News Insights: Microsoft Uses Trademark Law to Disrupt Trickbot Botnet — Krebs on Security

Hugh Taylor |

Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks. However, it appears the operation has not completely disabled the botnet.

Microsoft Uses Trademark Law to Disrupt Trickbot Botnet — Krebs on Security

Saryu Nayyar
Saryu Nayyar, CEO, Gurucul

The coordinated effort to take down TrickBot shows that there is hope to counter malicious actors at scale. When organizations cooperate in support of everyone’s shared best interests, we can all benefit. But this is just a first step. It will take more to put a real dent in Cybercrime, starting with a solid security posture in our own environments, and ending with coordinated industry and law enforcement efforts to prosecute the attackers.


Chloé Messdaghi, VP of Strategy, Point3 Security

Microsoft has truly done an important service in thwarting Trickbot – it’s especially important because so many cities, towns and tribal jurisdictions across the US rely on outdated technology including systems that have reached effective end-of-life, meaning that vendors no longer issue patches and security updates, leaving them even more vulnerable to the kinds of ransomware attacks spread by Trickbot. It’s a great start but a new Gallup study finds that only 59% of Americans have full confidence in our election process and faith that our votes are going to be accurately tallied nationwide. Misinformation plays a serious role in this doubt. It’s an enormous problem that will almost certainly cause some suppression of votes. It’s imperative that the public and private sectors come together and work closely on this.  Also, our political parties must help by rejecting disinformation, because we’re now in an era when people don’t know what to trust. Near-real-time fact checking is urgently needed, as are greater reliance on open source technologies, a strong emphasis on vulnerability reporting programs and disclosure, and close collaboration with the hacker community.

At DefCon’s Voting Village (@VotingVillageDC), we saw hackers from around the world focusing on voting technologies to find and help fix vulnerabilities, and ensure that voting systems are safe. Hackers come at this with a zero trust mindset that informs our skepticism and strengthens our commitment to harden our systems – against ransomware, misinformation campaigns, and other types of threats.  Hackers – not to be confused with attackers – have an important role to play moving forward.


Suzanne Spaulding, Advisor and Former DHS Undersecretary, Nozomi Networks

The Microsoft take-down is an example of exactly the kind of whole-of-nation, even whole-of world, approach we need. The private sector working with government at all levels, including state and local governments who’ve been victims and multiple federal entities, including the courts, as well as international partners, all coming together to identify and disrupt the bad guys. Microsoft has done previous botnet take-downs but this one is particularly important in the midst of the 2020 election because ransomware is a threat that CISA Director Chris Krebs says keeps him up at night. If malicious actors were able to disrupt the election, by locking up voter registration databases or systems involved in vote tabulation or reporting, they could undermine public confidence in the legitimacy of the election.


Mr. Andrea Carcano, co-founder, Nozomi Networks

This isn’t the first time that Microsoft has leveraging trademark laws to chase down botnets operators, they used the tactic back in 2011 to takedown Rustock. IoT botnets are among the fastest growing categories of attacks, and Trickbot alone has impacted millions of computers. While botnet operators are using every trick in the book to expand their malicious activity, defenders for obvious reasons have to comply with the law when implementing the countermeasures. But as Microsoft’s actions show, this doesn’t mean that you cannot be creative with the technical and non-technical tools available. The beauty of this latest approach is that while defenders have to suffer the asymmetry of attackers operating behind the limits of the law, by taking the case to court, Microsoft gained a legal advantage to regain control.

In general, it can be quite challenging to disrupt the malicious activities of botnets. And Microsoft has a history of stepping up with aggressive countermeasures. In March, Microsoft called on its technical and legal partners in 35 countries to disrupt Necurs, a popular hybrid peer-to-peer botnet. By analyzing the algorithm Necurs used to systematically generate new domains, Microsoft was able to accurately predict the 6+ million unique domains that would be created within the next 25 months. Microsoft reported these domains to their respective registries worldwide, allowing the websites to be blocked and preventing them from becoming part of the Necurs infrastructure. By proactively getting in front of Necurs, Microsoft was able to significantly disrupted the botnet.

Trickbot Botnet
External Link: News Insights: Microsoft Uses Trademark Law to Disrupt Trickbot Botnet — Krebs on Security

Share this page:

Related Posts