[German]In a coordinated action, tech companies such as Microsoft, Symantec and others have gained control of the TrickBot botnet. The goal is to deactivate this botnet.
Advertising
Background to the TrickBot botnet
TrickBot was originally a banking Trojan that first became known in 2016. The advanced TrickBot malware has infected over one million Windows systems worldwide since the end of 2016. Although the exact identity of the operators is unknown, investigations suggest that they serve both nation states and criminal networks for a variety of purposes. The backers operate an entire infrastructure, the TrickBot botnet, to monitor and control the malware. The group is suspected to be based in Russia.
A tool kit of malicious features
Microsoft's security specialists have analyzed about 61,000 trick bot malware examples during the investigations. What makes Trickbot so dangerous is the fact that it has modular functions that are constantly being developed. These modules infect the victims for the purposes of the operators through a "Malware-as-a-Service" model. The TrickBot network operators could give their 'customers' access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Besides infecting end-user computers, Trickbot has also infected a number of "Internet of Things" IoT devices, such as routers, extending Trickbot's reach to households and organizations.
The gang behind the malware act flexibly
In addition to providing modular capabilities for a variety of deployment scenarios, the operators of the botnet are flexible and adapt their technologies to social developments. Trickbot operators immediately responded to issues such as Black Lives Matter and COVID-19 with spam and spear-phishing campaigns that enticed users to click on malicious documents or links. Based on the data Microsoft receives from Microsoft Office 365's advanced threat detection, Trickbot was the most productive malware operation using COVID-19 as bait.
Destroing the TrickBot botnet
During the analysis of the TrickBot botnet, Microsoft and its partners succeeded in identifying operational details. These include information about the infrastructure that TrickBot uses to communicate with and control the victims' computers. It also includes knowledge of how infected computers communicate with each other. And the Trickbot mechanisms by which Trickbot evades detection and attempts to disrupt its operations have been explored.
When Microsoft observed how infected computers connected to and received instructions from command and control servers, the exact IP addresses of these servers could be determined. With this evidence, the court granted Microsoft and our partners permission to disable the IP addresses, make the content stored on the command and control servers inaccessible, suspend all services to the botnet operators and block all efforts by the trick-bot operators to buy or lease additional servers.
Advertising
In this article Microsoft announced the action to destroy the TrickBot botnet. Microsoft and its partners then took action to take over and deactivate the TrickBot botnet after the U.S. District Court for the Eastern District of Virginia granted the requested order to dismantle the TrickBot botnet..
Joint Action on destroyment
To carry out this action, Microsoft formed an international group of industrial and telecommunications providers. Involved was a global network of partners including FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Symantec, a division of Broadcom, in addition to the Microsoft Defender team. Microsoft's Digital Crimes Unit (DCU) led the investigation, as well as detection, analysis, telemetry and reverse engineering.
This action also represents a new legal approach that Microsoft's DCU is adopting for the first time. In the case, copyright claims against the malicious use of Microsoft's software codes by Trickbot were also asserted in court to obtain the court order. This approach is an important development in the efforts of Microsoft and other security companies to stop the spread of malware. According to Microsoft, the court order now issued also allows for civil actions to be filed to protect customers around the world.
Microsoft expects that the operators of Trickbot will make efforts to revive the operation of the botnet. However, the consortium intends to monitor the activities of the TrickBot gang and take additional legal and technical steps to stop the spread of malware.
There was a slightly different story from Washington Post,saying, that since the end of September 2020, the US military has been conducting an operation against the TrickBot malware and its botnet. With several attacks, the bots are said to have been snatched from the network and the database on its control server filled with non-existing bots. The backers of the gang, who are suspected to be in Russia, are supposed to be 'employed' in the context of the US presidential elections.
Advertising