October 24, 2020

Microsoft and law enforcement agencies destroyed the Trickbot botnet that infects millions of devices


The Microsoft Defender team recently published a blog post revealing that the company has worked with network operators and law enforcement agencies to take down a botnet that infects millions of devices.

The botnet, named Trickbot, is one of the most notorious in the world, and the operation team behind it also runs ransomware and other criminal businesses.

The researchers said that the botnet can covertly infect specific target devices and then deploy ransomware to encrypt and destroy large amounts of data.

Given how harmful it is, Microsoft announced that it would join forces with network operators and law enforcement agencies around the world to track down and dismantle this large-scale botnet.

Microsoft blocked botnet
Image: Microsoft

After tracking it, the Microsoft security team analyzed the botnet's infrastructure. From the tens of thousands of samples it captured, Microsoft also found that the botnet's operation team is constantly developing the malware.

The development team behind it continually upgrades and maintains the malware, and its constantly evolving modular design also supports a malware-as-a-service model.

In terms of malicious behavior, the most common service offered by this botnet is DDoS, in which millions of infected devices under its control send a flood of requests to the target IP.

This kind of malicious behavior is very common, but Trickbot also runs ransomware and sells access to infected devices to other hacking groups.

After completing the preliminary tracking and data analysis, Microsoft first applied to the U.S. District Court for the Eastern District of Virginia for a court order authorizing it to disable the network.

After obtaining the court's permission, Microsoft contacted network operators in the United States and major operators in other parts of the world to block connections to the botnet.

At present, the IP addresses and accounts associated with the botnet have been blocked by the operators, and the botnet's operators may not be able to rent other servers to restore their services.

Microsoft said that the botnet will gradually attempt to recover, but that it will continue to cooperate with operators to monitor and block the botnet's network connections.