Microsoft, Military Tackle Botnet Preceding Elections


Microsoft says it has disrupted "one of the world's most persistent malware operations." The action against "Trickbot" reportedly involved working with the US military.

Trickbot is a botnet: a network of computers infected with malware whose resources are hijacked and pooled for further malicious activity. The operators built it largely through bogus emails that tricked users into opening a file attachment or clicking a link, which then downloaded and installed the malware.

Trickbot has been used to steal login details such as online banking credentials, to access sensitive data, and to deliver ransomware that encrypts files on infected machines and demands a payment to restore access.

Election Concerns

Microsoft says it was particularly important to tackle Trickbot now because it feared the ransomware could be used against election-related computer systems, including voter registration databases and official sites for reporting results. The goal of such an attack would be less to collect a ransom payment than to cause significant disruption and create division and distrust in the electoral process and its results.

According to Microsoft's account, the effort to disrupt Trickbot was as much legal as technical. It gathered evidence on the IP addresses of the command and control servers used to issue instructions to the infected computers. It then obtained court approval to work with technical partners to block those addresses. It also used undisclosed techniques to "render the content stored on the command and control servers inaccessible."

As part of the court action, Microsoft relied on copyright law, which it says it had not previously done in a campaign of this kind. It argued that because the Trickbot operators had used and adapted Microsoft code in their malware, they had violated Microsoft's copyright, since its licenses do not permit such use. (Source: microsoft.com)

Military Involvement

While Microsoft hasn't gone into much detail about the operation, media reports suggest the Department of Defense's US Cyber Command played a significant role. It is said to have briefly hijacked Trickbot's control servers to push out instructions telling infected machines to disconnect from the botnet.

It's also said that Cyber Command edited Trickbot's database of infected machines, adding millions of bogus records so that the operators waste effort trying to reach machines that do not exist. (Source: krebsonsecurity.com)

In both cases the techniques appear aimed at causing temporary disruption rather than permanently disabling the botnet or stopping the malware from spreading.

What's Your Opinion?

Is Microsoft right to time this operation to coincide with elections? Should there be any limits on the power courts give tech companies to tackle botnets? Is this an appropriate area for US Cyber Command involvement?


Comments


I'm trying to follow instructions I've seen online about how to remove the pin after the computer boots up, to get out of the initial screen (with a landscape scene). I went to settings and chose remove pin, checked OK, and now it's worse than ever! Now it not only wants the pin, but the user name as well.

When you set up my other computer with W 10 this year, Dennis, there's nothing to enter - pin or password. I choose W 10 (not Macrum) and I'm ready to open the browser; no pin, etc.

Is there a solution? Others must have this problem once in a while. Hope you have some easy steps you can show us.

Thank you,
Annie


PS I can answer my own question now. After looking at so many tips online, only ONE finally explained that you have to eliminate the password as well as the pin, or you'll still be asked for the password!