Analysis: Will Trickbot Takedown Impact Be Temporary?Experts Weigh in on the Effects of Actions by Microsoft and Others to Disable Botnet
Despite the takedown of the Trickbot botnet by Microsoft and others Monday, the malware is still functioning, and its operators retain the tools needed to rebuild their malicious network, some cybersecurity experts say. So, the impact, while significant, could prove to be temporary.
"Trickbot is not gone from the face of the earth. This is a multimillion-dollar organization that has some resiliency built into it," says Kevin Haley, director of security response at Symantec, a division of Broadcom. The company worked with Microsoft's Digital Crimes Unit on the takedown, along with the Financial Services Information Sharing and Analysis Center and security firms ESET, Lumen's Black Lotus Labs and NTT.
Even though Trickbot’s U.S.-based command-and-control servers were taken offline, the botnet’s infrastructures in other countries will continue to function unless local law enforcement agencies force ISPs to shut them down, Haley says.
Jerome Segura, director of threat intelligence with the security company Malwarebytes, called Trickbot not only one of today's top threats but a tough adversary.
"Disrupting large botnets is not an easy task these days, especially considering that their operators typically build fallback mechanisms. This is the case with TrickBot, and we can expect that this takedown will cause some harm but likely won't be a problem for its resiliency," he said.
The powerful botnet has long been used to distribute a variety of malicious code, recently including the Ryuk ransomware variant, which the U.S. government has cited as a potential threat vector against the Nov. 3 election.
‘Victory for Good Guys’
Even if the takedown is temporary and incomplete, however, Haley and others called the move "a victory for the good guys."
"We should celebrate victories when they happen as it means that some victims were spared," Segura says.
Trickbot's operators have built in a layer of redundancy by scattering other servers throughout the world, which likely will enable the botnet to continue operating on some level, says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
"Nonetheless, any disruption to the botnet is a welcome one, and we certainly hope other countries around the world take similar action,” Hahad says. “We believe it will take months for the botnet to rebuild to the level it was before this disruption, but it will require action from everyone to keep patching their systems to avoid new infections.”
Security experts say it’s difficult to estimate how long it might take Trickbot’s operators to fully reestablish the botnet.
"While many pieces of Trickbot's infrastructure were disrupted with this effort, there are still Trickbot servers and newer [command-and-control servers] up as of this afternoon,” Sherrod DeGrippo, senior director of threat research at security company Proofpoint, said on Tuesday. “Trickbot can of course easily operate outside of the jurisdiction of the U.S. court order. The nodes that were taken down are likely to be replaced.”
Trickbot and the US Election
The Trickbot takedown was positioned by Microsoft and others as a defensive measure designed, in part, to help protect the November election from cyberattack. The FBI and the Cybersecurity and Infrastructure Security Agency have issued a series of warnings over the past month about potential cyber disruptions and disinformation campaigns that could affect the election (see: Hackers Chaining 'Zerologon,' Other Vulnerabilities).
Some cybersecurity insiders say any move against organized cybercriminals will help improve election security, but no direct link between Trickbot and election disruption efforts has been established.
"The linkage between Trickbot-based ransomware attacks and threats to election security is a tenuous one," says Sean Gallagher, senior threat researcher at Sophos. "We haven't seen ransomware gangs target election infrastructure, or even local governments, specifically for political effect in the past - they've been hit because of phishing attacks that were at most targeted to individuals based on public data and were otherwise opportunistic."
Proofpoint's DeGrippo adds: "While we have seen other malware accompanying election-themed lures, we haven't observed direct evidence that Trickbot specifically would be leveraged against election-related entities or distributed with election-themed messages. As we get closer to Election Day, we will watch for this to develop."
Because ransomware attackers' tactics continually evolve, Gallagher says, the Trickbot takedown “will likely not have a sizeable impact on the attackers we've been tracking."
Gallagher and others point out, however, that even a partial Trickbot takedown is welcome news. If Trickbot was left alone and then used against the election, Haley says, "we would kick ourselves for doing nothing. These are really bad guys.”
Taking Down Trickbot
Microsoft obtained a court order from the U.S. District Court for the Eastern District of Virginia that allowed it to disable the servers that hosted Trickbot in the United States, Tom Burt, the company's corporate vice president of customer security and trust, said Monday.
"We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems," Burt said.
The Washington Post, citing sources, reported last week that U.S. Cyber Command had launched a counterstrike designed to at least temporarily take down Trickbot in the run-up to the election.
Bazar and Trickbot
The Bazar backdoor and loader have become favorite malware options for the operators behind Trickbot to help target high-value enterprise victims, according to a report released this week security firm Advanced Intelligence.
This approach is not likely to change much even though Microsoft and others helped disrupt the Trickbot botnet this week by targeting its U.S.-based infrastructure and command-and-control servers, the researchers note. Some security researchers noted that operation could help protect the U.S. elections in November (see: Microsoft, Others Dismantle Trickbot Botnet).
A major reason this relationship is unlikely to change is that Bazar loader and backdoor are among the stealthier tools for inserting a wide variety of malware - not just Trickbot, says Roman Marshanski, an analyst with Advanced Intelligence, tells Information Security Media Group.
"We do not predict any significant changes for BazarLoader operators. BazarLoader was designed and created as a more concealed and stealthier malware," Marshanski says.
Earlier Botnet Takedown
Microsoft has used the U.S. court system to disrupt many illegal activities in the last year, including a move in March to disrupt the Necurs botnet.
A court order from the U.S. Eastern District of New York enabled Microsoft to take control of U.S.-based infrastructure used by the botnet to distribute malware and infect computers, according to a previous report published by Burt. Microsoft says it observed one Necurs-infected computer sending 3.8 million spam emails to more than 40.6 million targets over a 58-day period (see: Microsoft Disrupts Necurs Botnet).
Haley notes, however, that Trickbot’s infrastructure is not at all like Necurs’ infrastructure.
"Microsoft took Necurs down by going after domain names the botnet used,” he says. “Necurs would change the domain names of its command-and-control servers, using a program on the infected machine that would generate the new domain names. By figuring out how the algorithm worked, Microsoft knew what the future domains would be and prevented Necurs from owning them. This is similar to how Conficker was neutered. With Trickbot, Microsoft used a new legal method to have ISPs take down the command-and-control servers."
Microsoft’s Burt explained that the Trickbot case included copyright claims against the botnet’s malicious use of the company’s software code.
But Andrea Carcano, co-founder of security firm Nozomi Networks, says Microsoft’s Necurs takedown operation shows Microsoft could similarly prevent Trickbot from reemerging as a powerful botnet.
"By analyzing the algorithm Necurs used to systematically generate new domains, Microsoft was able to accurately predict the 6 million unique domains that would be created within the next 25 months,” he says. “Microsoft reported these domains to their respective registries worldwide, allowing the websites to be blocked and preventing them from becoming part of the Necurs infrastructure.”
Senior Correspondent Chinmay Rautmare contributed to this report.