People outside of Microsoft agreed that the takedown appears to be achieving results. Marcus Hutchins, a researcher who closely follows botnets, said that Trickbot has two classes of servers. Command servers update configurations and send commands, while plugin servers download modular tools used for things like bank fraud, infecting new computers, or sending spam.
Even a single command server can rapidly tell all infected computers where to find new control servers, so a partial takedown of the command servers isn’t much of a body blow, Hutchins said. In fact, in the hours leading up to the publication of this post, the botnet operators were able to add 13 new command servers.
Also I just looked and they pushed a new server list with 100% working servers.
— MalwareTech (@MalwareTechBlog) October 20, 2020
Things look more optimistic for the takedown members on one point: for some reason, none of the plugin servers is being replaced.
“Without the plugin servers, the bot is just a loader with nothing to load,” Hutchins told me. “Essentially, the botnet is out of action for now. As long as they have working C2s, they could revive it. But as it stands, they have not.”
“I’m not dead yet”
Hutchins said that the victory is by no means complete. For one thing, it’s possible the plugin servers may still be restored. And for another, at the time this post was going live, the Trickbot operators were actively deploying ransomware using what’s called the BazarLoader.
It’s still too early to declare victory. It’s not clear precisely why the plugin servers aren’t being replaced. If the plugin servers return, Trickbot’s normal malicious tricks will likely return.
“It’s definitely not dead,” Hutchins said, “just incapacitated.”