Thoughts on the Future Implications of Microsoft’s Legal Approach towards the TrickBot Takedown

Just this week, Microsoft announced its takedown operation against the TrickBot botnet, in collaboration with other cybersecurity partners, such as FS-ISAC, ESET, and Symantec. This takedown followed Microsoft’s successful application for a court order this month, enabling them to enact technical disruption against the botnet. Such legal processes are typical and necessary precursors to such counter-operations.

However, what was of particular interest, in this case, was the legal precedent Microsoft (successfully) sought, which was based on breaches of copyright law. Specifically, they founded their claim on the alleged reuse (and misuse) of Microsoft’s copyrighted software – the Windows 8 SDK – by the TrickBot malware authors.

Now, it is clear that this takedown operation is not likely to cripple the entirety of the TrickBot operation. As numerous researchers have found (e.g., Stone-Gross et al., 2011; Edwards et al., 2015), a takedown operation often works well in the short-term, but the long-term effects are highly variable. More often than not, unless they are arrested, and their infrastructure is seized, botnet operators tend to respond to such counter-operations by redeploying their infrastructure to new servers and ISPs, moving their operations to other geographic regions or new targets, and/or adapting their malware to become more resistant to detection and analysis. In fact, these are just some of the behaviours we observed in a case-by-case longitudinal study on botnets targeted by law enforcement (one of which involved Dyre, a predecessor of the TrickBot malware). A pre-print of this study is soon to be released.

So, no, I’m not proposing to discuss the long-term efficacy of takedown operations such as this. That is for another blog post.

Rather, what I want to discuss (or, perhaps, more accurately, put forward as some initial thoughts) are the potential implications of Microsoft’s legal approach to obtaining the court order (which is incumbent for such operations) on future botnet takedowns, particularly in the area of malicious code reuse.

Of course, it must be noted at this point that I am not a lawyer but a computer scientist. As such, I am not in a position to assess, analyse, or verify the niceties of copyright law or any other area of law for that matter. However, as I put forward these thoughts, I invite others (especially those from a legal background) to contribute to this discussion and shed some light on the topic.

A Waymaker or A Restricted Use-Case?

Before now, the grounds for any legal action preceding a botnet takedown (such as a temporary restraining order or an injunction) typically included one or more references to (i) computer fraud and abuse (e.g., hacking, denial-of-service, tampering), (ii) trademark infringement and/or dilution (e.g., false use of logos in spam and phishing emails), (iii) false designation of origin (e.g., spoofing), (iv) trespass, and/or (v) theft and/or conversion. In addition, whether a public or private entity pursues the order, the argument of such a takedown “being in the public interest” is almost always cited.

Some examples of this general framework being applied can be seen in the legal documentation for the Necurs and Dridex/Bugat takedowns.

Likewise, Microsoft raised several issues in their argument for a temporary restraining order against the TrickBot operators and their infrastructure. However, the key difference with and novelty of their approach lies in their exploitation of the alleged reuse/misuse of the Windows 8 SDK by the TrickBot authors, effectively turning this into a copyright infringement matter. As noted by security journalists, and to the best of my own knowledge, this is a new legal precedent for companies to effect botnet takedowns.

In the referenced article, the author argues that one of the most significant results of this takedown attempt was the potential this new legal precedent gives to Microsoft to reuse this argument in other cases (and in any jurisdiction). This means that Microsoft could reuse this approach against other malware gangs for faster crackdowns in the future.

On the face of it, this new capability alone could be a significant breakthrough in the fight against botnet operations, especially for Microsoft and their customers. This is because, as it is quite well-known in the security community, Windows is still one of the most targeted operating systems by malicious actors. Furthermore, as the world has seen time and time again in malware, counter-terrorism, and perhaps most notably with the case of the COVID-19 pandemic, epidemiology research, speed and agility are often vital and necessary tools for mitigating the activities and spread of malicious, networked agents.

But, when we look beyond this solitary case of code reuse, I can’t help but wonder if this could only be the beginning? Below, I briefly consider three issues.

First, to date, millions of different malware families and strains have been observed in the wild, a proportion of which operate as botnets (e.g., ransomware, pay-per-install services, DDoS networks). It is hard to believe that only TrickBot utilised Microsoft software such as the Windows 8 SDK. Therefore, an interesting set of research questions could be to ask just how many other active botnets use such code in their infrastructures? Which of these botnets or groups of botnets could be an effective future target for Microsoft and their partners?

Second, code reuse is common in software development that extends far beyond the use of just Microsoft software, including other companies like Apple and Google, each of which provide SDK frameworks for their own devices. It happens in both the legal and the illegal context because it is just more efficient to do so. In fact, just last week, researchers quantified and mapped the reuse of open source offensive security tool (OST) code by various threat actors and malicious operations. This issue, therefore, begs the question, how many of these other software brands are reused by botnet malware, and how often? Surely, with code reuse and misuse being so (potentially) commonplace in the cybercriminal landscape, this legal precedent could be an open door for other software providers to tackle miscreant operations – not just Microsoft? Even in cases where the software providers do not have the financial resources to pursue such actions on their own, the possibility still remains that other, bigger companies and organisations can work with them to make a multi-party action against the perpetrators. Of course, this goes for the assumption that these companies would be able to put the long-term interests of the public above their own business and financial interests.

Finally, beyond considering the reuse of a claimant’s code (e.g. Microsoft in this instance), are there any legal frameworks that could enable a quicker and more effective approach to taking down botnets that reuse code from other defendant operations, (i.e., previously taken down botnets)? From a layman’s point of view, if a court has already granted an order against a specific botnet and its maliciously intended software, surely that would lend some weight to an application against another botnet that utilises some or all of the prior botnet’s code and/or infrastructure?

I am mindful that there could be other complexities in each case which would require careful disentanglement to show the relevance of this Microsoft-TrickBot precedent within them. For example, one may need to consider the nature and strength of the copyright licence and terms of use accompanying each party’s software to see whether they could meet the necessary legal tests for this precedent to apply. I leave such a task to a legal scholar or practitioner.

It must be said, however, that there is also the potential for (unintended) negative consequences as a result of this new legal precedent, the most obvious being botnet operators and malware authors taking note of this new strategy and adapting their operations to circumvent it. For instance, TrickBot (or other) malware operators may seek to rewrite their code using alternative software development frameworks (particularly ones produced by parties less likely to enforce legal action against them) or rewrite the code completely from scratch. They could also seek to increase their efforts to mask the malware code from analysts to make the distinction between portions of their code and other copyrighted software less clear. Chua et al. (2019) have already outlined in great detail the potential for unintended effects as a result of cybersecurity mitigations. Therefore, it remains to be seen how these malicious actors will respond to this latest legal strategy.

Nonetheless, any takedown against a botnet undoubtedly causes some positive effects, even if it is not totally cataclysmic or long-lived. From incurring additional costs to the botnet operators, to delaying current malware operations, to even damaging the botnet’s reputation in cybercriminal circles, each takedown can weaken cybercriminal operations in diverse ways (I previously talked about the application of the Situational Crime Prevention framework to tackle cybercriminal operations across multiple frontiers in another blog post and pre-print). Therefore, takedowns that can be achieved more rapidly can only be a plus to denting the cybercriminal economy.

Concluding, this novel legal approach that Microsoft has taken against the TrickBot operation is bound to cause some reverberations in the botnet takedown landscape. What and how extensive these reverberations are remain to be seen. However, I hope this post encourages the research community to answer these questions sooner rather than later.

Photograph by NASA on Unsplash. Thanks to Onyinye V. K. Ndekwu for some comments on this post.

2 thoughts on “Thoughts on the Future Implications of Microsoft’s Legal Approach towards the TrickBot Takedown”

  1. The binding effect of a precedent, in legal systems which recognise such an effect, is to be found in the legal reason for the decision. It can be evaluated only by studying the judgment stating that reason, which is why a citation, and preferably a link, to the judgment itself is essential. Can one be provided?

  2. Thanks for your comment.

    The case files were actually cited in the post with this URL: https://noticeofpleadings.com/trickbot/

    There were three orders granted for this pleading. The specific one to which you refer (Order Granting TRO and Order to show cause re PI) is accessible here: https://noticeofpleadings.com/trickbot/files/Court%20Orders/Order%20Granting%20Ex%20Parte%20TRO%20and%20to%20Show%20Cause%20re%20PI.pdf

    It also contains the flow of judgment.

Leave a Reply

Your email address will not be published.