People outside of Microsoft agreed that the takedown was producing results. Marcus Hutchins, a researcher who closely follows the botnet, says TrickBot uses two classes of servers. Command servers update configurations and send commands, while plugin servers deliver the modular tools used for things like bank fraud, infecting new computers, or sending spam.
Because even a single surviving control server can quickly tell all infected computers where to find new control servers, taking down only some of them isn't much of a blow, Hutchins said. In fact, in the hours leading up to the publication of this article, the botnet operators were able to add 13 new command servers.
I saw that they pushed the new server list with 100% working servers.
– MalwareTech (@MalwareTechBlog) October 20, 2020
Where things look more promising for the takedown participants is that, for some reason, none of the plugin servers have been replaced.
“Without plugin servers, the bot is just a loader with nothing to load,” Hutchins told me. “Essentially, the botnet is not working right now. As long as they have working C2s, they can restore it. But as things stand, they haven't.”
“I’m not dead yet”
Hutchins said the victory was by no means complete. For one thing, the plugin servers can still be restored. For another, as this article goes live, the TrickBot operators are actively pushing a ransomware called BazarLoader.
It is still too early to declare victory. Not sure why the plugin servers were not replaced. If the plugin servers come back, the usual malicious tricks of TrickBot will come back.
“It’s definitely not dead,” Hutchins said, “just incapacitated for now.”