News Hub

Microsoft attempts takedown of Trickbot botnet infrastructure

Written by Tue 13 Oct 2020

Experts consider criminal digital network a major threat to the US election

Microsoft has announced legal action seeking to disrupt a major cybercrime digital network that uses more than a million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the US presidential election.

The operation to knock offline the command-and-control servers for a global botnet that uses an infrastructure known as Trickbot to infect computers with malware was initiated on Monday.

It was begun under an order Microsoft obtained in Virginia federal court on October 6. Microsoft argued the crime network was abusing its trademark.

“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers.

“We’re sure that they are going to notice and it will be hard for them to get back to the state that the botnet was in.”

Cybersecurity experts said Microsoft’s use of a US court order to persuade internet providers to take down the botnet servers was laudable.

But they added it was unlikely to succeed because too many providers will not comply, and because Trickbot’s operators have a decentralised fall-back system and employ encrypted routing.

Paul Vixie of Farsight Security said via email “experience tells me it won’t scale — there are too many IP’s behind uncooperative national borders”.

And the cybersecurity firm Intel 471 reported no significant hit on Trickbot operations Monday and predicted “little medium- to long-term impact” in a report shared with The Associated Press.

But ransomware expert Brett Callow of the cybersecurity firm Emsisoft said a temporary Trickbot disruption could, at least during the election, limit attacks and prevent the activation of ransomware on systems already infected.

The announcement follows a Washington Post report on Friday of a major — but ultimately unsuccessful — effort by the US military’s Cyber Command to dismantle Trickbot beginning last month with direct attacks, rather than asking providers to deny hosting to domains used by command-and-control servers.

A US policy called “persistent engagement” authorises American cyberwarriors to engage hostile hackers in cyberspace and disrupt their operations with code, something Cybercom did against Russian misinformation agents during US midterm elections in 2018.

Created in 2016 and used by a loose consortium of Russian-speaking cybercriminals, Trickbot is a digital superstructure for sowing malware in the computers of unwitting individuals and websites.

In recent months, its operators have been increasingly renting it out to other criminals who have used it to sow ransomware, which encrypts data on target networks, crippling them until the victims pay up.

One of the biggest reported victims of a ransomware variety sowed by Trickbot called Ryuk was the hospital chain Universal Health Services, which said all 250 of its US facilities were hobbled in an attack last month that forced doctors and nurses to resort to using paper and pencil.

Written by Tue 13 Oct 2020

Send us a correction Send us a news tip