Microsoft Joins Offensive Against Major Botnet

Microsoft Joins Offensive Against Major Botnet

Microsoft Corp. is well-known for making products to defend computers that run its software from attacks, but on Monday (Oct. 12) the company announced that it led a major offensive operation against one of the world’s most notorious botnets.

The target was systems linked to the dissemination of Trickbot, a botnet that has been used by some sophisticated players since late 2016 to deploy ransomware, especially in attacks on financial institutions (FIs). U.S. government officials recently said they feared botnets would be used to interfere with the upcoming presidential election. Victims attacked with Trickbot also have included municipalities and healthcare systems.

Payment systems also have become an increasingly common target of ransomware, which freezes computer systems and usually can only be deactivated by the perpetrators who caused it to be installed.

Microsoft and a who’s who list of technology companies “have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a blog post on Monday.

In addition to attacking Trickbot with technology, Microsoft also went to court with copyright claims against the authors of Trickbot, since it includes a portion of Microsoft code.

“This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place,” Burt wrote.

Burt’s blog post also offered new insight, at least for lay readers, into the ways Trickbot has thwarted conventional approaches to computer security.

“Trickbot’s spam and spear-phishing campaigns used to distribute malware have included topics such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links. Based on the data we see through Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using COVID-19-themed lures,” he wrote.

Burt’s post ended with a pledge of ongoing vigilance: “We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”

Organizations involved in the action with Microsoft include Symantec, NTT Ltd., Lumen, ESET and FS-ISAC.