Trickbot – leased botnet attacked by Microsoft – it is struggling to stay alive


People outside of Microsoft agreed that the takedown seems to be achieving results. Marcus Hutchins, a researcher who closely follows botnets, said that TrickBot has two classes of servers. Command servers update configurations and send commands, while plugin servers deliver the modular tools used for things like bank fraud, infecting new computers, or sending spam.

Even a single surviving command server can tell all infected computers to quickly find new control servers, so a partial takedown of them doesn’t hurt the botnet much, Hutchins said. In fact, in the hours leading up to the publication of this post, the botnet operators were able to add 13 new command servers.

Where things become more optimistic for those behind the takedown is that, for some reason, none of the plugin servers are being replaced.

“Without plugin servers, the bot is just a loader that doesn’t load anything,” Hutchins told me. “Essentially, the botnet is out of action right now. As long as they have a working C2, they will be able to revive it. But not as it stands.”

“I’m Not Dead Yet”

Hutchins said the victory is by no means complete. For one thing, it is possible that the plugin servers can still be reinstated. And for another, at the time this post was going live, the TrickBot operators were actively deploying ransomware using a tool called BazarLoader.

It is too early to declare victory. It is not clear why the plugin servers have not been replaced. If the plugin servers come back, TrickBot’s usual malicious capabilities will likely come back with them.

“It’s definitely not dead,” Hutchins said, “just incapacitated.”