Microsoft Corporation. It carried out a coordinated legal hacking attack in an attempt to disable a malicious bot as a service Bot trickIt is a global threat that has infected millions of computers and is used to spread ransomware. A Virginia court granted Microsoft control of several internet servers that Trickbot used to steal infected systems, based on new allegations that the crime machine misused the software giant’s trademarks. However, it appears that the process did not completely disable the robots.
“We disrupted Trickbot through a court order that we obtained in addition to a technical measure that we carried out in partnership with telecom service providers around the world,” writes Tom Burt, Corporate Vice President of Customer Security and Trust at Microsoft, at Blog post This morning about the legal gambit. “We have now cut off the main infrastructure so that those running Trickbot cannot start new infections or activate ransomware that has already been dropped in computer systems.”
Microsoft’s action comes just days after the establishment of the US Army Cyber leadership It carried out its own attack That sent all infected Trickbot systems a command telling them to disconnect themselves from the internet servers that Trickbot’s masters had used to control. The nearly 10-day operation by Cyber Command has also stuffed millions of fake records about new victims into the Trickbot database in an attempt to confuse botnet operators.
In legal filings, Microsoft has argued that Trickbot is irreparably harming the company “by harming its reputation, trademarks, and customer goodwill. Defendants alter and physically destroy Microsoft products like Microsoft Windows products. Once Trickbot is infected, altered, and controlled, the Windows operating system stops” Operate normally and become tools for defendants to carry out theft. “
From a civil complaint filed by Microsoft on October 6 to US District Court for the Eastern District of Virginia:
“However, they still carry Microsoft and Windows trademarks. This is clearly intended to really mislead and mislead Microsoft’s customers, and it causes severe damage to Microsoft’s trademarks and brands.”
Users exposed to the negative effects of these malicious apps mistakenly believe that Microsoft and Windows are the source of their PC’s problems. There is a great risk that users may attribute this problem to Microsoft and relate these problems to Microsoft Windows products, thus diluting and tarnishing the value of Microsoft and Windows trademarks and brands. “
Microsoft said it would take advantage of confiscated Trickbot servers to identify and assist Windows users affected by Trickbot malware clean up malware from their systems.
Trickbot has been used to steal passwords from millions of infected computers and reportedly to hijack access to over 250 million email accounts through which fresh copies of the malware are sent to the victim’s contacts.
Trickbot’s malware as a service feature has made it a reliable way to spread various strains of ransomware, and lock up infected systems on the company’s network unless the company agrees to pay an extortionate amount.
A particularly destructive strain of ransomware closely related to Trickbot – known as “Ryuk” or “Conti” – has been responsible for expensive attacks on countless organizations over the past year, including healthcare providers, medical research centers, and hospitals.
One of Ryuk’s recent victims is Universal Health Services (UHS), a Fortune 500 hospital and healthcare provider that operates more than 400 facilities in the United States and the United Kingdom.
On Sunday, September 27, UHS shut down its computer systems in healthcare facilities across the United States in an effort to stop the spread of malware. The disruption has caused some affected hospitals to redirect ambulances and move patients who need surgery to nearby hospitals.
Microsoft said it does not expect its work to permanently disable Trickbot, indicating that the scammers behind the botnet are likely to make efforts to revive their operations. But it is not yet clear if Microsoft succeeded in taking over all of Trickbot’s control servers, or when exactly coordinated hijacking of those servers occurred.
As the company notes in its legal files, the pool of internet addresses used as Trickbot consoles is dynamic, making attempts to disable bots even more difficult.
In fact, according to the real-time information published by Feudo tracker, A Swiss security site that tracks internet servers used as controllers for Trickbot and other botnet networks, nearly two dozen Trickbot control servers – some of which were first activated at the start of this month – are still alive and responding to requests at the time of this post.
An electronic intelligence company Intel 471 He says removing Trickbot entirely would require an unprecedented level of cooperation between parties and countries that most likely won’t cooperate anyway. This is partly because Trickbot’s primary control and control mechanism supports connectivity Onion router (TOR) – Distributed anonymization service is completely separate from regular internet.
“As a result, it is very likely that removing Trickbot’s infrastructure will have little to no effect in the medium to long term on Trickbot operation,” Intel 471 wrote in an analysis of Microsoft’s actions.
Moreover, Trickbot has a backup communications method that uses a decentralized domain name system called EmerDNS, Which allows people to create and use domains that cannot be changed, canceled, or suspended by any authority. Very popular cyber crime store Joker Stash – which sells millions of stolen credit cards – also use this setting.
From Intel Report 471 [malicious links and IP address defanged with brackets]:
“If all of Trickbot’s infrastructure was removed, the cybercriminals behind Trickbot would need to rebuild their servers and change the EmerDNS domain to point to their new servers. Hacked systems should be able to communicate with Trickbot’s new infrastructure. Trickbot’s EmerDNS Trust the Domain’s Security” Reserve[.]bazar was recently resolved to the IP address 195.123.237[.]156- It is no coincidence that this networked neighborhood also hosts Bazar servers to control malware. “
“ Researchers previously attributed the development of the Bazar malware family to the same group behind Trickbot, due to the similarities between the code with the Anchor malware family and its modus operandi, such as the shared infrastructure between Anchor and Bazar. On October 12, 2020, the IP backend range was resolved. 126.96.36.199[.]233, which was confirmed by Intel 471 Malware Intelligence Systems to be the URL for Trickbot Console in May 2019. This indicates that the back domain was still controlled by Trickbot operators at the time of this report. “
Intel 471 concluded that Microsoft’s action has done little so far to disrupt botnet activity.
The company wrote: “At the time of this report, the Intel 471 has not seen any significant impact on Trickbot’s infrastructure and its ability to communicate with infected Trickbot systems.”
Legal deposits are available from Microsoft Here.
Update, 9:51 am ET: Feodo Tracker now lists only six Trickbot Controllers in response. All six were first seen online in the past 48 hours. Perspective from Intel 471 added.