Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/1/2016
05:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Avalanche Botnet Comes Tumbling Down In Largest-Ever Sinkholing Operation

800,000 domains seized, sinkholed, or blocked, and five individuals arrested, in international effort to bring down botnet linked to 17 major malware families.

The Avalanche botnet - linked to many of the world's most troublesome ransomware, RATs, and banking Trojans - has been dealt a critical blow in what Europol called today the "largest-ever use of sinkholing to combat botnet infrastructures." Five individuals were arrested and 800,000 domains seized, sinkholed, or blocked in an international takedown operation that began Wednesday. 

Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets. It was estimated to involve as many as 500,000 active infected devices worldwide on a daily basis. From the Europol statement:

What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

The double-fast flux technique was what made Avalanche attractive as a communication provider for other botnets - including TeslaCrypt, Nymaim, Rovnix, Qbot, Matsnu, and URLzone - and also what made it effective for securing cybercriminal proceeds.

According to Europol, Avalanche has cost the German banking industry EUR 6 million ($6.4 million USD) in online crime alone. Europol estimates that Avalanche is responsible for monetary losses amounting to hundreds of millions of dollars worldwide, but states that accurate numbers are difficult to come by because there is such a wide variety of malware associated with the botnet. 

Avalanche hosted 17 of the "the world’s most pernicious types of malware," as described by the Department of Justice, the FBI, and the US Attorney of the Western District of Pennsylvania in a joint statement. These malware include Citadel, Dridex, Vawtrak, TeslaCrypt, Pandabanker, GOZeuS, VM-ZeuS, Ransomlock, Bebloh, and Nymaim. A more complete list can be found in a technical alert released by US-CERT and the FBI today.

Investigation into Avalanche dates back to 2012. Symantec research into the Ransomlock ransomware and a German law enforcement probe into local Bebloh banking trojan infections united when they discovered that the two types of malware were both targeting German speakers and sharing a command-and-control infrastructure. (Symantec described this in a blog today.) The investigation expanded as other malware were connected to the same infrastructure.

The Luneberg, Germany police force and the public prosecutor's office in Verden, Germany led the investigation, working closely with investigators and prosecutors from more than 40 countries, Europol, Eurojust, the FBI, and the DoJ. The German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analyzed over 130 TB of captured data and identified the server structure of the botnet. 

Related Content:

 

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Strategist
12/5/2016 | 5:06:12 AM
Re: Crypt0L0cker
And as I can see from his driver license (probably fake, but anyway) his origin is Russia.
Nanireko
50%
50%
Nanireko,
User Rank: Apprentice
12/5/2016 | 3:38:21 AM
Avalanche
I do see fewer spam messages with malicious attachments this December. It looks like this operation was really successful. Does anybody else see the decrease in spam emails these days?
kbannan100
50%
50%
kbannan100,
User Rank: Moderator
12/4/2016 | 8:53:51 PM
Re: How Serious a Blow?
Totally agree! If they are truly out of the picture a new gang of criminals is going to pop up -- and soon. If they haven't already! And there are still some pretty nasty malware instances out there. (For instance, the one that took down Dyn using the IoT devices. Read more about that here: bit.ly/2ewIBtW)



People are going to need to be more careful and concentrate on shoring up network security and endpoints -- everything from printers to thermostats to mobile devices.


--Karen Bannan for IDG and HP
ClaireEllison
50%
50%
ClaireEllison,
User Rank: Apprentice
12/4/2016 | 3:52:44 PM
Re: Industry
Excellent article plus its information and I positively bookmark to this site because here I always get an amazing knowledge as I expect.
francois999
50%
50%
francois999,
User Rank: Apprentice
12/4/2016 | 1:47:07 PM
Thank you for the info
I really thank you for the valuable info on this great subject and look forward to more great posts. Thanks a lot for enjoying this beauty article with me. I am appreciating it very much! Looking forward to another great article. Good.

FRANCOIS
Dan Euritt
50%
50%
Dan Euritt,
User Rank: Apprentice
12/4/2016 | 11:13:14 AM
It surely must have helped, but...
Only five people stealing millions of dollars? I wonder how many criminals got away.

Thanks for the article.
Crypt0L0cker
100%
0%
Crypt0L0cker,
User Rank: Strategist
12/2/2016 | 2:01:33 PM
Re: How Serious a Blow?
I guess it's pretty serious  - they got organiser, Hennadiy Kapkanov. He was armed with Kalashnikov, dangerous and had different shoes :)
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
12/2/2016 | 3:55:28 AM
How Serious a Blow?
I have to wonder if the blow dealt was as serious as reported.  Don't get me wrong, this is a successful operation regardless and sets the stage for future ones (which there will have to be).  But Avalanche isn't just a small group and when it went "quiet" we were probably watching evolution, not the disappearance of the syndicate; this botnet may even have been an acceptable loss.  What should be happening now is the analysis of the infrastructure to understand how Avalanche evolved and into what.  You don't accomplish as much as this syndicate did and simply go belly up after a raid like this.  It's also worth noting timelines in terms of how many years this threat existed before this large raid hit.  Something's wrong with your security offensive procedures when you're stuck with a series of "legal" raids that either go nowhere or pull small fish from the pond, and you need to pull together a global task force to get anywhere ("legally").  We just can't assume the threat is completely contained from this group.     
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13640
PUBLISHED: 2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
CVE-2019-5222
PUBLISHED: 2019-07-17
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...