Operators of Trickbot—a for-hire botnet that has infected more than 1 million devices since 2016—are looking for new ways to stay afloat after Microsoft and a host of industry partners took coordinated action to disrupt it last week.
In an update published on Tuesday, Microsoft Corporate VP for Security & Trust Tom Burt said the operation initially managed to take down 62 of the 69 servers Trickbot was known to be using to control its vast network of infected devices. Trickbot operators responded by quickly spinning up 59 new servers, and Microsoft was able to eliminate all of them except for one.
In all, the industrywide operation has taken down 120 of 128 servers identified as belonging to Trickbot. Now, Trickbot is responding by using a competing criminal group to distribute the Trickbot malware.
Fighting to stay alive
“This is one of many signs that suggests to us that, faced with its critical infrastructure under repeated attack, Trickbot operators are scrambling to find other ways to stay active,” Burt wrote. “While an arrangement with other actors will not enable Trickbot to equal its homegrown capabilities, it’s also a reminder that there are many threats to keeping cyberspace secure and it’s important for people—especially those involved in the security of our electoral processes—to stay vigilant.”
Burt, who has overseen several global botnet takedowns in the past, said the industry is getting better at them. After identifying new Trickbot servers, Microsoft and its partners have been able to locate their respective hosting providers, initiated required legal actions, and taken down the new infrastructure in as little as three hours. With the coordination of the many partners, one takedown took less than six minutes from the time the provider hosting the server was notified.
Burt also said that rebuilding an infrastructure of command servers is time-consuming and isn’t simply a matter of setting up new servers. “New servers need to be provisioned to begin talking with the botnet’s infected devices and issuing commands, all of which takes time.” He said that many of the servers that remain standing are routers or other types of Internet-of-things devices that aren’t vulnerable to normal takedown procedures.
People outside of Microsoft agreed that the takedown appears to be achieving results. Marcus Hutchins, a researcher who closely follows botnets, said that Trickbot has two classes of servers. Command servers update configurations and send commands, while plugin servers download modular tools used for things like bank fraud, infecting new computers, or sending spam.
Even a single command server can rapidly tell all infected computers where to find new control servers, so the partial takedown of them isn’t much of a body blow, Hutchins said. In fact, in the hours leading up to the publishing of this post, the botnet operators were able to add 13 new command servers.
Also I just looked and they pushed a new server list with 100% working servers.
— MalwareTech (@MalwareTechBlog) October 20, 2020
Where things get more optimistic for the takedown members is that, for some reason, none of the plugin servers is being replaced.
“Without the plugin servers, the bot is just a loader with nothing to load,” Hutchins told me. “Essentially, the botnet is out of action for now. As long as they have working C2s, they could revive it. But as it stands, they have not.”
“I’m not dead yet”
Hutchins said that the victory is by no means complete. For one thing, it’s possible the plugin servers may still be restored. And for another, at the time this post was going live, the Trickbot operators were actively deploying ransomware using what’s called the BazarLoader.
It’s still too early to declare victory. It’s not clear precisely why the plugin servers aren’t being replaced. If the plugin servers return, Trickbot’s normal malicious tricks will likely return.
“It’s definitely not dead,” Hutchins said, “just incapacitated.”