Skip to content
Link copied to clipboard
Link copied to clipboard

Microsoft attempts takedown of global criminal botnet

Microsoft announced legal action Monday seeking to disrupt a major cybercrime digital network that uses more than 1 million zombie computers to loot bank accounts and spread ransomware.

A man wearing a mask looks at this phone outside the Microsoft office in Beijing, China in a Friday, Aug. 7, 2020 file photo.
A man wearing a mask looks at this phone outside the Microsoft office in Beijing, China in a Friday, Aug. 7, 2020 file photo.Read moreNg Han Guan / AP

Microsoft announced legal action Monday seeking to disrupt a major cybercrime digital network that uses more than 1 million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the U.S. presidential election.

The operation to knock offline command-and-control servers for a global botnet that uses an infrastructure known as Trickbot to infect computers with malware was initiated with a court order Microsoft obtained in Virginia federal court on Oct. 6. Microsoft argued that the crime network is abusing its trademark.

“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers. “We’re sure that they are going to notice and it will be hard for them to get back to the state that the botnet was in.”

Cybersecurity experts said that while Microsoft's use of a U.S. court order to persuade internet providers to take down the botnet servers is laudable, it's not apt to be successful because too many won't comply.

Paul Vixie of Farsight Security said via email "experience tells me it won’t scale -- there are too many IP’s behind uncooperative national borders.”

The announcement follows a Washington Post report Friday of a major — but ultimately unsuccessful — effort by U.S. Cyber Command to dismantle Trickbot beginning last month with direct attacks rather than asking online services to deny hosting to domains used by command-and-control servers.

A U.S. policy called “persistent engagement” authorizes U.S. cyberwarriors to engage hostile hackers in cyberspace and disrupt their operations with code, something Cybercom did against Russian misinformation jockeys during U.S. midterm elections in 2018.

Created in 2016 and used by a loose consortium of Russian-speaking cybercriminals, Trickbot is a digital superstructure for sowing malware in the computers of unwitting individuals and websites. In recent months, its operators have been increasingly renting it out to other criminals who have used it to sow ransomware, which encrypts data on target networks — crippling them until the victims pay up.

One of the biggest reported victims of ransomware sowed by Trickbot was the hospital chain Universal Health Services, which said all 250 of its U.S. facilities were hobbled in an attack last month that forced doctors and nurses to resort to paper and pencil.

U.S. Department of Homeland Security officials list ransomware as a major threat to the Nov. 3 presidential election. They fear an attack could freeze up state or local voter registration systems, disrupting voting, or knock out result-reporting websites.

Trickbot is a particularly robust internet nuisance. Called “malware-as a service,” its modular architecture lets it be used as a delivery mechanism for a wide array of criminal activity. It began mostly as a so-called banking trojan that attempts to steal credentials from online bank account so criminals can fraudulently transfer cash.

But recently, researchers have noted a rise in Trickbot’s use in ransomware attacks targeting everything from municipal and state governments to school districts and hospitals.

Alex Holden, founder of Milwaukee-based Hold Security, tracks Trickbot's operators closely and said the reported Cybercom disruption — involving efforts to confuse its configuration through code injections — succeeded in temporarily breaking down communications between command-and-control servers and most of the bots.

“But that’s hardly a decisive victory,” he said, adding that the botnet rebounded with new victims and ransomware.

The disruption — in two waves that began Sept. 22 — was first reported by cybersecurity journalist Bryan Krebs.

The Associated Press could not immediately confirm the reported Cybercom involvement.