Microsoft, Military Tackle Bonet Preceding Elections

Microsoft says it has disrupted "one of the world's most persistent malware operations." The action against "Trickbot" reportedly involved working with the US military.

Trickbot is a botnet, created by infecting computers with malware then hijacking and combining their resources for further malicious activity. The operators largely built it using bogus emails that tricked users into opening a file attachment or clicking a link that downloaded and installed malware.

The uses of Trickbot have included stealing login details such as online banking credentials; accessing sensitive data; and running ransomware scams that remotely encrypt files and demand a payment to regain access.

Election Concerns

Microsoft says it was particularly important to tackle Trickbot now as it feared the ransomware could be used to attack election related computer systems including voter registration databases and official sites for reporting results. The goal wouldn't be to get the ransom payment as much as to cause significant disruption and create division and distrust in the electoral process and results.

According to Microsoft's account, the efforts to disrupt Trickbot were as much legal as technical. It gathered evidence on the IP addresses used to issue commands to the infected computers. It then got court approval to work with technical partners to block those addresses. It also used undisclosed techniques to "render the content stored on the command and control servers inaccessible."

As part of the court action, Microsoft used copyright law for the first time in such a campaign. It argued that because the Trickbot operators had used and adapted Microsoft code in their attacks, they'd effectively violated copyright as Microsoft doesn't allow such use. (Source: microsoft.com)

Military Involvement

While Microsoft hasn't gone into too much detail about the operation, media reports suggest the Department of Defense's US Cyber Command played a big role. It is said to have briefly hijacked Trickbot's servers to send out a message to infected machines telling them to disconnect from the botnet.

It's also said Cyber Command edited the Trickbot database of infected machines to add millions of bogus records that will cause disruptions as it tries to connect to non-existent machines. (Source: krebsonsecurity.com)

In both cases the techniques appear to be more about causing a temporary disruption rather than permanently disabling the botnet or stopping the malware spreading.

What's Your Opinion?

Is Microsoft right to time this operation to coincide with elections? Should there be any limits on the power courts give tech companies to tackle botnets? Is this an appropriate area for US Cyber Command involvement?