Threat Intelligence

12/1/2016
05:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Avalanche Botnet Comes Tumbling Down In Largest-Ever Sinkholing Operation

800,000 domains seized, sinkholed, or blocked, and five individuals arrested, in international effort to bring down botnet linked to 17 major malware families.

The Avalanche botnet - linked to many of the world's most troublesome ransomware, RATs, and banking Trojans - has been dealt a critical blow in what Europol called today the "largest-ever use of sinkholing to combat botnet infrastructures." Five individuals were arrested and 800,000 domains seized, sinkholed, or blocked in an international takedown operation that began Wednesday. 

Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets. It was estimated to involve as many as 500,000 active infected devices worldwide on a daily basis. From the Europol statement:

What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

The double-fast flux technique was what made Avalanche attractive as a communication provider for other botnets - including TeslaCrypt, Nymaim, Rovnix, Qbot, Matsnu, and URLzone - and also what made it effective for securing cybercriminal proceeds.

According to Europol, Avalanche has cost the German banking industry EUR 6 million ($6.4 million USD) in online crime alone. Europol estimates that Avalanche is responsible for monetary losses amounting to hundreds of millions of dollars worldwide, but states that accurate numbers are difficult to come by because there is such a wide variety of malware associated with the botnet. 

Avalanche hosted 17 of the "the world’s most pernicious types of malware," as described by the Department of Justice, the FBI, and the US Attorney of the Western District of Pennsylvania in a joint statement. These malware include Citadel, Dridex, Vawtrak, TeslaCrypt, Pandabanker, GOZeuS, VM-ZeuS, Ransomlock, Bebloh, and Nymaim. A more complete list can be found in a technical alert released by US-CERT and the FBI today.

Investigation into Avalanche dates back to 2012. Symantec research into the Ransomlock ransomware and a German law enforcement probe into local Bebloh banking trojan infections united when they discovered that the two types of malware were both targeting German speakers and sharing a command-and-control infrastructure. (Symantec described this in a blog today.) The investigation expanded as other malware were connected to the same infrastructure.

The Luneberg, Germany police force and the public prosecutor's office in Verden, Germany led the investigation, working closely with investigators and prosecutors from more than 40 countries, Europol, Eurojust, the FBI, and the DoJ. The German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analyzed over 130 TB of captured data and identified the server structure of the botnet. 

Related Content:

 

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Strategist
12/5/2016 | 5:06:12 AM
Re: Crypt0L0cker
And as I can see from his driver license (probably fake, but anyway) his origin is Russia.
Nanireko
50%
50%
Nanireko,
User Rank: Apprentice
12/5/2016 | 3:38:21 AM
Avalanche
I do see fewer spam messages with malicious attachments this December. It looks like this operation was really successful. Does anybody else see the decrease in spam emails these days?
kbannan100
50%
50%
kbannan100,
User Rank: Apprentice
12/4/2016 | 8:53:51 PM
Re: How Serious a Blow?
Totally agree! If they are truly out of the picture a new gang of criminals is going to pop up -- and soon. If they haven't already! And there are still some pretty nasty malware instances out there. (For instance, the one that took down Dyn using the IoT devices. Read more about that here: bit.ly/2ewIBtW)



People are going to need to be more careful and concentrate on shoring up network security and endpoints -- everything from printers to thermostats to mobile devices.


--Karen Bannan for IDG and HP
ClaireEllison
50%
50%
ClaireEllison,
User Rank: Apprentice
12/4/2016 | 3:52:44 PM
Re: Industry
Excellent article plus its information and I positively bookmark to this site because here I always get an amazing knowledge as I expect.
francois999
50%
50%
francois999,
User Rank: Apprentice
12/4/2016 | 1:47:07 PM
Thank you for the info
I really thank you for the valuable info on this great subject and look forward to more great posts. Thanks a lot for enjoying this beauty article with me. I am appreciating it very much! Looking forward to another great article. Good.

FRANCOIS
Dan Euritt
50%
50%
Dan Euritt,
User Rank: Apprentice
12/4/2016 | 11:13:14 AM
It surely must have helped, but...
Only five people stealing millions of dollars? I wonder how many criminals got away.

Thanks for the article.
Crypt0L0cker
100%
0%
Crypt0L0cker,
User Rank: Strategist
12/2/2016 | 2:01:33 PM
Re: How Serious a Blow?
I guess it's pretty serious  - they got organiser, Hennadiy Kapkanov. He was armed with Kalashnikov, dangerous and had different shoes :)
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
12/2/2016 | 3:55:28 AM
How Serious a Blow?
I have to wonder if the blow dealt was as serious as reported.  Don't get me wrong, this is a successful operation regardless and sets the stage for future ones (which there will have to be).  But Avalanche isn't just a small group and when it went "quiet" we were probably watching evolution, not the disappearance of the syndicate; this botnet may even have been an acceptable loss.  What should be happening now is the analysis of the infrastructure to understand how Avalanche evolved and into what.  You don't accomplish as much as this syndicate did and simply go belly up after a raid like this.  It's also worth noting timelines in terms of how many years this threat existed before this large raid hit.  Something's wrong with your security offensive procedures when you're stuck with a series of "legal" raids that either go nowhere or pull small fish from the pond, and you need to pull together a global task force to get anywhere ("legally").  We just can't assume the threat is completely contained from this group.     
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.