Partner Perspectives //

bitdefender

12/5/2016
09:35 AM
Bogdan Botezatu
Bogdan Botezatu
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

Avalanche Cybercrime Platform Takedown Leaves A Lot To Clean Up

Help us wipe out the remaining bots and put an end to Avalanche once and for all.

The last day of November was also the last day of activity for one of the largest cybercrime platforms in the world. Dubbed Operation Avalanche, this extremely complex, cross-jurisdiction, cross-industry takedown has finally taken place after almost five years of investigation.

Led by Europol and its global partners, Operation Avalanche has disrupted the command and control of 20 big botnets, including Goznym, Marcher, Dridex, Matsnu, URLZone, XSWKit, and Pandabanker, as well as newer and better known ones such as the Cerber or Teslacrypt families of crypto-ransomware. Throughout its years of operation, the Avalanche cybercrime platform -- which involved more than 500,000 computers every day -- has yielded hundreds of millions of Euros in revenue for its operators.

During the takedown, Europol seized, sinkholed, or blocked over 800,000 Web domains used by malware to call home, confiscated over 30 servers, and put offline more than 220 servers via abuse notification protocols.

As of Dec. 1, all the computers infected with any of these 20 malware families can’t receive commands from cybercriminals. Still, while this operation marks an unprecedented achievement in botnet takedowns, it does not make malware magically disappear from infected computers.

To support the cleanup, Bitdefender has released a free disinfection toolkit that detects and eliminates these 20 malware families.  All you need to do is download it, start a scan, grab a cup of coffee, and let it work its magic. If you have friends or family who use PCs to surf the Web, ask them to run a proactive scan as well. The more computers that get clean, the smaller the chance of the botnet resurfacing from the dead. 

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
12/5/2016 | 11:25:07 AM
Dormant, not Dead
This is an important step since, truth be told, the public can't be 100% assured that everyone who participated in Avalanche was captured.  It's almost guarenteed that one or more are on the loose still.  That means the longer you leave these dormant bots on your system, the more time these individuals have to raise their systems again on another network and start sending commands, receiving information and rebuilding their platform.

Additionally, as long as these bots have been out there hackers who aren't even part of the original Avalanche team have likely obtained the code, reversed engineered it and could potentially leverage their own platform against existing bots.  This is not only possible but a sensible thing for other cybercrime teams out there to try to jump in on, with the key Avalanche players and servers out of commision. 

Don't wait - clean those systems now before the next wave jumps in and takes advantage of the few who feel there's nothing to still be concerned about.
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
7 Ways to Keep DNS Safe
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14337
PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
CVE-2018-14329
PUBLISHED: 2018-07-17
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.
CVE-2018-14331
PUBLISHED: 2018-07-17
An issue was discovered in XiaoCms X1 v20140305. There is a CSRF vulnerability to change the administrator account password via admin/index.php?c=index&a=my.
CVE-2018-14333
PUBLISHED: 2018-07-17
TeamViewer through 13.1.1548 stores a password in Unicode format within TeamViewer.exe process memory between "[00 88] and "[00 00 00]" delimiters, which might make it easier for attackers to obtain sensitive information by leveraging an unattended workstation on which TeamViewer has ...
CVE-2018-14334
PUBLISHED: 2018-07-17
manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file upload because detection of a prohibited file extension simply sets the $errm value, and does not otherwise alter the flow of control. Consequently, one can upload and execute a .php file, a similar issue to CVE-2018-8766.