Threat Intelligence
12/1/2016
05:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Avalanche Botnet Comes Tumbling Down In Largest-Ever Sinkholing Operation

800,000 domains seized, sinkholed, or blocked, and five individuals arrested, in international effort to bring down botnet linked to 17 major malware families.

The Avalanche botnet - linked to many of the world's most troublesome ransomware, RATs, and banking Trojans - has been dealt a critical blow in what Europol called today the "largest-ever use of sinkholing to combat botnet infrastructures." Five individuals were arrested and 800,000 domains seized, sinkholed, or blocked in an international takedown operation that began Wednesday. 

Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets. It was estimated to involve as many as 500,000 active infected devices worldwide on a daily basis. From the Europol statement:

What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

The double-fast flux technique was what made Avalanche attractive as a communication provider for other botnets - including TeslaCrypt, Nymaim, Rovnix, Qbot, Matsnu, and URLzone - and also what made it effective for securing cybercriminal proceeds.

According to Europol, Avalanche has cost the German banking industry EUR 6 million ($6.4 million USD) in online crime alone. Europol estimates that Avalanche is responsible for monetary losses amounting to hundreds of millions of dollars worldwide, but states that accurate numbers are difficult to come by because there is such a wide variety of malware associated with the botnet. 

Avalanche hosted 17 of the "the world’s most pernicious types of malware," as described by the Department of Justice, the FBI, and the US Attorney of the Western District of Pennsylvania in a joint statement. These malware include Citadel, Dridex, Vawtrak, TeslaCrypt, Pandabanker, GOZeuS, VM-ZeuS, Ransomlock, Bebloh, and Nymaim. A more complete list can be found in a technical alert released by US-CERT and the FBI today.

Investigation into Avalanche dates back to 2012. Symantec research into the Ransomlock ransomware and a German law enforcement probe into local Bebloh banking trojan infections united when they discovered that the two types of malware were both targeting German speakers and sharing a command-and-control infrastructure. (Symantec described this in a blog today.) The investigation expanded as other malware were connected to the same infrastructure.

The Luneberg, Germany police force and the public prosecutor's office in Verden, Germany led the investigation, working closely with investigators and prosecutors from more than 40 countries, Europol, Eurojust, the FBI, and the DoJ. The German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analyzed over 130 TB of captured data and identified the server structure of the botnet. 

Related Content:

 

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Apprentice
12/5/2016 | 5:06:12 AM
Re: Crypt0L0cker
And as I can see from his driver license (probably fake, but anyway) his origin is Russia.
Nanireko
50%
50%
Nanireko,
User Rank: Apprentice
12/5/2016 | 3:38:21 AM
Avalanche
I do see fewer spam messages with malicious attachments this December. It looks like this operation was really successful. Does anybody else see the decrease in spam emails these days?
kbannan100
50%
50%
kbannan100,
User Rank: Apprentice
12/4/2016 | 8:53:51 PM
Re: How Serious a Blow?
Totally agree! If they are truly out of the picture a new gang of criminals is going to pop up -- and soon. If they haven't already! And there are still some pretty nasty malware instances out there. (For instance, the one that took down Dyn using the IoT devices. Read more about that here: bit.ly/2ewIBtW)



People are going to need to be more careful and concentrate on shoring up network security and endpoints -- everything from printers to thermostats to mobile devices.


--Karen Bannan for IDG and HP
ClaireEllison
50%
50%
ClaireEllison,
User Rank: Apprentice
12/4/2016 | 3:52:44 PM
Re: Industry
Excellent article plus its information and I positively bookmark to this site because here I always get an amazing knowledge as I expect.
francois999
50%
50%
francois999,
User Rank: Apprentice
12/4/2016 | 1:47:07 PM
Thank you for the info
I really thank you for the valuable info on this great subject and look forward to more great posts. Thanks a lot for enjoying this beauty article with me. I am appreciating it very much! Looking forward to another great article. Good.

FRANCOIS
Dan Euritt
50%
50%
Dan Euritt,
User Rank: Apprentice
12/4/2016 | 11:13:14 AM
It surely must have helped, but...
Only five people stealing millions of dollars? I wonder how many criminals got away.

Thanks for the article.
Crypt0L0cker
100%
0%
Crypt0L0cker,
User Rank: Apprentice
12/2/2016 | 2:01:33 PM
Re: How Serious a Blow?
I guess it's pretty serious  - they got organiser, Hennadiy Kapkanov. He was armed with Kalashnikov, dangerous and had different shoes :)
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
12/2/2016 | 3:55:28 AM
How Serious a Blow?
I have to wonder if the blow dealt was as serious as reported.  Don't get me wrong, this is a successful operation regardless and sets the stage for future ones (which there will have to be).  But Avalanche isn't just a small group and when it went "quiet" we were probably watching evolution, not the disappearance of the syndicate; this botnet may even have been an acceptable loss.  What should be happening now is the analysis of the infrastructure to understand how Avalanche evolved and into what.  You don't accomplish as much as this syndicate did and simply go belly up after a raid like this.  It's also worth noting timelines in terms of how many years this threat existed before this large raid hit.  Something's wrong with your security offensive procedures when you're stuck with a series of "legal" raids that either go nowhere or pull small fish from the pond, and you need to pull together a global task force to get anywhere ("legally").  We just can't assume the threat is completely contained from this group.     
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.