Security News

Microsoft and Other Tech Companies Take Down TrickBot Botnet
2020-10-13 10:44

Days after the US Government took steps to disrupt the notorious TrickBot botnet, a group of cybersecurity and tech companies has detailed a separate coordinated effort to take down the malware's back-end infrastructure. Microsoft and its partners analyzed over 186,000 TrickBot samples, using them to track down the command-and-control infrastructure the malware uses to communicate with victim machines, identify the IP addresses of the C2 servers, and map other TTPs applied to evade detection.

Tech Companies Take Down TrickBot Botnet Infrastructure
2020-10-12 14:04

Microsoft on Monday revealed that it worked together with industry partners to shut down the infrastructure used by TrickBot operators and block efforts to revive the botnet. The Washington Post reported last week that U.S. Cyber Command also attempted to hack TrickBot's C&C servers, seeking to take the botnet down and prevent attacks aimed at disrupting the U.S. presidential elections.

Microsoft and partners cut off key Trickbot botnet infrastructure
2020-10-12 13:51

"We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems," shared Tom Burt, corporate VP, Customer Security and Trust, Microsoft. "In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims' networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that 'the relationship between Emotet, Ryuk and Trickbot is considered one of the most notable in the cybercrime world'," Symantec researchers noted.

Microsoft Uses Trademark Law to Disrupt Trickbot Botnet
2020-10-12 12:52

Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant's trademarks.

TrickBot botnet targeted in takedown operations, little impact seen
2020-10-12 07:00

The Trickbot operation started hitting serious snags towards the end of September when enslaved computers received an update that cut them off from the botnet by changing the command and control server address to 127.0.0.1. On October 10, The Washington Post reported that the U.S. Cyber Command carried out a campaign seeking to disrupt the Trickbot botnet ahead of the presidential elections.

C&C Panels of 10 IoT Botnets Compromised by Researchers
2020-10-09 10:46

At the Virus Bulletin Conference last week, two security researchers explained how they were able to compromise the command and control panels of 10 Internet of Things botnets. The researchers, Aditya K. Sood and Rohit Bansal of SecNiche Security Labs, revealed at the online conference that they were able to access the C&C panels of the Mana, Vivid, Kawaii, Verizon, Goon, 911-Net, Purge Net, Direct, 0xSec, and Dark botnets.

HEH P2P Botnet Sports Dangerous Wiper Function
2020-10-08 17:27

In the case of HEH, the P2P module itself includes three components, starting with one that pings for all other nodes in the botnet at 0.1-second intervals and waits for a pong back; and one that updates the node with the latest peer addresses. For the former, "The UDP service port of HEH botnet is not fixed, nor is it randomly generated, but is calculated based on [the] peer's own public network IP," explained the firm.
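Because the HEH peer port is derived from each peer's public IP rather than fixed, a port-based signature is of little use; what remains stable is the cadence: a small UDP datagram to each peer roughly every 0.1 seconds, answered by a pong. The detector below is an added example written for this page, not code from 360 Netlab or from the HEH analysis, and it does not reproduce HEH's actual port derivation. It runs over constructed flow records (the IPs, ports and timestamps are made up) and groups flows by source and destination address only, ignoring the destination port, then flags pairs that beacon at a steady interval in both directions.

```python
"""Beaconing detector for HEH-style P2P keepalives, run over constructed UDP flow records.

Added example, not part of the original report. Flow tuples are
(timestamp_seconds, src_ip, src_port, dst_ip, dst_port, payload_bytes).
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed sample telemetry, not a real capture."""
    flows = []
    # Infected host 10.0.0.5 pings peer 203.0.113.7 every 0.1 s and gets a pong back.
    # The peer port (41234) is a made-up value standing in for whatever the peer
    # computed from its own public IP; the detector never relies on it.
    for i in range(30):
        t = 100.0 + i * 0.1
        flows.append((t, "10.0.0.5", 41234, "203.0.113.7", 41234, 36))
        flows.append((t + 0.02, "203.0.113.7", 41234, "10.0.0.5", 41234, 36))
    # Benign DNS from the same host at irregular, human-driven intervals.
    for t in (100.3, 100.9, 101.1, 102.4, 102.5, 102.95):
        flows.append((t, "10.0.0.5", 53000, "192.0.2.53", 53, 60))
        flows.append((t + 0.01, "192.0.2.53", 53, "10.0.0.5", 53000, 120))
    # A single NTP poll: far too few packets to count as a beacon.
    flows.append((101.0, "10.0.0.5", 123, "192.0.2.123", 123, 48))
    flows.append((101.05, "192.0.2.123", 123, "10.0.0.5", 123, 48))
    return sorted(flows)


def find_p2p_keepalives(flows, target_interval=0.1, tolerance=0.25,
                        min_packets=10, max_cv=0.2):
    """Return (src, dst, mean_gap, packet_count) for directed pairs that
    send at least min_packets at ~target_interval with low jitter and whose
    counterpart sends a comparable stream back (ping answered by pong).

    Grouping deliberately ignores ports: a peer port computed per-IP would
    defeat any port-keyed rule, but the timing of the exchange is still visible.
    """
    by_pair = defaultdict(list)
    for ts, src, _sport, dst, _dport, _size in flows:
        by_pair[(src, dst)].append(ts)

    flagged = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_packets:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a real keepalive loop has almost no jitter.
        cv = pstdev(gaps) / avg if avg else float("inf")
        steady = abs(avg - target_interval) <= tolerance * target_interval and cv <= max_cv
        answered = len(by_pair.get((dst, src), [])) >= min_packets
        if steady and answered:
            flagged.append((src, dst, round(avg, 3), len(stamps)))
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, gap, n in find_p2p_keepalives(build_sample_flows()):
        print(f"possible P2P keepalive: {src} -> {dst}, {n} datagrams, mean gap {gap}s")
```

The thresholds (target interval, 25% tolerance, minimum ten datagrams, jitter under 20%) are starting points for tuning, not values taken from the HEH analysis; on real NetFlow or Zeek conn logs the same grouping by address pair applies, and the DNS and NTP streams show why the reply-in-both-directions and minimum-count checks are needed to keep ordinary chatter out of the alert.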

ALERT! Hackers targeting IoT devices with a new P2P botnet malware
2020-10-07 02:51

Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining. The researchers said the HEH botnet samples discovered so far support a wide variety of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PowerPC. The botnet, despite being in its early stages of development, comes with three functional modules: a propagation module, a local HTTP service module, and a P2P module.

Ttint Botnet Targets Zero-Day Vulnerabilities in Tenda Routers
2020-10-05 18:23

A new Mirai-based botnet is targeting zero-day vulnerabilities in Tenda routers, according to researchers at 360 Netlab, a unit of Chinese cybersecurity company Qihoo 360. In order to evade detection of the traffic patterns typical of Mirai botnets, Ttint communicates with its command and control server over WSS (WebSocket over TLS) and additionally encrypts the exchanged data.