The countries involved in the operation were listed by the European Union law enforcement agency Europol as Armenia, Australia, Austria, Azerbaijan, Belgium, Belize, Bulgaria, Canada, Colombia, Finland, France, Germany, Gibraltar, Hungary, India, Italy, Lithuania, Luxembourg, Moldova, Montenegro, the Netherlands, Norway, Poland, Romania, Singapore, Sweden, Taiwan, Ukraine, UK and US.
There were a total of five arrests, 37 searches, 39 servers seized and 221 servers taken offline through abuse notifications.
Europol said the botnet had caused an estimated €6 million in damages in concentrated cyberattacks on online banking systems in Germany alone.
Europol said victims of malware infections were identified in more than 180 countries. "The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked," it said.
Sinkholing redirects traffic between infected computers and a criminal infrastructure to servers controlled by law enforcement authorities or an IT security company. This is achieved by assuming control of the domains or IP addresses used by the criminals.
The Shadowserver Foundation, a non-profit group of security professionals, said Avalanche was a double fast flux content delivery and management platform. Europol described the fast flux technique as an evasion technique used by botnet operators to quickly move a fully qualified domain name from one or more computers connected to the Internet to a different set of computers.
"Its aim is to delay or evade the detection of criminal infrastructure. In the double fast flux set-up, both the domain location and the name server queried for this location are changed," the organisation said.
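The double fast flux behaviour Europol describes leaves a footprint in DNS data that defenders can look for: a name whose A records cycle through many addresses with very short TTLs, and, in the double flux case, whose NS records cycle in the same way. The script below is an added example written for this page; it is not code from the article, Europol, the BSI or the Shadowserver Foundation. It runs over a constructed set of passive-DNS style observations (invented domain names, addresses from the RFC 5737 documentation ranges) and labels each name as stable, single flux or double flux. The churn and TTL thresholds are assumptions chosen for the example, not values from any published detection rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsObservation:
    """One passive-DNS style record: what a resolver saw for a name at a given time."""
    ts: int        # observation time, seconds since epoch (constructed values below)
    qname: str     # the fully qualified domain name that was queried
    rrtype: str    # "A" for the host address, "NS" for the authoritative name server
    rdata: str     # the address or name-server host returned
    ttl: int       # time-to-live the authoritative server attached to the answer


# Constructed sample: six observations per name over one hour. Addresses come from
# the RFC 5737 documentation ranges and the domain names are invented.
_TIMES = range(0, 3600, 600)

SAMPLE_OBSERVATIONS: List[DnsObservation] = (
    # A legitimate-looking host: one address, two name servers, long TTLs.
    [DnsObservation(t, "www.stable.example", "A", "192.0.2.10", 86400) for t in _TIMES]
    + [DnsObservation(t, "www.stable.example", "NS", ns, 172800)
       for t in _TIMES for ns in ("ns1.stable.example", "ns2.stable.example")]
    # Single flux: the A record moves on every observation, the NS records stay put.
    + [DnsObservation(t, "update.single.example", "A", f"198.51.100.{10 + i}", 120)
       for i, t in enumerate(_TIMES)]
    + [DnsObservation(t, "update.single.example", "NS", ns, 86400)
       for t in _TIMES for ns in ("ns1.single.example", "ns2.single.example")]
    # Double flux: both the A record and the NS record move, each with a short TTL.
    + [DnsObservation(t, "login.double.example", "A", f"203.0.113.{20 + i}", 60)
       for i, t in enumerate(_TIMES)]
    + [DnsObservation(t, "login.double.example", "NS", f"ns{i}.double.example", 120)
       for i, t in enumerate(_TIMES)]
)


def summarise(observations: Iterable[DnsObservation]) -> Dict[str, dict]:
    """Collect, per queried name, the distinct answers and the TTLs seen for A and NS."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"A": set(), "NS": set(), "A_ttl": [], "NS_ttl": []}
    )
    for obs in observations:
        if obs.rrtype not in ("A", "NS"):
            continue  # other record types do not bear on the flux decision
        entry = stats[obs.qname]
        entry[obs.rrtype].add(obs.rdata)
        entry[obs.rrtype + "_ttl"].append(obs.ttl)
    return dict(stats)


def _is_fluxing(distinct: set, ttls: List[int], min_distinct: int, max_ttl: int) -> bool:
    """A record set 'fluxes' when it cycles through many values and every TTL is short."""
    return len(distinct) >= min_distinct and bool(ttls) and max(ttls) <= max_ttl


def classify(observations: Iterable[DnsObservation],
             a_min_distinct: int = 5, ns_min_distinct: int = 3,
             max_ttl: int = 300) -> Dict[str, str]:
    """Label each name 'double-flux', 'single-flux' or 'stable'.

    The thresholds are assumptions for this example: a churn of five addresses
    (three name servers) within the observation window, all with TTLs of five
    minutes or less, is treated as flux behaviour.
    """
    verdicts: Dict[str, str] = {}
    for qname, entry in summarise(observations).items():
        a_flux = _is_fluxing(entry["A"], entry["A_ttl"], a_min_distinct, max_ttl)
        ns_flux = _is_fluxing(entry["NS"], entry["NS_ttl"], ns_min_distinct, max_ttl)
        if a_flux and ns_flux:
            verdicts[qname] = "double-flux"   # name and its name servers both move
        elif a_flux:
            verdicts[qname] = "single-flux"   # only the host address moves
        else:
            verdicts[qname] = "stable"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(classify(SAMPLE_OBSERVATIONS).items()):
        print(f"{name:28} {verdict}")
```

The NS check is what separates double flux from ordinary round-robin or CDN-style single flux: a legitimate host may rotate through many addresses with short TTLs, but its delegation rarely changes on the same timescale. In practice the thresholds would be tuned against a baseline of known-good traffic, and a verdict would be one input to an investigation rather than a block decision on its own.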
Europol said Avalanche infrastructure had been used since 2009 for conducting malware, phishing and spam activities. "They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims."
Investigations began in 2012 in Germany, after ransomware known as the Windows Encryption Trojan infected computer systems. "Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and e-mail passwords."
The Shadowserver Foundation listed the following families of malware as being served up by the botnet:
Fake Trusteer App
Europol said: "In preparation for this joint action, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130 TB of captured data and identified the server structure of the botnet, allowing for the shut-down of thousands of servers and, effectively, the collapse of the entire criminal network.
"The successful takedown of this server infrastructure was supported by Interpol, the Shadowserver Foundation, Registrar of Last Resort, ICANN and domain registries involved in the takedown phase. Interpol has also facilitated the cooperation with domain registries. Several anti-virus partners provided support concerning victim remediation."