these 50 Russian hackers responsible for the Lurk Trojan were arrested at the same time the Necurs botnet disappeared. Is it really a coincidence? Dontneedcoffee.com links the indexm variant of Angler Exploit Kit to the Lurk Trojan, and further links the spread of the Angler EK to the Necurs botnet.

Note that malware architects are increasingly under the same pressure as software vendors, rushing to get new technologies out to the market first and neglecting security. Maybe some of the technology behind the Necurs botnet mistakenly leaks personal information on their criminal authors and actors?

Will the Necurs botnet reappear? Maybe his true identity is now known by authorities? What do you think?

Tags botnetscriminal activitymalicious softwareDNSHTTPtrojansmalicious attackersDGA

Show Comments