Disrupting a well-oiled botnet, or network of compromised computers used to launch attacks, isn’t easy.
It’s little surprise, then, that in the days after U.S. Cyber Command and Microsoft took aim at TrickBot, one of the world’s largest botnets, parts of the zombie computer army still appear to be active. The goal of the distinct operations carried out in recent weeks was to wound a vast, malicious network that Russian-speaking criminals had used to infect victims with ransomware.
Cyber Command, the offensive hacking unit within the U.S. Department of Defense, attacked the botnet’s infrastructure. In a separate action, Microsoft carried out a court order to disable some of TrickBot’s U.S.-based computer activity. The latter move appears to have taken large chunks of the botnet’s U.S.-based servers offline, forcing TrickBot’s puppet masters to reconfigure some of their operations, and seemed to give some organizations a reprieve to shore up digital defenses.
The dual actions sought to curb the ability of a criminal network to deploy ransomware on state and local IT systems in an election season, and also force TrickBot’s operators to invest resources in rebuilding infrastructure. In the longer term, for industry executives and law enforcement officials, it’s about pursuing a financially-motivated enterprise whose victims span numerous sectors.
In the days following the reported disruption attempts, “it wasn’t business as usual for TrickBot, but it wasn’t a deadly blow either,” said Alex Holden, chief information security officer of Hold Security, a Milwaukee-based company that tracks TrickBot.
Holden said the Trickbot infrastructure he follows is continuing to cause new infections, albeit in the hundreds per day rather than the thousands before the disruption attempts. “There is still functionality, there is still stolen data being added…there are still ransomware attempts going on,” he added.
Some analysts predicted that the botnet would adapt and continue to churn out infections and spam campaigns at a high rate, using different infrastructure. Richard Hummel, manager of threat research at Netscout’s Arbor Networks, said there was broad agreement among researchers that TrickBot’s operators would try to bounce back. And that could mean it becoming a potent vector for ransomware again.
Cybersecurity company Cofense on Wednesday reported seeing Emotet, a credential-stealing malicious software, again being used to distribute TrickBot.
The actions from Cyber Command and Microsoft and other tech firms were never meant to be a fatal blow to TrickBot. They were instead aimed at delivering a setback to the criminal network, with perhaps more punches to come.
Tom Burt, a vice president at Microsoft, said that as of Monday evening, all of the U.S.-based TrickBot infrastructure named in the court order had been taken offline. “We anticipate Trickbot’s operators will attempt to revive their operations, and we will take additional legal and technical steps to stop them if necessary,” he added.
Burt said his firm had made progress on Trickbot’s “non-U.S. infrastructure,” but did not elaborate on what that entailed. Symantec, another tech firm that worked with Microsoft on the disruption attempt, called the move “one step in an ongoing campaign.”
“Complete eradication of this botnet will likely require additional actions from government partners in multiple jurisdictions,” Symantec said in a blog post this week.
The offensive against TrickBot has cybersecurity experts reflecting on what works best against a global botnet.
In some cases, the best option might be to effectively smoke the botnet out, terminating some of its operations in one part of the world, forcing the attackers to resurface in a place where investigators have more visibility. In other cases, a well-timed court order can really do damage to the zombie computers, as when the Justice Department used a nonprofit organization to send a “kill signal” to disable the Coreflood botnet in 2011.
GameOver Zeus, a notorious botnet that stole millions of dollars from victims, survived multiple attempts by security researchers to hamper it before a FBI-assisted crackdown did the trick in 2014.
In April 2017, a Russian man named Peter Levashov was arrested in Spain for allegedly running the Kelihos botnet, one of the biggest and longest running spam operations to date. The Kelihos botnet hasn’t reared its head since, according to anti-virus company McAfee.
“[I]n our experience, the most successful botnet takedowns require both a technical blitz and physical arrests of the operating crew,” said Christiaan Beek, lead scientist and senior principal engineer at McAfee.