Microsoft attempts takedown of global criminal botnet
Microsoft announced legal action Monday seeking to disrupt a major cybercrime digital network that usesmore than 1 million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the U.S. presidential election.
The operation to knock offline command-and-control servers for a global botnet that uses an infrastructure known as Trick bot to infect computers with mal ware was initiated with a court order that Microsoft obtained in Virginia federal court on Oct. 6. Microsoft argued that the crime network is abusing its trademark.
“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said JeanIan Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers. “We’re sure that they are going to notice and it will be hard for them to get back to the state that the botnet was in.”
Cybersecurity experts said that Microsoft’s use of a U.S. court order to persuade internet providers to take down the botnet servers is laudable. But they add that it’s not apt to be successful because too many won’t comply and because Trickbot’s operators have a decentralized fall-back system and employ encrypted routing.
Paul Vixie of Farsight Security said via email “experience tells me it won’t scale — there are too many IP’s behind uncooperative national borders.” And the cybersecurity firmIntel 471 reported no significant hit on Trickbot operations Monday and predicted “little medium- to long-termimpact” in a report shared with The Associated Press.
But ransomware expert Brett Callow of the cybersecurity firm Emsisoft said that a temporary Trickbot disruption could, at least during the election, limit attacks.
The announcement follows a Washington Post report Friday of a major — but ultimately unsuccessful — effort by the U.S. military’s Cyber Command to dismantle Trickbot beginning lastmonthwith direct attacks rather than asking online services to deny hosting to domains used by command-and-control servers.