Microsoft’s attempts to dismantle Trickbot’s infrastructure underscore the fact that taking down a botnet requires ongoing pressure to prevent its operators from setting up new infrastructure.
More than a week ago, Microsoft and its partners obtained a court order from the U.S. District Court for the Eastern District of Virginia to seize the servers in the United States controlling Trickbot. Considering the size of the botnet and how it has been used to spread malware—especially ransomware—disrupting the botnet had an immediate impact on the volume of global malware activity. However, these kinds of takedowns often have a temporary effect, since the criminals are still free to obtain new servers and rebuild the infrastructure. Recognizing that, Microsoft has continued its efforts and recently seized Trickbot servers that were based outside the United States. In its latest update, the company said it had eliminated 94 percent of Trickbot’s “critical operational infrastructure.”
"As of October 18, we've worked with partners around the world to eliminate 94 percent of Trickbot's critical operational infrastructure, including both the command-and-control servers in use at the time our action began and new infrastructure Trickbot has attempted to bring online," said Tom Burt, Microsoft's corporate vice president for customer security and trust.
Botnets are networks of machines that have been infected and receive instructions from a remote command-and-control server on what to do—such as sending out spam, stealing information, and compromising more systems to grow the botnet. Microsoft estimated Trickbot to have at least 1 million infected computers, although other security analysts believe the number is closer to 3 million devices. Trickbot is malware that can steal financial and personal data and install other malicious software, such as ransomware (namely Ryuk), onto infected machines. Trickbot was recently behind the attack on Universal Healthcare Services.
Microsoft initially identified 69 servers that were used to operate Trickbot and disabled 62. As the operators sought to rebuild their infrastructure using servers located outside the United States, Microsoft researchers identified 59 new servers.
"We have now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world," Burt said.
Shortly after Microsoft’s first seizure, security researchers warned that shutting down servers in the United States was just a temporary disruption, since data from threat-intelligence company Intel471 showed that Trickbot retained control of a small number of servers in Brazil, Colombia, Indonesia and Kyrgyzstan. While the total volume of Trickbot’s activity was lower than it used to be, that is normal after a takedown, as operators take a few days to rebuild.
One reason Trickbot may be having a harder time rebuilding is that Microsoft isn’t the only one trying to dismantle the botnet. United States Cyber Command has also been targeting Trickbot, according to the Washington Post. Europol has also arrested 20 people for allegedly being part of an international money-laundering ring that worked with Trickbot’s operators.
Microsoft said its operation was intended to disrupt Trickbot’s activities during the days leading up to the presidential election in the United States. Trickbot, believed to be run by Russian-speaking criminals, posed a “theoretical but real” threat to the integrity of the election by causing problems with state and local computer systems. Microsoft wasn’t worried that Trickbot’s operators would alter the actual ballots and change the election results, but rather that the botnet would hobble election-reporting systems and other election infrastructure, which could undermine voters’ confidence in the security (and the results) of the election.