Operators of Trickbot — a rentable botnet that has infected more than 1 million devices since 2016 — are looking for new ways to stay afloat after Microsoft and a host of industry partners took concerted action last week to disrupt it.
In an update published Tuesday, Microsoft Corporate VP for Security & Trust Tom Burt said the operation was initially successful in taking down 62 of the 69 servers Trickbot was known to use to control its extensive network of infected devices. Trickbot operators responded by quickly setting up 59 new servers, and Microsoft was able to eliminate all but one of them.
In all, the industry-wide operation has taken down 120 of the 128 servers identified as belonging to Trickbot. Trickbot is now responding by working with a competing criminal group to spread the Trickbot malware.
Fight to stay alive
“This is one of many signs that tell us that faced with critical infrastructure under repeated attack, Trickbot operators are trying to find other ways to stay active,” Burt wrote. “While an arrangement with other actors will not allow Trickbot to match its homegrown capabilities, it is also a reminder that there are many threats to keeping cyberspace safe and it matters to people – especially those involved in the security of our electoral processes – to remain vigilant.”
Burt, who has overseen several global botnet takedowns in the past, said the industry is getting better at it. After identifying new Trickbot servers, Microsoft and its partners were able to locate their respective hosting providers, take the necessary legal action, and shut down the new infrastructure in just three hours. With the coordination of the many partners, one removal took less than six minutes from the time the provider hosting the server was notified.
Burt also said that rebuilding a command server infrastructure is time consuming and not simply a matter of setting up new servers. “New servers need to be provisioned to start talking to the botnet’s infected devices and issuing commands, all of which takes time.” He said many of the servers left standing are routers or other types of internet-of-things devices that aren’t vulnerable to normal takedown procedures.
People outside of Microsoft agreed that the removal seems to be producing results. Marcus Hutchins, a researcher who closely monitors botnets, said Trickbot has two types of servers. Command servers update configurations and send commands, while plug-in servers download modular tools used for things like bank fraud, infecting new computers, or sending spam.
Even a single command server can quickly tell all infected computers where to find new control servers, so partially disabling it isn’t much of a blow, Hutchins said. In the hours leading up to the publication of this post, the botnet operators were even able to add 13 new command servers.
What makes the outlook more promising for the takedown partners is that, for some reason, none of the plug-in servers are being replaced.
“Without the plugin servers, the bot is just a loader that doesn’t need to load anything,” Hutchins told me. “Essentially, the botnet is out of action for the time being. As long as they have working C2s, they can revive them. But as it stands now, they haven’t.”
“I’m not dead yet”
Hutchins said the victory is by no means complete. For one thing, it’s possible that the plug-in servers are still being restored. For another, at the time this post went live, the Trickbot operators were actively deploying ransomware using the so-called BazarLoader.
It is still too early to declare victory. It is not clear exactly why the plug-in servers are not being replaced. If the plug-in servers return, Trickbot’s usual malicious tricks will likely return with them.
“It’s definitely not dead,” Hutchins said, “just incapacitated.”