Botnets Leaning on Competing Platforms to Survive Takedown Operations
Recently, multiple teams in our industry worked together to dismantle the Trickbot botnet. Incidentally, the teams involved use Team Cymru data in their research, investigations and solutions. We are well known in the industry for our botnet tracking. However, TrickBot has survived the takedown effort by briefly leveraging what are effectively competing botnet platforms. To give us an idea of what those other platforms consist of, we can look to our Reputation Feed.
On the day I wrote this, our sensors detected nearly 350,000 Ponyloader bots and nearly 525,000 Smokeloader bots. While we don’t see specific evidence that these specific families have been used as part of Trickbot, either of them would make an ideal mechanism to help spread a new variant of Trickbot, and analysts routinely use our data to track the movement and evolution of operations like this one.
It may seem obvious, when we consider that a normal business with operational problems would make use of outsourcing as a solution. Cyber-criminal business is no different. In a time of need, even these kinds of businesses sometimes make use of others who may be competitors.
To stay informed about the complete threat landscape – for example, so you can see an operation like TrickBot transition to another platform – one needs to have access to the most holistic view possible. We call this Pure Signal™. Our Reputation Feed, which is derived from our Pure Signal, tracks more than forty bot families and provides that holistic view. Aside from the hundreds of thousands of “loader” bots we tracked this week, we also tracked an additional 15,000,000 other bots of various families, shapes and sizes.
By using a broad intelligence source like our Reputation Feed, it’s possible not just to study and understand the scope of threats like loaders on the Internet, but also to do all kinds of other things. For example, subscribers to our reputation data track infections in their own supplier networks, verify visitors to their websites, and even implement their own zero-trust network policies.
If you would like more information about our Pure Signal™ offerings, such as our Reputation feed, our Botnet Analysis and Reporting feed, or our reconnaissance solution for elite analysts, email us at mailto: firstname.lastname@example.org.