UPDATED 21:20 EDT / OCTOBER 12 2020

trickbot SECURITY

Microsoft leads effort to disrupt infamous TrickBot botnet

Microsoft Corp. today claimed to have disrupted the infamous TrickBot botnet in partnership with other companies, but there’s evidence that only part of the botnet has been taken down.

TrickBot dates back to 2016 and is believed to exist on a network of more than 1 million machines. Initially used to target banking credentials with malware of the same name, TrickBot has since evolved.

In 2017 a new version went after niche financial institutions. In 2018 another new variant targeted cryptocurrency accounts and in 2019 it targeted email accounts in a phishing campaign. Most recently in March, Ostap Trojan-Downloader, yet another variant was detected in COVID-19 scams.

Fast forward to October, and it would appear that TrickBot is now being used to distribute ransomware along with general malware.

Microsoft joined with the Financial Services Information Sharing and Analysis Center, ESET spol s.r.o, Lumen Technologies Inc.’s Black Lotus Labs, Nippon Telegraph and Telephone Corp. and Symantec to study the botnet and its activities, with the ultimate goal of bringing it down. Having gathered sufficient evidence, Microsoft then gained a court order that allowed it to disable IP addresses, render the content stored on the command-and-control servers inaccessible, suspend all services to the botnet operators and block any effort by the TrickBot operators to purchase or lease additional servers.

This isn’t the first time Microsoft has taken legal action targeting a botnet. It successfully took on the Nucleus botnet in March. But where this court battle becomes interesting is in one of the legal arguments Microsoft put forward.

“Our case includes copyright claims against TrickBot’s malicious use of our software code,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said in a blog post. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”

Although some media reports suggest that Microsoft has “taken down” TrickBot, that’s not the exact language Microsoft itself uses, and the difference is important. Microsoft says it disrupted the botnet but does not claim to have taken it down.

According to security expert Brian Krebs, a security site that tracks servers used by TrickBot and other botnets shows that dozens of TrickBot control servers are still alive and operational. Currently the number of TrickBot control servers listed on the Feodo Tracker is eight, which is arguably an improvement but not total eradication of the bot.

Down or disrupted, the news that Microsoft has taken on TrickBot was well-received by security professionals.

“Microsoft has truly done an important service in thwarting Trickbot,” Chloé Messdaghi, vice president of strategy at cybersecurity training firm Point3 Security Inc. told SiliconANGLE. “It’s especially important because so many cities, towns and tribal jurisdictions across the U.S. rely on outdated technology including systems that have reached effective end-of-life, meaning that vendors no longer issue patches and security updates, leaving them even more vulnerable to the kinds of ransomware attacks spread by TrickBot.”

Mark Kedgley, chief technology officer at information technology security and compliance software company New Net Technologies LLC, noted that Microsoft’s new tactic of using copyright law to go after threat actors is a creative way to get legal backing to take the fight to the Botnet Wranglers.

Microsoft specifically raised concerns that TrickBot could be used to disrupt the U.S. presidential election. Jack Mannino, chief executive officer at application security provider nVisium LLC, said that the integrity and availability of systems during elections are critical to ensuring trust in the process. “Botnets can be used to overwhelm servers through well-timed DDoS attacks as well as erode trust against compromised systems,” he said.

Casey Ellis, chief technology officer of crowdsourced security provider Bugcrowd Inc., said such threats are especially important in the highly polarized U.S. presidential election.

“Regardless of the scale and nature of potential coming attacks, the most effective countermeasure the United States has is to dilute their impact through the greatest possible number of votes,” Ellis said. “The move to seize a series of IP addresses that have been directing activity on machines compromised with Trickbot helps reduce the risk of this botnet being involved in attacks in November, and projects a proactive stance to voters whose concerns about ransomware may have dissuaded them from voting in the first place.”

Photo: Microsoft

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.