Microsoft Takes Down Massive Botnet Before 2020 Elections

A building on the Microsoft campus in Redmond, Washington in 2014.
Photo: Stephen Brashear (Getty Images)

Microsoft has obtained a court order to seize servers the company says are part of the Trickbot botnet ahead of the 2020 elections, the Washington Post reported on Monday.

Microsoft vice president of customer security and trust Tom Burt told the Post the botnet poses a “theoretical but real” threat to election security, as it is known to be run by Russian-speaking criminals and could be used to launch ransomware attacks. Ransomware is a type of malware that hijacks computer networks and typically holds the data hostage in exchange for some kind of payment—although attackers could simply forgo the ransom element and permanently lock users out of their own computers. While a ransomware attack on voting machines, election officials, or political campaigns would be unprecedented, gangs of cybercriminals have targeted municipal and state governments, as well as large institutions like hospitals, in recent years.

Microsoft wrote in a blog post that observing computers infected by Trickbot allowed it to determine how the compromised devices talked to each other and how they attempted to obfuscate those communications. This analysis also allowed the company to identify the IP addresses of the command and control servers which distribute and direct Trickbot.

On Monday, the company obtained a restraining order against eight U.S. service providers, citing Trickbot’s infringement of Microsoft trademarks. That in turn allowed it to take those IP addresses offline, rendering the estimated 1 million Trickbot-infected devices useless and irrecoverable to those running the botnet. Per the blog post:

As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval

Microsoft thwarts massive botnet that could have targeted elections

  • Microsoft announced Monday that it had taken action to significantly disrupt Trickbot, one of the most notorious bot networks that could have been used to target elections infrastructure.
  • Trickbot was previously used to distribute ransomware, which experts and government officials warned posed a serious threat to elections and could have been used to target polling places’ computer systems.
  • Microsoft got permission from a federal court to take over the IP addresses associated with Trickbot’s servers in order to quash the network, which the company said is a “new legal approach.”

Microsoft has quashed a sprawling network of bots that could have been used to target voting infrastructure ahead of the Nov. 3 election, it said on Monday.

The company disrupted servers that were used to run Trickbot, a notorious botnet that has been used to deploy ransomware. Ransomware attacks against local governments have become increasingly common, and experts have warned that a ransomware attack targeting elections offices could cause chaos on election day.

Microsoft said it was able to stamp out Trickbot after it obtained a court order granting permission to take control of the servers that hosted the botnet, and worked with telecom companies to quash the botnet. The action comes after the US military escalated its efforts to take down Trickbot earlier this month.

“We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft vice president of security Tom Burt wrote in a blog post on the matter.

Trickbot had used malicious code to infect more than a million devices across the globe. The hackers behind the botnet would sell their services to other hackers, using the bots to deploy Ryuk ransomware

Microsoft attempts takedown of global criminal botnet

Microsoft announced legal action Monday seeking to disrupt a major cybercrime digital network that uses more than 1 million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the U.S. presidential election.

The operation to knock offline command-and-control servers for a global botnet that uses an infrastructure known as Trickbot to infect computers with malware was initiated with a court order Microsoft obtained in Virginia federal court on Oct. 6. Microsoft argued that the crime network is abusing its trademark.

“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers. “We’re sure that they are going to notice and it will be hard for them to get back to the state that the botnet was in.”

Cybersecurity experts said that while Microsoft’s use of a U.S. court order to persuade internet providers to take down the botnet servers is laudable, it’s not apt to be successful because too many won’t comply.

Paul Vixie of Farsight Security said via email “experience tells me it won’t scale — there are too many IP’s behind uncooperative national borders.”

The announcement follows a Washington Post report Friday of a major — but ultimately unsuccessful — effort by U.S. Cyber Command to dismantle Trickbot beginning last month with direct attacks rather than asking online services to deny hosting to domains used by command-and-control servers.

A U.S. policy called “persistent engagement” authorizes U.S. cyberwarriors to engage hostile hackers in cyberspace and disrupt their operations with code, something Cybercom did against Russian misinformation jockeys during U.S. midterm elections in 2018.

Created in 2016 and used

Court Orders Seizure of Ransomware Botnet Controls as U.S. Election Nears

SAN FRANCISCO (Reuters) – Microsoft said Monday it had used a court order to take control of computers that were installing ransomware and other malicious software on local government networks and threatening to disrupt the November election.

The maker of the Windows operating system said it seized a series of internet protocol addresses hosted by U.S. companies that had been directing activity on computers infected with Trickbot, one of the most common pieces of malware in the world.

More than a million computers have been infected with Trickbot, and the operators use the software to install more pernicious programs, including ransomware, for both criminal groups and national governments that pay for the access, researchers said.

Trickbot has shown up in a number of public governments, which could be hurt worse if the operators encrypt files or install programs that interfere with voter registration records or the display and public reporting of election results, Microsoft said.

“Ransomware is one of the largest threats to the upcoming election,” said Microsoft Corporate Vice President Tom Burt. Among other programs, Trickbot has been used to deliver Ryuk ransomware, which has been blamed in attacks on the city of Durham, N.C., and hospitals during the COVID-19 pandemic.

Microsoft worked with Broadcom’s Symantec, security firm ESET and other companies to dissect Trickbot installations and trace them to the command addresses, the companies said. Microsoft for the first time used strict provisions in copyright law to convince a federal judge in the Eastern District of Virginia that since Trickbot used Microsoft code, the company should be able to seize the operator’s infrastructure from their unknowing hosting providers.

The seizure follows mechanical attempts to disrupt Trickbot last week by sending the operators bad information, researchers said. The Washington Post reported that U.S. Cyber Command was behind that effort,

Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election

The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom’s activities to help protect the election against foreign threats, officials said.

“Right now, my top priority is for a safe, secure, and legitimate 2020 election,” Nakasone said in August in a set of written responses to Washington Post questions. “The Department of Defense, and Cyber Command specifically, are supporting a broader ‘whole-of-government’ approach to secure our elections.”

Trickbot is malware that can steal financial data and drop other malicious software onto infected systems. Cyber criminals have used it to install ransomware, a particularly nasty form of malware that encrypts users’ data and for which the criminals then demand payment — usually in cryptocurrency — to unlock.

Brian Krebs, who writes the blog KrebsonSecurity, first reported on the existence of the operation. Cyber Command’s role was previously unreported. The command declined to comment.

Department of Homeland Security Officials fear that a ransomware attack on state or local voter registration offices and related systems could disrupt preparations for Nov. 3 or cause confusion or long lines on Election Day. They also note that ransomware is a major threat beyond elections.

Trickbot was used last month in a damaging attack against a major health-care provider, Universal Health Services, whose systems were locked up by the ransomware known as Ryuk. The attack forced personnel to resort to manual systems and paper records, according to reports. UHS runs more than 400 facilities across the United States and Britain. Some patients reportedly were rerouted to other emergency rooms and experienced delays in getting test results.

On Sept. 22, cyber threat researchers who monitor the Trickbot network noticed