US Cyber Command and Microsoft Are Both Disrupting TrickBot

Earlier this month, we learned that someone is disrupting the TrickBot botnet network.

Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.

On Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware.

But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471.

A few days ago, the Washington Post reported that it’s the work of US Cyber Command:

U.S. Cyber Command’s campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter’s sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

The network is controlled by “Russian speaking criminals,” and the fear is that it will be used to disrupt the US election next month.

The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom’s activities to help protect the election against foreign threats, officials said.

Here’s General Nakasone talking about persistent engagement.

Microsoft is also disrupting Trickbot:

We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

[…]

We took today’s action after the United States District Court for the Eastern District of Virginia granted our request for a court order to halt Trickbot’s operations.

During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

To execute this action, Microsoft formed an international group of industry and telecommunications providers. Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world.

This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.

Brian Krebs comments:

In legal filings, Microsoft argued that Trickbot irreparably harms the company “by damaging its reputation, brands, and customer goodwill. Defendants physically alter and corrupt Microsoft products such as the Microsoft Windows products. Once infected, altered and controlled by Trickbot, the Windows operating system ceases to operate normally and becomes tools for Defendants to conduct their theft.”

This is a novel use of trademark law.

Tags: , ,

Posted on October 15, 2020 at 6:01 AM33 Comments

Comments

Random Internet User October 15, 2020 7:30 AM

More like abuse of trademark law.

While its great to take down these botnets (the fact that they were not successful is another story) it worries me that abuse of trademark and copyright will become accepted.

Like site blocking originally only going to be used to block child images and such, only for the technology to be used by everyone from Hollywood to watch makers, botnets are the start as it seems acceptable to use against them.

Trademark and copyright law are so ridiculous now and no doubt with Mickey mouse coming out of copyright…again…in a year a too, lobbying will be done to extend or change the law to keep Disney rich.

Both trademark and copyright law need a reboot.

Clive Robinson October 15, 2020 8:52 AM

@ Bruce, ALL,

This is a novel use of trademark law.

To put it mildly…

Once it is legaly accepted and established, then it can be used to stop any software Microsoft choses to not have run on your computer that has an MS OS on it.

In the past MicroSoft has resorted to very underhanded and illegal techniques to stop other software such as Web Browsers and has paid large fines in the process (and is still doing so).

Thus there is every reason to think that they will now use this new weapon the court has added to their armory to carry on with their same underhanded techniques.

Clive Robinson October 15, 2020 9:23 AM

@ Bruce,

This grabbed my attention,

“But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address”

It begs the question as to “how?” was it pushed. I’ve not been able to find out and as the old saying has it “nobody’s talking”.

But lets take a sidways look and see how it might be done.

First off this bot has been running one way or another for quite sone time, and it’s control structure is known to be very decentralized. Further those who rate these things put forward the argument that those in charge are technically sophisticated and skilled.

Thus you would expect them to be knowledgeable about authentication and code signing.

Lets assume for the moment they use some form of code signing on their command updates.

What would a third party have to do to send out a fake command update with the “localhost” IP address and have the bot software act on it?

Well either break or fake a valid signiture or exploit some software weakness in the bot software.

Assuming it was not the latter then the two possibilities are,

1, Break a PubKey system by the equivalent of finding the private key

2, Using an old valid command find a collision for a new payload.

Hence my curiosity about how the bot software works and the method used to get around any command authentication system.

Mike K October 15, 2020 9:46 AM

I suppose it makes sense for Microsoft to be able to use copyright and claims related to damage of reputation, since malware is essentially exploiting bugs to covertly modify the windows OS itself.

This does not mean that Microsoft could successfully pursue the same idea against other legitimate software programs, even if MS wanted;

Presumably developers of software applications designed to be deliberately installed would be forthright in disclosing what the software will do through accompanying documentation and on-screen prompts within software.

Even if for some reason legitimate 3rd party software had to make modifications to Windows not unauthorized by Microsoft: those programs could be expected to disclose the fact that they are doing so, and the conditions associated with it, Which ought to make it fair use and avoid MS having anything to say about it.

The issue with malware is that its operation is completely covert in making unauthorized changes, and the hidden nature makes operation of malware come to appear to be a native behavior of the system – covertly changing somebody else’s creation to make it harmful and trying to pass it off as if nothing changed is not a legitimate fair use or dealing, and distributing programs the user can deliberately choose to run that disclose their operation and obtain consent for changes to the system before making them is a completely different animal.

Withheld October 15, 2020 10:54 AM

In a reply to Clive’s question of “how”.

I used to work for Windows security. The mantra there was “Users who buy Windows trust us to be their IT administrator.” Inside Windows, there are several reserve mechanisms for looking into a particular computer, running software silently on a specific computer, pushing updates to a particular computer. For the most part outside of National coordination, these kinds of capabilities are only used to support the business, and the changes are done to groups of computers by region or by set of systems affected by a specific bug. In this case the security team either already had telemetry related to the malware or updated every suspected machine to collect additional telemetry related to the malware. Then they launches some processes to push silent changes to each of the machines in question. Another possible route, if the change is not damaging to normal users, is that they could have silently pushed the changes to every Windows computer in a less targeted fashion.

There were debates among staff about whether having these abilities was okay, but after a certain rung of the business the mantra is what would win out. That said, the debate wasn’t that robust either.

JonKnowsNothing October 15, 2020 10:55 AM

@Clive @All

re: This grabbed my attention,
But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a localhost address

It begs the question as to how? was it pushed.

There were two pushes of the altered config file per the Krebs article. First reported on Sept. 22, 2020, then there was a second push on Oct. 1, 2020.

If there was one overarching master config that could have spammed the entire botnet one might think there would be no need for a second hit on it.

Either the botnet is segmented requiring different configs for each segment or the bot-owners blocked the attack.

If the bot-owners blocked the first attack from spreading through their entire system, why did they leave it in a vulnerable state for the second push.

More questions.

SocraticGadfly October 15, 2020 11:06 AM

Agree with others. This isn’t a good use of copyright law.

Oh?

Buy a Mac.

Or a Linux box.

Phaete October 15, 2020 11:56 AM

Some more info on the inner workings of Trickbot.

hxxps://www.sneakymonkey.net/2019/05/22/trickbot-analysis/

hxxps://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/

C2 comms seems to be mostly EMPIRE.

Mr H. October 15, 2020 12:09 PM

@Mr. Schneier, @all
Mr. Schneier, I would like to express my respect and gratitude to you for allowing me to be your guest here on this (YOUR) property/blog. I also thank you for “being there” for all of us, the whole World, when it comes to the ENLIGHTENING part, and for IMPROVING the security and the QUALITY of LIFE for many of us who are very GRATEFUL and feel privileged and blessed for having you in our lives, daily! Thank you from the bottom of my heart.

I have said this because I will no longer be posting here because INFORMATION IS MONEY and I will no longer give it for free. There’s something in it for you but not for me.

For the common good of human race, I will now disclose to the world how this “stuff” is being planted onto Windows PCs and how all the unsuspecting sheeple is being tricked into installing FREE Windows 7 Extended Updates (which as of beginning of 2020 have to be PAID for to Microsoft). As you know, (some, probably most of ya here) these Extended Updates cost I believe $100 first year (Per Host/license/product key) and they go up the second year, and cost even more the third year. There are some guys out there offering these updates for FREE. NOTHING is for free.

Here’s a link to the forum/site where you can download FREE updates and if you’re into reverse-engineering like me, you’ll find out that these updates, after being applied to your W7 PC, will “make you a member of a special club” (THE BOTNET).

https://www.deskmodder.de/blog/2020/10/14/windows-7-esu-updates-kb4580345-kb4580387-oktober-update-funktionieren-weiterhin-mit-dem-bypass-v9/

(Deutsch ist einfach viel zuviel SPASS!)

I will keep lurking and reading, but post I shall not again.

God bless you Mr. Schneier and thank you for allowing me to post here.

TRX October 15, 2020 10:34 PM

In the past MicroSoft has resorted to very underhanded and illegal techniques

Anyone else remember the Microsoft “licensing raids” with Microsoft security goons backed up by police? They were technically legal, since the judges accepted an accusation by Microsoft as reasonable cause and signed the warrants.

[clickety] Looks like Microsoft is still doing that, just mostly outside the USA now.

Ismar October 16, 2020 2:52 AM

Amazing,
It takes a coordinated effort of a software giant + a large government agency to undo work done by a handful of skilled hackers.
Not very sustainable if you ask me

1&1~=Umm October 16, 2020 3:41 AM

@Ismar:

“… effort of a software giant + a large government agency to undo work done by a handful of skilled hackers.”

Ahhh “Job Creation” at work.

Also MicroSoft get to bend the law in their favour, free ‘good guy’ propaganda and much else besides. Likewise the Government Agency, gets publicity that is going to help come budget time to loosen the purse strings.

As,for the ‘handful of skilled hackers’ were they realy inconvenienced?

The way it reads the hackers were only fractionaly effected and were back in operation within a couple of days.

Which is way faster than MicroSoft generally fixes their software faults and specification failings.

1&1~=Umm October 16, 2020 4:44 AM

@Phaete:

“Some more info on the inner workings of Trickbot.”

The basic recomendation made in Part II to ‘segregate more’ to prevent lateral movment is the most sensible piece of advice that can be most easily followed by many organisations.

The question becomes ‘How far to segregate?’ as Microsoft’s products are way more difficult to harden than they should be. It makes the logical conclusion of ‘turn into Bastion Hosts’ difficult to near impossible. So the other end of the line is ‘Segregate from all external connections’.

The general issue is ‘connectivity’ if the attackers can not see or reach your machines then their ability to attack them remotely becomes near impossible. So they would have to go via an intentional or unintentional insider attack.

That is they would have to,

1) Suborn a suitably placed employee.

2) Somehow trick an employee to upload the required attack code off of a USB thumb drive or similar memory device.

As those suspected of being behind this are Russian’s protected by the Russian Government whilst in Russia. It is unlikely that they are going to switch from ‘remote semi-targeted’ to ‘local direct targeted’ operation, as this would put them at significant risk.

So where ever possible segregating the organisations computers not just from each other to minimise lateral movment but also external communications to minimise or renove remote attack vectors would appear to be a sensible policy.

However ‘The making money desire’ all to frequently overrides many risk reducing ‘sensible policies’.

SpaceLifeForm October 16, 2020 2:28 PM

@ Clive, All

TradeMark != Copyright

It starts with a phish.

A phish that references Microsoft is all they needed for Trademark ruling.

Emotet involved.

I believe the bot, while distributed, is also multi-level.

But, I doubt there is code-signing between levels.

So, you temporarily seize a server that is not a low-level leaf.

Clone it. Allow original server to go back live on net. Those in control see a temporary outage. They believe all is good.

Poison the cloned server.

Put on net.

Globaly coordinate BGP poison.

Bobs your uncle.

xcv October 16, 2020 4:22 PM

@ SpaceLifeForm • October 16, 2020 2:28 PM

@ Clive, All

TradeMark != Copyright

Sure it is. It all falls under the umbrella category of “intellectual property.”

There’s a “boss” or head of the department at the workplace who in collaboration with family, community, and concerned neighbors and friends can always have you committed to a mental hospital and revoke your gun rights for life if you think to infringe on corporate intellectual property.

That’s the right of any business or corporation with “human resources” as assets on its books.

Sancho_P October 16, 2020 4:49 PM

Um.
Mi$o only changed the malware’s C&C-IP (Command and Control)?
So the malware is still in?
-> OK, that is part of the OS itself, ready to be exploited by “the good ones”.
“They” would change that IP again to “theirs” and there you go.

So what they wrote is the official statement that:
No Win computer connected to internet can be secured because of Mi$o’s code and copyright.

But how come Win systems accept any OS update from other IPs as from designated Mi$o C&Cs:
-> What’s called OS is an app, that’s the simple cause of the problem.

And in a broader form that means:
Any device capable of direct SW update over the internet is insecure and may be exploited.
(Mac Linux, I’m looking at you!)

PubKey and code signing attacks are for the minor criminals.
Yep, BGP is the access for “the good ones”.
https://en.wikipedia.org/wiki/Border_Gateway_Protocol

TRX October 16, 2020 7:33 PM

coordinated effort

Back in the days before the WWW, a security guy said “It is hard to defend against a highly distributed enemy.”

Thirty-odd years later, that still applies.

Clive Robinson October 17, 2020 12:30 AM

@ TRX,

a security guy said “It is hard to defend against a highly distributed enemy.”

More people die a year from insect bites than swords… and always have done.

And the much smaller SARS-CoV-2 and the slightly larger pneumonia bacteria will kill an even greater number still and it’s years still only 2/3rds run…

It would appear that small and highly distributed, does not need brains to have an effective strategy…

xcv October 20, 2020 7:01 PM

This is a novel use of trademark law.

That is disconcerting to me in and of itself.

https://www.foxnews.com/politics/lawmakers-doj-antitrust-lawsuit-google
“Today’s lawsuit is the most important antitrust case in a generation,” Sen. Josh Hawley, R-Mo., said in a statement. “Google and its fellow Big Tech monopolists exercise unprecedented power over the lives of ordinary Americans, controlling everything from the news we read to the security of our most personal information. And Google in particular has gathered and maintained that power through illegal means.”

https://www.cnbc.com/2020/10/20/tim-wu-dojs-google-lawsuit-almost-an-exact-copy-of-microsoft-case.html
“The challenge I think for this suit is even though I think they chose their best lawsuit, it’s almost an exact copy of the Microsoft case they won in the ’90s,” said Wu, who is credited with coining the term “net neutrality.” He has taught at Columbia Law School since 2006 and has worked at the Federal Trade Commission, including when it conducted a probe of Google that resulted in no charges in 2013.

The crooks running the Trickbot botnet

Here we have to include the Big Tech cártel bosses who force consumers to submit to proprietary operating systems with lax or non-existent “security” choices for end-users who value privacy and security for banking, online shopping, or other purposes.

Clive Robinson October 20, 2020 9:13 PM

@ xcv,

That is disconcerting to me in and of itself.

And so it should.

The technique being employed is to move the balance point little by little using case law.

Basically by selectively puting cases infront of slightly compliant judges, you get a ruling handed down. You then use this rulling as part of thr argument in the next selected case, which produces a ruling even more favourable to you. After three or four such steps you have a situation where you walk into court and win a case –using the case law,– that you could never have won.

As the corporations all want this shift of rights away from citizens towards corporations, they are all happy to do their own little bit thus the cases will get brought by different corporations. But the effect is the same to walk judicial judgment in their favour step by step.

It was the same sort of trick the FBI and DoJ tried on Apple, not expecting just how vigorously Apple would foght back. It very nearly got to the point where case law would have gone against the FBI and DoJ, which is why they pulled the rip cord and bailed out in effect ending the case without any ruling.

If you keep your eyes open you will see many such cases. What judges should do is terminate such cases with a very clear message. But such cases can be quite lucrative so you can guess what happens.

One such “corporate judge” is currently being assessed for a place on the Supreme Court, the fact she is a raving religious loonie that bables “in tounges” apparently is not an impediment because she is pro-corporate anti individual rights and anti right of association… Not the sort of person the average US Citizen wants or needs in SCOTUS, but “a god send” for corporates.

xcv October 20, 2020 9:32 PM

@Clive Robinson

One such “corporate judge” is currently being assessed for a place on the Supreme Court, the fact she is a raving religious loonie that bables “in tounges” apparently is not an impediment because she is pro-corporate anti individual rights and anti right of association… Not the sort of person the average US Citizen wants or needs in SCOTUS, but “a god send” for corporates

The corps want CONTROL over healthcare, she will let RvW + gun control stand, which doesn’t really comport with the religious fervor and official dogma from the Vatican. The top officials at DOJ are all members of the same church, too, and I get the impression that they’re preaching the law in vain, (as church canon,) while enforcing the Mob rule of their religion on everybody else.

The guilty-plea only “deal” with the D.A. is part of the “confession” required by their religion. A defense based on innocence of the particular crime or matter is not allowed, because the judge will inflict cruel and unusual punishments on an “unrepentant sinner” and the process is not set up for a “not guilty” verdict from a jury to set the defendant free.

Additional charges are almost always filed in such cases, or else a mistrial is declared, and the defendant is tried again on the same charges, until a jury votes to convict on something.

SpaceLifeForm October 21, 2020 12:35 AM

@ xcv, Clive

Note: this is a technical question.

xcv • October 16, 2020 4:22 PM

@ SpaceLifeForm • October 16, 2020 2:28 PM

@ Clive, All

TradeMark != Copyright

Sure it is. It all falls under the umbrella category of “intellectual property.”

Interesting cut and paste results.

Which browser did you use?
Confirm if you recall, but I think you did not do Preview.

SpaceLifeForm October 21, 2020 1:04 AM

@ xcv, Clive

The reason I ask is because the html that you allegedly wrote
does not match what I originally did.

Did you actually take the time to do the triple backtick stuff? Twice?
And how did you blockquote it?

Because the html of what you posted is:

<blockquote><p>
<code>@ Clive, All</code></p>
<p> <code>TradeMark != Copyright</code>
</p></blockquote>

I originally put everything under one big block of code.

So, it's interesting that two lines have their own code block.

What I originally wrote came out as thus (only one code and /code):

<p><code>@ Clive, All</p>
<p>TradeMark != Copyright</p>
<p>It starts with a phish.</p>
<p>A phish that references Microsoft is all they needed for Trademark ruling.</p>
<p>Emotet involved.</p>
<p>I believe the bot, while distributed, is also multi-level.</p>
<p>But, I doubt there is code-signing between levels.</p>
<p>So, you temporarily seize a server that is not a low-level leaf.</p>
<p>Clone it. Allow original server to go back live on net. Those in control see a temporary outage. They believe all is good.</p>
<p>Poison the cloned server.</p>
<p>Put on net.</p>
<p>Globaly coordinate BGP poison.</p>
<p>Bobs your uncle.<br />
</code></p>

(note: posting with no Preview, all under triple backtick block)

JonKnowsNothing October 21, 2020 1:47 AM

@xcv @ SpaceLifeForm @ Clive, @All

re: TradeMark != Copyright

Sure it is. It all falls under the umbrella category of “intellectual property.”

No… Trademarks are completely different than Copyright. They have different laws and apply to different things.

  * Copyright is for literary, artistic, educational, or musical form.

  * Trademark is a recognizable sign, design, or expression which identifies products or services of a particular source from those of others.

Recently Bansky the street artist, lost the legal rights to his “Trademark” in the EU courts over an image of one of his artworks. The image was grabbed by a greeting card company and since Bansky is anonymous, they don’t pay a nickle to reuse his work for their profit. The courts had said Trademarks are for “trade” and since he didn’t sell direct (being annonymous) the Trademark was invalid. So Bansky opened a store “Gross Domestic Product” to show he did want to sell stuff. The EU courts didn’t like what he put up for sale (classic Bansky double twisters) and said he did not qualify for artistic protection.

The European Union Intellectual Property Office (EUIPO) panel said it ruled against the artist because he could not be identified as the unquestionable owner of such works because his identity remained hidden.

“Banksy has chosen to remain anonymous and, for the most part, to paint graffiti on other people’s property without their permission, rather than to paint it on canvases or his own property,” the panel said.

The panel of three judges said they found “his intention was not to use the mark as a trademark to commercialise goods .

It seems that even though the detached walls sell for $$$ the EU courts didn’t think it was enough to grant control to his representatives: Pest Control Office.

ht tps://en.wikipedia.org/wiki/Copyright
ht tps://en.wikipedia.org/wiki/Trademark
ht tps://en.wikipedia.org/wiki/Banksy

ht tps://www.theguardian.com/artanddesign/2019/oct/01/banksy-launches-homewares-shop-in-dispute-over-trademark

ht tps://www.theguardian.com/artanddesign/2020/sep/17/banksy-trademark-risk-street-artist-loses-legal-battle-flower-thrower-graffiti
(url fractured to prevent autorun)

xcv October 21, 2020 5:45 PM

@JonKnowsNothing

re: TradeMark != Copyright

Sure it is. It all falls under the umbrella category of “intellectual property.”

No… Trademarks are completely different than Copyright. They have different laws and apply to different things.

The details as expounded on in court do not matter. It’s all the same thing. It’s “intellectual property” and there’s something wrong with your thinking. The corporation can have to committed to an insane asylum, mental hospital, or psychiatric ward if you violate it. If you’re mentally competent to stand trial, it’s a ten-year felony sentence. That’s why the corporations and government offer mandatory health insurance coverage for involuntary mental health care, and there’s a dentist to pull your teeth for that.

name.withheld.for.obvious.reasons October 22, 2020 6:56 AM

22 OCT 2020 — NO BASIS FOR SPECIAL RIGHTS
Here is a quandry, what came first the person or the corporation?

As a corporation has, by government edict, attained citizenship by way of statue and case law is at best a fabricated assignment by government to an entity. The Declaration of Independence makes clear that natural rights are inherently held by natural citizens. The assignment of citizen to a body drafted from a document does not constitute fidelity to law as the Declaration of Independence requires. A corporation is “gifted” by the state with an unnatural status of citizen. This is direct government involvement in BIRTH OF A CITIZEN, and this act should be the basis in which measuring the application of rights in courts.

There is absolutely no reason that corporate organizations, falsely recognized by the courts and law as a person, though not a government body has asserted that corporate rights allow them to deny others their rights. No basis exists for the legally assigned status as citizen applies to corporations (inalienable rights applied to corporations–this is an invention). Given this aberration to constitutional egis, skewing the law to “endow” corporations with personhood means that the state has exercised “gifting special rights” to a fabricated entity. In doing, the government should restrict the impact that these special citizens have on “natural citizens”. For example, as the state has artificially anointed a citizen from a piece of paper, the right of the artificial citizen cannot deny or subvert the “natural citizens” rights–especially as they are inalienable.

JonKnowsNothing October 22, 2020 9:54 AM

@xcv

re: That’s why the corporations and government offer mandatory health insurance coverage for involuntary mental health care

tbh: I don’t totally get your response but…

As to Mental Health Coverage in the USA you are mostly mistaken. There is little or none. Until fairly recently, a provision called “pre-existing condition” barred people with mental health, previous cancer treatments and many other chronic illness from have any coverage at all. If they did manage to procure coverage the policy would exclude these conditions.

Currently, in a number of states, barring pre-existing conditions from health coverage is no longer allowed.

I posted a while back an explanation of how health care is apportioned in the USA, as preface to the Bank of Mom and Dad analysis. It maybe in the archives or on the wayback machine.

However a short summary of how this works in the USA as folks that have NHS service do not understand why and how we have millions of people in the USA with no health coverage at all, and millions of others with limited coverage, while our congress, senate and president get the best care and coverage as a perk for their jobs.

First things: In the USA we pay for everything. There are no free lunches. We pay directly and indirectly but mostly directly out of pocket. Health care is seen as a “perk” and not a necessity.

There are 2 pathways to healthcare: business group policy and private treaty.

Business Group Policies are employer provided health insurance. Employers negotiate a group rate for all their employees and generally offer tiers of coverage: solo, family, add on dental, add on vision care. Sometimes you get a smorgasbord of options sometimes you get one-size-fits all. If you lose your job, or your work hours fall below a certain level or you are classified as Independent Contractor you do not qualify for coverage. Generally the company picks up @30%-60% of the costs and the employee pays the residual.

Private Treaty Policies are individually purchased polices direct from the health insurance company. You pay 100% of the costs. Health Insurance companies offer tiered coverage where you can select from options: CoPay Amt, Premium Cost, Benefits, Coverage Cap, Out of Pocket Cost Caps. You get what you pay for.

As to mental health coverage. In the last 20 years some states have enacted no- pre-existing condition rules for their health insurance providers. This means that the health insurance providers cannot refuse to cover cancer and other chronic illnesses. Some mental health conditions are now included.

If you have business group policy and actually read all the way to the end of the very fine print, you will find that mental health provisions are excluded from many aspects of long-term health provisions. If you have a heart attack and become unable to work, you will have coverage extended until your retirement age (@68 USA). If you have a mental health crisis and can no longer work you will have your coverage terminated in 2 years, regardless of your current age.

The same holds true for private treaty, there are caps and adjustments on co-pays and prescription medications as well as hospital care for serious incidents.

In both cases the out-of-pocket expenses can be ruinous and if you don’t pay the premium as the base rate goes up, you lose coverage, your doctors, and access to medications.

There is a fall-back for people at the poverty income level, but when you are that poor you cannot put food on the table much less purchase drugs that cost more than the rent on the slum apartment.

There is a group of people who wish to repeal these limited enhancements which they call “Obama Care”.

This is one reason the cops get called out for Psychiatric Emergencies. They are not doctors. They do not know anything about mental health treatments. They do not prescribe medications. They only thing they know how to do is shoot the person. This they do regularly.

xcv October 22, 2020 12:29 PM

@JonKnowsNothing

Until fairly recently, a provision called “pre-existing condition” barred people with mental health

People with mental health are barred from airports and train stations as “terroristic” threats, by the gentlemen of the district who don’t want anyone to scare the ladies away from them, or witness the exchanges of sex for money among strangers.

People with mental health are completely barred from employment at any medium to large corporation in business die to intellectual property restrictions.

xcv October 22, 2020 3:46 PM

“US Cyber Command and Microsoft …”

http://www.ajc.state.ak.us/retention/ret20dickson.html

Leslie Dickson is an Air Force judge, reportedly born at Wright Patterson Air Force Base in Ohio.

She has had some official involvement with the Air Force, though not, apparently, as an actual servicemember.
https://www.arnold.af.mil/News/Article-Display/Article/1428017/aflcmc-entwined-with-senior-leader-goals/

Her father served in the Air Force: https://www.startribune.com/obituaries/detail/0000247296/

Should an Air Force judge sit on the civilian bench at the borough courthouse downtown Fairbanks to try cases among civilians which are not brought at court-martial? It’s an Establishment-only G.O.P. corker party in that judicial district.

JonKnowsNothing October 22, 2020 4:33 PM

@xcv

re: People with mental health are barred from airports and train stations as “terroristic” threats

People with mental health are completely barred from employment

I do not know which country you are referring to, but for the most part this is untrue. Depending on the severity of illness, the type of treatment and medications for it, the vast number of people with mental health issues are working and do work in all fields from high academia through the spectrum to gig economy workers.

1/4 of the population experiences a mental health issue or crisis at any given time. That’s 25% on a rolling average.

In countries with some wealth, and for people with access to care and medications, these conditions do not have any significant effect on the ability to work.

Where there is no care or access to medications, stigma and ignorance some countries still resort to chains.

xcv October 22, 2020 6:32 PM

@JonKnowsNothing

Depending on the severity of illness, the type of treatment and medications for it, the vast number of people with mental health issues are working

Which constitutes slavery over and above the pre-existing involuntary servitude of civil commitment and/or other mental health adjudication, in violation of the Thirteenth Amendment of the Constitution of the United States.

Depending on the severity of illness, the type of treatment and medications for it,
There’s a medication for that, as well as authorization to use force to administer that medication against the patient’s will.

the vast number of people with mental health issues are working and do work in all fields from high academia through the spectrum to gig economy workers.

People with “mental health issues” as you put it are not to the best of my knowledge employed as tenure-track faculty anywhere in “high academia.”

The “gig economy” of juggling bowling pins, playing guitar, or panhandling on the street corner is not supportive of being “warmed and filled” according to James 2:16 and getting off the property without being arrested, let alone finding supportive employment such as most people without a superior court mental health commitment record are able to find.

these conditions do not have any significant effect on the ability to work
Which is a very good reason that such conditions ought not to exist at all, given that they are legal conditions imposed and inflicted by a court of law, not conditions of a state or health of mind — or even so much as “attitude” — that would prevent a person from working, possessing firearms, and defending one’s own person and property, let alone marry and have children.

TomS. October 26, 2020 12:57 AM

Greetings

The closing comment noting “novel use of trademark law” doesn’t seem to match the strategy of Microsoft and its coalition partners in their action against Trickbot.

MS explains their use of copyright law in an Oct 15th blog post
“With this civil action, we have leveraged a new legal strategy that allows us to enforce copyright law to prevent Microsoft infrastructure, in this case our software code, from being used to commit crime. As copyright law is more common than computer crime law, this new approach helps us pursue bad actors in more jurisdictions around the world.”

From Pacermonitor.com [1], the type of action filed in tbe court is copyright infringement.

Among other things, the coalition plaintiffs have won a preliminary injunction against the botnet operators.
“ORDER – PRELIMINARY INJUNCTION – IT IS THEREFORE ORDERED that, Defendants, their representatives and persons who are in active concert or participation with them are restrained and enjoined from: (1) intentionally accessing and sending malicious software or code to Plaintiffs and the protected computers and operating systems of Plaintiffs’ customers and associated member organizations, without authorization, in order to infect those computers and make them part of any botnet. Signed by District Judge Anthony J Trenga on 10/20/2020. (see order for details)(dvanm, )”

[1] https://www.pacermonitor.com/public/case/36708804/Microsoft_Corporation_et_al_v_John_Does_1_et_al

TomS. October 26, 2020 1:10 AM

@Clive

Re: how the updated config file was distributed

MS publicly reports the analysis of ~61k Trickbot samples and an inventory of related infrastructure. I suspect they, or coalition partners, compromised one or more C2 servers and used native botnet commands to publish the config. If the malware sophistication is as robust as you suggest, easier to catch an operator than attack the architecture or crypto. The dumps of hacker password files are as equally depressing as user dumps.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.