Microsoft and other global infosec companies have mounted a joint operation to sabotage command-and-control (C2) infrastructure used by the Trickbot malware, which injects, among other things, ransomware into victims' PCs.
Coming on the heels of a US government operation to disrupt the Windows botnet late last week, as reported by infosec blogger Brian Krebs, the multinational effort to take down C2 infrastructure is being billed as part of an attempt to prevent systems involved in the American presidential elections, taking place on 3 November, from being infected with ransomware by the bots.
"We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world," blogged MS veep Tom Burt. "We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems."
An order granted by the US District Court for Eastern Virginia authorised Microsoft and chums to "disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers."
Fighting an online malware network in this way is rather like trying to kill a Hydra by cutting off its heads: you'll slow it down, but it's unlikely to roll over and die.
Slovakian infosec firm ESET was one of Redmond's partners. Jean-Ian Boutin, head of threat research, said: "Over the years we've tracked it, Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets out there. Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally."
Yes, there's lots of COVID-19-themed scuminess around – but otherwise the level of cybercrime is the sameREAD MORE
Trickbot is malware-as-a-service. Originally a banking trojan known as Dyre, the malware is now capable of being used to infiltrate a target network and drop other malware, such as ransomware. Britain's National Cyber Security Centre has a clear and detailed explanation and plain-language mitigation information here.
Additional firms involved in the counter-Trickbot effort included Lumen's Black Lotus Labs, NTT, Broadcom-owned Symantec, and others.
Companies notable by their absence from the list were ones from Britain, however. Although Microsoft's legal counsel managed to use US trademark law to seize and take down Trickbot's C2 infrastructure on the grounds that the malware occasionally impersonates the Windows operating system, UK criminal law doesn't help British companies take strong action against malware operators.
The Computer Misuse Act 1990 makes it a criminal offence to log into any system without the owner/operator's permission as well as doing any "unauthorised acts" to a computer that create a risk of causing "serious damage". As such, academics and security businesses have called for a reform.
The sloppily worded law was drafted in the late 1980s and has not kept pace with modern technology; there is a at least theoretical risk that a person or company in the UK deliberately disrupting malware C2 infrastructure could commit a crime in the process no matter how pure their motives.
Krebs, for what it's worth, reckons some of the Trickbot C2 servers remain online in spite of this crackdown and associated PR flurry. ®