Microsoft organized 35 nations on Tuesday to take down one of the world’s largest botnets — malware that secretly seizes control of millions of computers around the globe. It was an unusual disruption of an internet criminal group because it was carried out by a company, not a government.
The action, eight years in the making, was aimed at a criminal group called Necurs, believed to be based in Russia. Microsoft employees had long tracked the group as it infected nine million computers around the world, hijacking them to send spam emails intended to defraud unsuspecting victims. The group also mounted stock market scams and spread ransomware, which locks up a computer until the owner pays a fee.
Over the past year, Microsoft’s Digital Crimes Unit has been quietly lining up support from legal authorities in countries around the world, convincing them that the group had seized computers in their territories to conduct future attacks.
“It’s a highway out there that is used only by criminals,” Amy Hogan-Burney, the general manager of the Digital Crimes Unit and a former F.B.I. lawyer said on Tuesday. “And the idea that we would allow those to keep existing makes no sense. We have to dismantle the infrastructure.”
The team struck on Tuesday, from an eerily empty Microsoft campus. Tens of thousands of workers had been ordered to stay home because the area near the headquarters in Redmond, Wash., has been a hot spot for the coronavirus. But taking down a botnet, the company concluded, was not a work-from-home task.
After cleansing the Digital Crimes Unit’s command center to eliminate any live viruses, a small team of Microsoft workers gathered in a conference room at 7 a.m., flipped on their laptops and began coordinating action against another kind of global infection.
As soon as a federal court order against the Necurs network was unsealed, they began prearranged calls with authorities and network providers around the world to strike Necurs at once, cutting off its connections to computers around the globe.
“Was Mongolia hit? I think it was in the court order,” one Microsoft employee asked. There was a debate about Somalia — “a very last-minute win,” another noted. “Tajikistan?” one person in the room asked, looking for it to turn green on a map overhead, indicating that the botnet had been neutralized there. “No joy yet.”
Rapidly, they took over or froze six million domain names that Necurs was using or had inventoried for future attacks. A domain name can be a website — www.nytimes.com is a legitimate one, for example — but Necurs had created an algorithm to spawn millions of new domains, often with deceptive names, for future use against unsuspecting victims. Microsoft engineers had cracked the code.