As part of a coordinated effort that began around a week and a half ago, Microsoft and its partners have almost completely disabled an elusive botnet that has infected over a million computing devices since late 2016.
“Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust,” Microsoft explained earlier this week.
Microsoft obtained a court order to coordinate its efforts with telecommunication providers around the globe. According to Microsoft, Trickbot is particularly dangerous because its modular makeup allows it to constantly evolve, making detection and removal more difficult than static malware.
In the past four years, Trickbot has infected computers and IoT devices, including wireless routers. In addition to doling out ransomware, which in one instance crippled the IT network of a hospital in Germany, Trickbot has been used to hijack web browsers to swipe login information for banking sites, and to conduct spam and spear phishing campaigns.
Microsoft said it initially discovered 69 servers that were core to Trickbot’s various operations. In a short span, it has knocked 62 of them offline.
“The seven remaining servers are not traditional command-and-control servers but rather internet of things (IoT) devices Trickbot infected and was using as part of its server infrastructure; these are in the process of being disabled. As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled,” Microsoft states in a new blog post.
Through ongoing tracking, Microsoft discovered 59 additional servers that Trickbot’s operators attempted to add into the mix, and subsequently disabled 58 of them. So in total, Microsoft has killed 120 of the 128 Trickbot servers it has discovered.
This is an ongoing offensive, and Microsoft says the numbers will inevitably change. “This is challenging work, and there is not always a straight line to success,” the company says. However, it has made a huge dent in Trickbot’s operations and is optimistic it will stay ahead of things.