A week ago, Microsoft and a coalition of security firms took down TrickBot. On a global mission, the companies removed one of the largest malware botnets. However, the work was not over for the Microsoft Defender team.

Despite taking down TrickBot infrastructure, Microsoft Defender employees knew the cybercrime community would fight back. It was expected the botnet would reappear and operators would bring new servers online.

Microsoft says it was waiting for this to happen and has been continuing to remove TrickBot services since last week’s announcement. Furthermore, the company will keep a clamp on the botnet in the coming weeks.

Other companies joining Microsoft Defender in the initial effort were ESET, FS-ISAC, NTT, Symantec, and Black Lotus Labs.

The Microsoft Defender team points out removing TrickBot was important as it is one of the biggest botnets. Indeed, the company says over one million machines have been infected by TrickBot malware.

Continuing to Fight

In a new blog post, the company says it will continue to fight against the botnet. In fact, 94% of all command and control (C&C) servers have been taken down.

“From the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world,” said Tom Burt, CVP of Customer Security and Trust at Microsoft. 62 were taken out by the initial movement, while 58 have been removed since last week’s effort.

Microsoft says the remaining seven services are related to IoT hardware. They could not be shut down because they are not located in web hosting data centers. In other words, Microsoft needs to collaborate with local internet service providers. That collaboration is currently happening.