US Cyber Command and Microsoft Are Both Disrupting TrickBot

Earlier this month, we learned that someone is disrupting the TrickBot botnet network.

Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.

On Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware.

But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471.
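As an added illustration (my own example, not part of the post or of the Intel 471 / Krebs analysis), here is the check an analyst watching bot telemetry would run on a freshly pushed configuration: parse the server list and flag every control-server entry that no bot on the public Internet could ever reach. The real push used 127.0.0.1; the check generalises to any non-routable address. The `<mcconf><servs><srv>IP:PORT</srv></servs></mcconf>` layout below is a simplified stand-in for the real config format, and both sample configs are constructed for this example.

```python
"""Added example, not part of the post or of the Intel 471 / Krebs analysis:
parse a TrickBot-style configuration and flag control servers that bots can
never reach from the public Internet, which is what a 127.0.0.1 entry is.

Assumption: the <mcconf><servs><srv>IP:PORT</srv></servs></mcconf> layout
below is a simplified stand-in for the real config, and both sample
configs are constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a "normal" config naming two routable servers.
NORMAL_CONFIG = """<mcconf>
  <ver>1000512</ver>
  <gtag>example1</gtag>
  <servs>
    <srv>203.0.113.10:443</srv>
    <srv>198.51.100.7:449</srv>
  </servs>
</mcconf>"""

# Constructed sample: the shape of the September 22 push, every server
# replaced with the loopback address.
POISONED_CONFIG = """<mcconf>
  <ver>1000513</ver>
  <gtag>example1</gtag>
  <servs>
    <srv>127.0.0.1:443</srv>
    <srv>127.0.0.1:449</srv>
  </servs>
</mcconf>"""

# Ranges that are never a usable public C2 endpoint. Listed explicitly
# rather than via ipaddress.is_global so that the RFC 5737 documentation
# ranges used in the samples are treated as routable.
DEAD_RANGES = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8",        # "this" network / unspecified
    "127.0.0.0/8",      # loopback, the address in the actual push
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, includes 255.255.255.255
)]


def parse_servers(config_xml):
    """Return the (ip, port) pairs listed under <servs>."""
    root = ET.fromstring(config_xml)
    servers = []
    for srv in root.iter("srv"):
        host, _, port = srv.text.strip().rpartition(":")
        servers.append((host, int(port)))
    return servers


def is_unreachable(ip_str):
    """True if no bot on the public Internet could ever connect to ip_str."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in DEAD_RANGES)


def classify_config(config_xml):
    """Return (version, server count, list of unreachable 'ip:port' entries)."""
    root = ET.fromstring(config_xml)
    version = root.findtext("ver")
    servers = parse_servers(config_xml)
    dead = [f"{h}:{p}" for h, p in servers if is_unreachable(h)]
    return version, len(servers), dead


def is_neutralised(config_xml):
    """A config neutralises the bot when it names no reachable server at all."""
    _, total, dead = classify_config(config_xml)
    return total > 0 and len(dead) == total


if __name__ == "__main__":
    for name, cfg in (("normal", NORMAL_CONFIG), ("poisoned", POISONED_CONFIG)):
        print(name, classify_config(cfg), "neutralised:", is_neutralised(cfg))
```

The explicit range list matters: a bot pointed at an RFC 1918 or link-local address is just as cut off as one pointed at loopback, so a detection keyed only on the literal string `127.0.0.1` would miss an equivalent push.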

A few days ago, the Washington Post reported that it’s the work of US Cyber Command:

U.S. Cyber Command’s campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter’s sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

The network is controlled by “Russian speaking criminals,” and the fear is that it will be used to disrupt the US election next month.

The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom’s activities to help protect the election against foreign threats, officials said.

Here’s General Nakasone talking about persistent engagement.

Microsoft is also disrupting Trickbot:

We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

[…]

We took today’s action after the United States District Court for the Eastern District of Virginia granted our request for a court order to halt Trickbot’s operations.

During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

To execute this action, Microsoft formed an international group of industry and telecommunications providers. Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world.

This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.

Brian Krebs comments:

In legal filings, Microsoft argued that Trickbot irreparably harms the company “by damaging its reputation, brands, and customer goodwill. Defendants physically alter and corrupt Microsoft products such as the Microsoft Windows products. Once infected, altered and controlled by Trickbot, the Windows operating system ceases to operate normally and becomes tools for Defendants to conduct their theft.”

This is a novel use of trademark law.

Posted on October 15, 2020 at 6:01 AM

Comments

Random Internet User October 15, 2020 7:30 AM

More like abuse of trademark law.

While it's great to take down these botnets (the fact that they were not successful is another story) it worries me that abuse of trademark and copyright will become accepted.

Like site blocking originally only going to be used to block child images and such, only for the technology to be used by everyone from Hollywood to watch makers, botnets are the start as it seems acceptable to use against them.

Trademark and copyright law are so ridiculous now and no doubt with Mickey Mouse coming out of copyright…again…in a year or two, lobbying will be done to extend or change the law to keep Disney rich.

Both trademark and copyright law need a reboot.

Clive Robinson October 15, 2020 8:52 AM

@ Bruce, ALL,

This is a novel use of trademark law.

To put it mildly…

Once it is legally accepted and established, then it can be used to stop any software Microsoft chooses to not have run on your computer that has an MS OS on it.

In the past MicroSoft has resorted to very underhanded and illegal techniques to stop other software such as Web Browsers and has paid large fines in the process (and is still doing so).

Thus there is every reason to think that they will now use this new weapon the court has added to their armory to carry on with their same underhanded techniques.

Clive Robinson October 15, 2020 9:23 AM

@ Bruce,

This grabbed my attention,

“But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address”

It begs the question as to “how?” was it pushed. I’ve not been able to find out and as the old saying has it “nobody’s talking”.

But let's take a sideways look and see how it might be done.

First off this bot has been running one way or another for quite some time, and its control structure is known to be very decentralized. Further those who rate these things put forward the argument that those in charge are technically sophisticated and skilled.

Thus you would expect them to be knowledgeable about authentication and code signing.

Lets assume for the moment they use some form of code signing on their command updates.

What would a third party have to do to send out a fake command update with the “localhost” IP address and have the bot software act on it?

Well either break or fake a valid signature or exploit some software weakness in the bot software.

Assuming it was not the latter then the two possibilities are,

1, Break a PubKey system by the equivalent of finding the private key

2, Using an old valid command find a collision for a new payload.

Hence my curiosity about how the bot software works and the method used to get around any command authentication system.
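As an added example (my own code, not the commenter's and not anything known about TrickBot's real update mechanism), the two routes listed above can be made concrete with a toy signed-config scheme. The operator signs each configuration; a third party who wants bots to accept a 127.0.0.1 config must either recover the signing key or find another message that hashes to the same value as an already-signed one. Textbook RSA with a 33-bit modulus and a 16-bit truncated digest is used so that both attacks finish in well under a second; with real key and hash sizes neither is feasible, which is the whole point of the question. Key sizes, sample configs and function names are all assumptions.

```python
"""Added example, not from the post or any commenter: a toy model of the
command-signing question. Textbook RSA (no padding) over a truncated
SHA-256 digest, deliberately sized so that both attacks succeed quickly.
"""
import hashlib
from math import isqrt

HASH_BITS = 16          # deliberately tiny; a real scheme uses the full 256 bits
E = 65537

# Constructed sample configs: the operator's genuine one and the forgery.
GOOD_CONFIG = b"<mcconf><servs><srv>203.0.113.10:443</srv></servs></mcconf>"
FORGED_CONFIG = b"<mcconf><servs><srv>127.0.0.1:443</srv></servs></mcconf>"


def make_keypair(p, q, e=E):
    """Textbook RSA keypair from two primes: pub=(n, e), priv=(n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def digest(msg):
    """Truncated SHA-256 as an integer in [0, 2**HASH_BITS)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - HASH_BITS)


def sign(priv, msg):
    n, d = priv
    return pow(digest(msg), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg)


def recover_private_key(pub):
    """Attack 1: factor n by trial division and derive d from the factors.
    Feasible here only because n is 33 bits; real keys are 2048+ bits."""
    n, e = pub
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            p, q = cand, n // cand
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("modulus has no small factor")


def second_preimage(signed_msg, forged_prefix, limit=1 << 22):
    """Attack 2: vary a junk suffix on the forged config until its digest
    equals that of an already-signed message, so the old signature verifies
    on the new payload. Expected work is 2**HASH_BITS attempts."""
    want = digest(signed_msg)
    for counter in range(limit):
        cand = forged_prefix + b"<!-- pad %d -->" % counter
        if digest(cand) == want:
            return cand
    return None


# 104723 and 104729 are the 9999th and 10000th primes.
PUB, PRIV = make_keypair(104723, 104729)
GOOD_SIG = sign(PRIV, GOOD_CONFIG)

if __name__ == "__main__":
    print("genuine config verifies:", verify(PUB, GOOD_CONFIG, GOOD_SIG))
    print("forged config with old sig:", verify(PUB, FORGED_CONFIG, GOOD_SIG))
    stolen = recover_private_key(PUB)
    print("attack 1, signed with recovered key:",
          verify(PUB, FORGED_CONFIG, sign(stolen, FORGED_CONFIG)))
    padded = second_preimage(GOOD_CONFIG, FORGED_CONFIG)
    print("attack 2, padded forgery under old sig:",
          padded is not None and verify(PUB, padded, GOOD_SIG))
```

Both attacks scale with the parameter the defender controls: trial division is hopeless against a 2048-bit modulus, and the suffix search against a full 256-bit digest would take on the order of 2^256 attempts. The third route, a bug in the bot's parser that lets an update through without any verification at all, is the one this model cannot show and is usually the cheapest in practice.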

Mike K October 15, 2020 9:46 AM

I suppose it makes sense for Microsoft to be able to use copyright and claims related to damage of reputation, since malware is essentially exploiting bugs to covertly modify the windows OS itself.

This does not mean that Microsoft could successfully pursue the same idea against other legitimate software programs, even if MS wanted;

Presumably developers of software applications designed to be deliberately installed would be forthright in disclosing what the software will do through accompanying documentation and on-screen prompts within software.

Even if for some reason legitimate 3rd party software had to make modifications to Windows not authorized by Microsoft: those programs could be expected to disclose the fact that they are doing so, and the conditions associated with it, which ought to make it fair use and avoid MS having anything to say about it.

The issue with malware is that its operation is completely covert in making unauthorized changes, and the hidden nature makes operation of malware come to appear to be a native behavior of the system – covertly changing somebody else’s creation to make it harmful and trying to pass it off as if nothing changed is not a legitimate fair use or dealing, and distributing programs the user can deliberately choose to run that disclose their operation and obtain consent for changes to the system before making them is a completely different animal.

Withheld October 15, 2020 10:54 AM

In a reply to Clive’s question of “how”.

I used to work for Windows security. The mantra there was “Users who buy Windows trust us to be their IT administrator.” Inside Windows, there are several reserve mechanisms for looking into a particular computer, running software silently on a specific computer, pushing updates to a particular computer. For the most part outside of National coordination, these kinds of capabilities are only used to support the business, and the changes are done to groups of computers by region or by set of systems affected by a specific bug. In this case the security team either already had telemetry related to the malware or updated every suspected machine to collect additional telemetry related to the malware. Then they launched some processes to push silent changes to each of the machines in question. Another possible route, if the change is not damaging to normal users, is that they could have silently pushed the changes to every Windows computer in a less targeted fashion.

There were debates among staff about whether having these abilities was okay, but after a certain rung of the business the mantra is what would win out. That said, the debate wasn’t that robust either.

JonKnowsNothing October 15, 2020 10:55 AM

@Clive @All

re: This grabbed my attention,
“But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address”

It begs the question as to “how?” was it pushed.

There were two pushes of the altered config file per the Krebs article. First reported on Sept. 22, 2020, then there was a second push on Oct. 1, 2020.

If there was one overarching master config that could have spammed the entire botnet one might think there would be no need for a second hit on it.

Either the botnet is segmented requiring different configs for each segment or the bot-owners blocked the attack.

If the bot-owners blocked the first attack from spreading through their entire system, why did they leave it in a vulnerable state for the second push.

More questions.

SocraticGadfly October 15, 2020 11:06 AM

Agree with others. This isn’t a good use of copyright law.

Oh?

Buy a Mac.

Or a Linux box.

Phaete October 15, 2020 11:56 AM

Some more info on the inner workings of Trickbot.

hxxps://www.sneakymonkey.net/2019/05/22/trickbot-analysis/

hxxps://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/

C2 comms seems to be mostly EMPIRE.

Mr H. October 15, 2020 12:09 PM

@Mr. Schneier, @all
Mr. Schneier, I would like to express my respect and gratitude to you for allowing me to be your guest here on this (YOUR) property/blog. I also thank you for “being there” for all of us, the whole World, when it comes to the ENLIGHTENING part, and for IMPROVING the security and the QUALITY of LIFE for many of us who are very GRATEFUL and feel privileged and blessed for having you in our lives, daily! Thank you from the bottom of my heart.

I have said this because I will no longer be posting here because INFORMATION IS MONEY and I will no longer give it for free. There’s something in it for you but not for me.

For the common good of human race, I will now disclose to the world how this “stuff” is being planted onto Windows PCs and how all the unsuspecting sheeple are being tricked into installing FREE Windows 7 Extended Updates (which as of beginning of 2020 have to be PAID for to Microsoft). As you know, (some, probably most of ya here) these Extended Updates cost I believe $100 first year (Per Host/license/product key) and they go up the second year, and cost even more the third year. There are some guys out there offering these updates for FREE. NOTHING is for free.

Here’s a link to the forum/site where you can download FREE updates and if you’re into reverse-engineering like me, you’ll find out that these updates, after being applied to your W7 PC, will “make you a member of a special club” (THE BOTNET).

https://www.deskmodder.de/blog/2020/10/14/windows-7-esu-updates-kb4580345-kb4580387-oktober-update-funktionieren-weiterhin-mit-dem-bypass-v9/

(German is just way too much FUN!)

I will keep lurking and reading, but post I shall not again.

God bless you Mr. Schneier and thank you for allowing me to post here.

TRX October 15, 2020 10:34 PM

In the past MicroSoft has resorted to very underhanded and illegal techniques

Anyone else remember the Microsoft “licensing raids” with Microsoft security goons backed up by police? They were technically legal, since the judges accepted an accusation by Microsoft as reasonable cause and signed the warrants.

[clickety] Looks like Microsoft is still doing that, just mostly outside the USA now.

Ismar October 16, 2020 2:52 AM

Amazing,
It takes a coordinated effort of a software giant + a large government agency to undo work done by a handful of skilled hackers.
Not very sustainable if you ask me

1&1~=Umm October 16, 2020 3:41 AM

@Ismar:

“… effort of a software giant + a large government agency to undo work done by a handful of skilled hackers.”

Ahhh “Job Creation” at work.

Also MicroSoft get to bend the law in their favour, free ‘good guy’ propaganda and much else besides. Likewise the Government Agency, gets publicity that is going to help come budget time to loosen the purse strings.

As for the ‘handful of skilled hackers’, were they really inconvenienced?

The way it reads the hackers were only fractionally affected and were back in operation within a couple of days.

Which is way faster than MicroSoft generally fixes their software faults and specification failings.

1&1~=Umm October 16, 2020 4:44 AM

@Phaete:

“Some more info on the inner workings of Trickbot.”

The basic recommendation made in Part II to ‘segregate more’ to prevent lateral movement is the most sensible piece of advice that can be most easily followed by many organisations.

The question becomes ‘How far to segregate?’ as Microsoft’s products are way more difficult to harden than they should be. It makes the logical conclusion of ‘turn into Bastion Hosts’ difficult to near impossible. So the other end of the line is ‘Segregate from all external connections’.

The general issue is ‘connectivity’: if the attackers cannot see or reach your machines then their ability to attack them remotely becomes near impossible. So they would have to go via an intentional or unintentional insider attack.

That is they would have to,

1) Suborn a suitably placed employee.

2) Somehow trick an employee to upload the required attack code off of a USB thumb drive or similar memory device.

As those suspected of being behind this are Russians protected by the Russian Government whilst in Russia, it is unlikely that they are going to switch from ‘remote semi-targeted’ to ‘local direct targeted’ operation, as this would put them at significant risk.

So wherever possible segregating the organisation's computers not just from each other to minimise lateral movement but also from external communications to minimise or remove remote attack vectors would appear to be a sensible policy.

However ‘The making money desire’ all too frequently overrides many risk reducing ‘sensible policies’.

SpaceLifeForm October 16, 2020 2:28 PM

@ Clive, All

TradeMark != Copyright

It starts with a phish.

A phish that references Microsoft is all they needed for Trademark ruling.

Emotet involved.

I believe the bot, while distributed, is also multi-level.

But, I doubt there is code-signing between levels.

So, you temporarily seize a server that is not a low-level leaf.

Clone it. Allow original server to go back live on net. Those in control see a temporary outage. They believe all is good.

Poison the cloned server.

Put on net.

Globally coordinate BGP poison.

Bob's your uncle.

xcv October 16, 2020 4:22 PM

@ SpaceLifeForm • October 16, 2020 2:28 PM

@ Clive, All

TradeMark != Copyright

Sure it is. It all falls under the umbrella category of “intellectual property.”

There’s a “boss” or head of the department at the workplace who in collaboration with family, community, and concerned neighbors and friends can always have you committed to a mental hospital and revoke your gun rights for life if you think to infringe on corporate intellectual property.

That’s the right of any business or corporation with “human resources” as assets on its books.

Sancho_P October 16, 2020 4:49 PM

Um.
Mi$o only changed the malware’s C&C-IP (Command and Control)?
So the malware is still in?
-> OK, that is part of the OS itself, ready to be exploited by “the good ones”.
“They” would change that IP again to “theirs” and there you go.

So what they wrote is the official statement that:
No Win computer connected to internet can be secured because of Mi$o’s code and copyright.

But how come Win systems accept any OS update from other IPs as from designated Mi$o C&Cs:
-> What’s called OS is an app, that’s the simple cause of the problem.

And in a broader form that means:
Any device capable of direct SW update over the internet is insecure and may be exploited.
(Mac Linux, I’m looking at you!)

PubKey and code signing attacks are for the minor criminals.
Yep, BGP is the access for “the good ones”.
https://en.wikipedia.org/wiki/Border_Gateway_Protocol

TRX October 16, 2020 7:33 PM

coordinated effort

Back in the days before the WWW, a security guy said “It is hard to defend against a highly distributed enemy.”

Thirty-odd years later, that still applies.

Clive Robinson October 17, 2020 12:30 AM

@ TRX,

a security guy said “It is hard to defend against a highly distributed enemy.”

More people die a year from insect bites than swords… and always have done.

And the much smaller SARS-CoV-2 and the slightly larger pneumonia bacteria will kill an even greater number still, and its year is still only 2/3rds run…

It would appear that small and highly distributed, does not need brains to have an effective strategy…
