Microsoft announced legal action Monday seeking to disrupt a major cybercrime digital network that uses more than one million zombie computers to loot bank accounts and spread ransomware, which experts consider a major threat to the US presidential election.
The operation to knock offline command-and-control servers for a global botnet that uses an infrastructure known as Trickbot to infect computers with malware was initiated with an order that Microsoft obtained in Virginia federal court on October 6. Microsoft argued that the crime network is abusing its trademark.
“It is very hard to tell how effective it will be but we are confident it will have a very long-lasting effect,” said Jean-Ian Boutin, head of threat research at ESET, one of several cybersecurity firms that partnered with Microsoft to map the command-and-control servers.
“We’re sure that they are going to notice and it will be hard for them to get back to the state that the botnet was in.”
Cybersecurity experts said that Microsoft’s use of a US court order to persuade internet providers to take down the botnet servers is laudable. But it will be difficult to achieve because too many won’t comply and because Trickbot’s operators have a decentralized fall-back system and employ encrypted routing.
Paul Vixie of Farsight Security said via email “experience tells me it won’t scale — there are too many IP’s behind uncooperative national borders.” And the cybersecurity firm Intel 471 reported no significant hit on Trickbot operations Monday and predicted ”little medium- to long-term impact” in a report shared with The Associated Press.
But ransomware expert Brett Callow of the cybersecurity firm Emsisoft said that a temporary Trickbot disruption could, at least during the election, limit attacks and prevent the activation of ransomware on systems already infected.
The announcement follows a Washington Post report Friday of a major — but ultimately unsuccessful — effort by the US military’s Cyber Command to dismantle Trickbot beginning last month with direct attacks rather than asking providers to deny hosting to domains used by command-and-control servers.