Microsoft leads effort to disrupt infamous TrickBot botnet
Microsoft Corp. today claimed to have disrupted the infamous TrickBot botnet in partnership with other companies, but there’s evidence that only part of the botnet has been taken down.
TrickBot dates back to 2016 and is believed to exist on a network of more than 1 million machines. Initially used to target banking credentials with malware of the same name, TrickBot has since evolved.
In 2017 a new version went after niche financial institutions. In 2018 another new variant targeted cryptocurrency accounts, and in 2019 it targeted email accounts in a phishing campaign. Most recently, in March, yet another variant, Ostap Trojan-Downloader, was detected in COVID-19 scams.
Fast forward to October, and it would appear that TrickBot is now being used to distribute ransomware along with general malware.
Microsoft joined with the Financial Services Information Sharing and Analysis Center, ESET spol s.r.o, Lumen Technologies Inc.’s Black Lotus Labs, Nippon Telegraph and Telephone Corp. and Symantec to study the botnet and its activities, with the ultimate goal of bringing it down. Having gathered sufficient evidence, Microsoft then gained a court order that allowed it to disable IP addresses, render the content stored on the command-and-control servers inaccessible, suspend all services to the botnet operators and block any effort by the TrickBot operators to purchase or lease additional servers.
This isn’t the first time Microsoft has taken legal action targeting a botnet. It successfully took on the Nucleus botnet in March. But where this court battle becomes interesting is in one of the legal arguments Microsoft put forward.
“Our case includes copyright claims against TrickBot’s malicious use of our software code,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said in a blog post. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”
Although some media reports suggest that Microsoft has “taken down” TrickBot, that’s not the exact language Microsoft itself uses, and the difference is important. Microsoft says it disrupted the botnet but does not claim to have taken it down.
According to security expert Brian Krebs, a security site that tracks servers used by TrickBot and other botnets shows that dozens of TrickBot control servers are still alive and operational. Currently the number of TrickBot control servers listed on the Feodo Tracker is eight, which is arguably an improvement but not total eradication of the bot.
Down or disrupted, the news that Microsoft has taken on TrickBot was well-received by security professionals.
“Microsoft has truly done an important service in thwarting Trickbot,” Chloé Messdaghi, vice president of strategy at cybersecurity training firm Point3 Security Inc., told SiliconANGLE. “It’s especially important because so many cities, towns and tribal jurisdictions across the U.S. rely on outdated technology including systems that have reached effective end-of-life, meaning that vendors no longer issue patches and security updates, leaving them even more vulnerable to the kinds of ransomware attacks spread by TrickBot.”
Mark Kedgley, chief technology officer at information technology security and compliance software company New Net Technologies LLC, noted that Microsoft’s new tactic of using copyright law to go after threat actors is a creative way to get legal backing to take the fight to botnet operators.
Microsoft specifically raised concerns that TrickBot could be used to disrupt the U.S. presidential election. Jack Mannino, chief executive officer at application security provider nVisium LLC, said that the integrity and availability of systems during elections are critical to ensuring trust in the process. “Botnets can be used to overwhelm servers through well-timed DDoS attacks as well as erode trust against compromised systems,” he said.
Casey Ellis, chief technology officer of crowdsourced security provider Bugcrowd Inc., said such threats are especially important in the highly polarized U.S. presidential election.
“Regardless of the scale and nature of potential coming attacks, the most effective countermeasure the United States has is to dilute their impact through the greatest possible number of votes,” Ellis said. “The move to seize a series of IP addresses that have been directing activity on machines compromised with Trickbot helps reduce the risk of this botnet being involved in attacks in November, and projects a proactive stance to voters whose concerns about ransomware may have dissuaded them from voting in the first place.”