Microsoft, Others Dismantle Trickbot BotnetCourt Order Enables Takedown of Servers to Disrupt Malware, Protect Election
Microsoft collaborated with cybersecurity companies and government agencies to take down the million-device Trickbot botnet in an effort to help protect the Nov. 3 U.S. election and stop the global spread of ransomware and other malware.
The botnet has been used to distribute a variety of malicious code, including the Ryuk ransomware variant, which the U.S. government has cited as a potential threat vector against the election.
Microsoft obtained a court order from the U.S. District Court for the Eastern District of Virginia that allowed it to disable the servers that hosted Trickbot, says Tom Burt, the company’s corporate vice president of customer security and trust.
"We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” Burt says. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
The Washington Post, citing sources, reported last week that U.S. Cyber Command had launched a counterstrike designed to at least temporarily take down Trickbot in the run-up to the election.
Microsoft says the malicious operators behind Trickbot will immediately attempt to recover.
"We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them," Burt says.
Burt notes Microsoft was able to determine how the Trickbot botnet operated - including the infrastructure the malware used to communicate with and control victim computers, the way infected computers talk with each other and the botnet's mechanisms to evade detection and attempts to disrupt its operation.
This information enabled Microsoft's researchers to identify the exact IP addresses of the servers used to support the botnet so they could be disabled.
"With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators and block any effort by the Trickbot operators to purchase or lease additional servers," Burt says.
Microsoft's Digital Crimes Unit worked with Financial Services Information Sharing and Analysis Center, as well as security firms such as ESET, Lumen's Black Lotus Labs, NTT and Symantec, a division of Broadcom, to take down Trickbot, according to the report.
"In 2020 alone, our automatic platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different Trickbot modules, giving us an excellent viewpoint of the different [command and control] servers used by this botnet," the security firm ESET reports.
Microsoft’s Digital Crimes Unit used a new legal weapon against Trickbot, Burt says.
"Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place," Burt says.
Suzanne Spaulding, a former Department of Homeland Security undersecretary of cyber and infrastructure who now serves as a Nozomi Networks adviser, says: "The Microsoft takedown is an example of exactly the kind of 'whole of a nation' and even 'whole of the world' approach we need." The private sector must work with government agencies and the courts, as well as international partners, "to identify and disrupt the bad guys,” she adds.
Trickbot Over the Years
Trickbot was first unleashed in 2016 as a banking Trojan but has steadily evolved. More recently, the malware has been used to distribute a variety of other malicious code, including the Ryuk ransomware variant.
"Trickbot's modular architecture allows it to perform a vast array of malicious actions using a variety of plug-ins,” ESET reports. “It can steal all kinds of credentials from a compromised computer and, more recently, has been observed mostly as a delivery mechanism for more damaging attacks, such as ransomware."
Trickbot is spread primarily through phishing attacks; the emails contain malicious attached Microsoft Word or Excel documents.
The federal government has issued a steady stream of alerts regarding hackers attempting to disrupt the November elections.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency warned of potential Emotet ransomware attacks. And on Oct. 1, CISA and the FBI warned of potential distributed denial-of-service attacks designed to disrupt the process.
These agencies also alerted the public to be wary of disinformation campaigns intended to either sway a person's vote or spread lies and rumors about the candidates.