TrickBot

The TrickBot botnet has survived a takedown attempt[1] orchestrated by a coalition of tech companies on Monday.

TrickBot command and control (C&C) servers and domains seized yesterday have been replaced with new infrastructure earlier today, multiple sources in the infosec community have told ZDNet.

Sources from companies monitoring TrickBot activity described the takedown's effects as "temporal" and "limited," but praised Microsoft and its partners for the effort, regardless of its current results.

"Our estimate right now is what the takedown did was to give current victims a breather," a security researcher said.

While some companies agreed to go on the record, ZDNet decided to refrain from using any of our interviewed sources' names to avoid indirectly criticizing the entities involved in the takedown (Microsoft's Defender[2] team, FS-ISAC[3], ESET[4], Lumen's Black Lotus Labs[5], NTT[6], and Broadcom's cyber-security division Symantec[7]).

But in private interviews, even security researchers at ESET, Microsoft, and Symantec told ZDNet that they never expected to take down TrickBot for good in one quick hit.

One source described Monday's action as "kneecapping" the botnet rather than "cutting its head." ZDNet was told that even from the early planning phases, the involved parties expected TrickBot to make a comeback, and planned ahead for follow-up actions.

"As we've seen with prior [takedown] operations, the results of a global disruption involving multiple partners shows up in stages," Tom Burt, CVP of Customer Security and Trust at Microsoft, told ZDNet in an email on Monday.

"We anticipate Trickbot's operators will attempt to revive their operations, and we will take additional legal and technical steps to stop them if necessary," Burt added.

This multi-phased approach to disrupting TrickBot is a direct result of the botnet's complex infrastructure, much of which
