- Beginning in May of 2018, Black Lotus Labs observed regular, sustained downtime of roughly two weeks, followed by roughly three weeks of activity for the three most active groups of bots comprising Necurs.
- Necurs' roughly 570,000 bots are distributed globally, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran.
- Necurs uses a domain generation algorithm (DGA) to obfuscate its operations and avoid takedown. However, a DGA is a double-edged sword: because the DGA domains Necurs will use are known in advance, security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate bots and command-and-control (C2) infrastructure.
- CenturyLink took steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet.
- Discover how TheMoon has evolved into a proxy as a service: http://news.centurylink.com/2019-01-31-TheMoon-Illustrates-Evolving-Threat-of-IoT-Botnets.
- Learn more about Mylobot's second stage attack: http://news.centurylink.com/2018-11-14-Mylobot-botnet-delivers-one-two-punch-with-Khalesi-malware.
- Find out how the Satori botnet is resurfacing with new targets: http://news.centurylink.com/2018-10-29-Satori-botnet-resurfaces-with-new-targets.
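
The DGA finding above, as an added sketch that is not CenturyLink's or Black Lotus Labs' code: because a DGA derives its domains from a shared input such as the date, a defender can precompute the same list and match it against resolver logs to list clients that look infected. `toy_dga` is a hypothetical stand-in, not Necurs' actual algorithm, and the log format, addresses and queries are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical toy DGA: NOT Necurs' real algorithm, seed, TLDs or schedule.
TLDS = ["example", "test", "invalid"]  # reserved TLDs, never resolvable

def toy_dga(day, count=8):
    """Derive the day's candidate domains from the date alone."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # Map the first 12 hex digits to the letters a-p to form the label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def precompute(start, days):
    """Defender side: map every domain in the window to its generation date."""
    window = (start + timedelta(days=n) for n in range(days))
    return {name: day for day in window for name in toy_dga(day)}

def suspected_bots(log_lines, table):
    """Return {client_ip: sorted DGA domains queried} from 'ts client qname' lines."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise case and trailing dot
        if qname in table:
            hits[client].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample resolver log (documentation IP ranges, made-up queries).
DAY = date(2019, 2, 1)
TABLE = precompute(DAY, days=3)
D0, D1 = toy_dga(DAY)[0], toy_dga(DAY + timedelta(days=1))[3]
SAMPLE_LOG = [
    f"2019-02-01T08:00:01Z 192.0.2.10 {D0}",
    f"2019-02-01T08:00:02Z 192.0.2.10 {D1.upper()}.",
    "2019-02-01T08:00:03Z 198.51.100.7 www.example.com",
    f"2019-02-02T09:30:00Z 203.0.113.5 {D1}",
    "malformed line",
]

if __name__ == "__main__":
    print(suspected_bots(SAMPLE_LOG, TABLE))
```

The same precomputed table is what makes sinkholing possible: whoever registers a future domain first receives the check-ins from every bot that resolves it.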
SOURCE CenturyLink, Inc.