Microsoft helms campaign to disrupt TrickBot, the infamous botnet


Microsoft says it has disrupted the infamous TrickBot botnet in partnership with several other companies. The available evidence indicates that only part of the botnet was affected by the takedown. TrickBot first appeared in 2016 and is believed to have infected more than 1 million machines.

It started out as a banking trojan: the malware of the same name was used to steal online banking credentials. Since then, the botnet has grown into something much broader.

In 2017, a new version of the malware targeted niche financial institutions. A year later, a variant emerged that went after cryptocurrency accounts, and in 2019 it was harvesting email accounts in a phishing campaign.

The fellowship of the botnet

In March this year, the Ostap Trojan-downloader, which is used to deliver TrickBot, was detected running Covid-19 scams. As recently as October, the botnet was being used to distribute ransomware and other malware.

Microsoft partnered with the Financial Services Information Sharing and Analysis Center (FS-ISAC), Lumen Technologies' Black Lotus Labs, ESET, NTT (Nippon Telegraph and Telephone Corp.) and Symantec. Together, the companies studied the botnet and its activities in preparation for the takedown.

After gathering evidence, Microsoft obtained a court order that allowed it to disable the IP addresses of the command-and-control servers, make the content stored on those servers inaccessible, suspend all services to the botnet operators and block the operators from buying or leasing additional servers.

Copyright claims?

This is not the first time the software giant has gone after a botnet. In March, it succeeded in taking down the Necurs botnet.

The legal side becomes more interesting when one looks at the arguments the company put forward. Alongside the usual claims, the complaint included copyright claims, arguing that the TrickBot authors infringed Microsoft's copyright by incorporating its software code into their malware. This approach is an important development in Microsoft's efforts to curb the spread of malware through civil action.
