Massive botnet taken down after four-year operation

Arrests and searches in five countries have resulted in the takedown of a botnet known as Avalanche that has been behind phishing attacks and about 20 different malware variants over the last decade.

The countries involved in the operation were listed by the European Union law enforcement agency Europol as Armenia, Australia, Austria, Azerbaijan, Belgium, Belize, Bulgaria, Canada, Colombia, Finland, France, Germany, Gibraltar, Hungary, India, Italy, Lithuania, Luxembourg, Moldova, Montenegro, the Netherlands, Norway, Poland, Romania, Singapore, Sweden, Taiwan, Ukraine, UK and US.

There were a total of five arrests, 37 searches, 39 servers seized and 221 servers taken offline through abuse notifications.

Europol said the botnet had caused an estimated €6 million in damages in concentrated cyberattacks on online banking systems in Germany alone.

"In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform," it said.

Europol said victims of malware infections were identified in more than 180 countries. "The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked," it said.

Sinkholing redirects traffic between infected computers and a criminal infrastructure to servers controlled by law enforcement authorities or an IT security company. This is achieved by taking control of the domain names or IP addresses used by the criminals.

The Shadowserver Foundation, a non-profit group of security professionals, said Avalanche was a double fast flux content delivery and management platform. Europol described fast flux as an evasion technique used by botnet operators to quickly move a fully qualified domain name from one or more computers connected to the Internet to a different set of computers.

"Its aim is to delay or evade the detection of criminal infrastructure. In the double fast flux set-up, both the domain location and the name server queried for this location are changed," the organisation said.
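As an added illustration, not part of the article or of Europol's material, the following Python heuristic shows how a defender could flag double fast flux in their own DNS resolver logs: per domain it tracks how widely the A records spread across networks, how low the TTL is, and whether the set of authoritative name servers itself changes between lookups. The domain names, addresses, name servers and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of successive lookups of three domains:
# (domain, TTL in seconds, A records returned, NS hosts returned).
LOOKUPS = [
    # Ordinary site: long TTL, one network, same name servers every time.
    ("shop.example", 3600, {"198.51.100.10"}, {"ns1.example", "ns2.example"}),
    ("shop.example", 3600, {"198.51.100.11"}, {"ns1.example", "ns2.example"}),
    # CDN-like or single fast flux: short TTL, many networks, stable NS set.
    ("promo.example", 60, {"192.0.2.5"}, {"ns1.cdn.example", "ns2.cdn.example"}),
    ("promo.example", 60, {"198.51.100.5"}, {"ns1.cdn.example", "ns2.cdn.example"}),
    ("promo.example", 60, {"203.0.113.5"}, {"ns1.cdn.example", "ns2.cdn.example"}),
    # Double fast flux: short TTL, scattered A records AND rotating name servers.
    ("update-bank.example", 120, {"192.0.2.17", "203.0.113.9"}, {"ns.hosta.example"}),
    ("update-bank.example", 180, {"198.51.100.77"}, {"ns.hostb.example"}),
    ("update-bank.example", 120, {"203.0.113.201", "192.0.2.140"}, {"ns.hostc.example"}),
]


def summarise(lookups):
    """Aggregate per-domain indicators from a sequence of lookups."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "ns_sets": set(), "ttl": None})
    for domain, ttl, a_records, ns_hosts in lookups:
        s = per[domain]
        s["ips"] |= a_records
        # Coarse network diversity: first two octets stand in for an ASN lookup,
        # which would be the better signal when an offline ASN database is available.
        s["nets"] |= {".".join(ip.split(".")[:2]) for ip in a_records}
        # Each distinct NS set observed; more than one means the NS layer is moving too.
        s["ns_sets"].add(frozenset(ns_hosts))
        s["ttl"] = ttl if s["ttl"] is None else min(s["ttl"], ttl)
    return per


def classify(stats, max_ttl=300, min_nets=3):
    """Label a domain as stable, single fast flux, or double fast flux."""
    a_flux = stats["ttl"] is not None and stats["ttl"] <= max_ttl and len(stats["nets"]) >= min_nets
    ns_flux = len(stats["ns_sets"]) > 1
    if a_flux and ns_flux:
        return "double fast flux"
    if a_flux:
        return "single fast flux"
    return "stable"


if __name__ == "__main__":
    for domain, stats in summarise(LOOKUPS).items():
        print(f"{domain}: {classify(stats)} (ttl={stats['ttl']}, nets={len(stats['nets'])})")
```

Legitimate CDNs also answer with short TTLs and many networks, so the A-record signals alone produce false positives; the changing NS set is what distinguishes the double flux case, and in practice it should be corroborated with domain age and registrar data before blocking.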

Europol said Avalanche infrastructure had been used since 2009 for conducting malware, phishing and spam activities. "They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims."

Investigations began in 2012 in Germany, after ransomware known as the Windows Encryption Trojan infected computer systems. "Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and e-mail passwords."

The Shadowserver Foundation listed the following families of malware as being served up by the botnet:
Bolek
Citadel
CoreBot
Gozi2
Goznym
KINS/VMZeus
Marcher
Matsnu
Nymaim
Pandabanker
Ranbyus
Rovnix
Smart App
Smoke Loader/Dofoil
TeslaCrypt
Tiny Banker/Tinba
Fake Trusteer App
UrlZone
Vawtrak
Xswkit

Europol said: "In preparation for this joint action, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130 TB of captured data and identified the server structure of the botnet, allowing for the shut-down of thousands of servers and, effectively, the collapse of the entire criminal network.

"The successful takedown of this server infrastructure was supported by Interpol, the Shadowserver Foundation, Registrar of Last Resort, ICANN and domain registries involved in the takedown phase. Interpol has also facilitated the cooperation with domain registries. Several anti-virus partners provided support concerning victim remediation."

[Image: Avalanche double fast flux, simplified diagram]


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
