Tech by VICE

Authorities Just Shut Down One of the World’s Largest Malware Networks

More than 800,000 domains were seized, sinkholed, or blocked in 'Operation Avalanche', an effort by law enforcement authorities and researchers in 30 countries.

by Andrada Fiscutean
Dec 1 2016, 11:08pm

Image: Tristan Schmurr/Flickr/CC-By-2.0

One of the largest botnet infrastructures in the world was finally dismantled in a joint effort by law-enforcement authorities and cybersecurity researchers in 30 countries. Over 800,000 domains have been seized, sinkholed or blocked in "Operation Avalanche," as the law-enforcement sting was known. A total of 39 servers have been seized, eight of them located in Romania. Another 221 have been taken offline.

Victims attacked using the Avalanche infrastructure have lost hundreds of millions of dollars, according to estimates by Europol, the European Union's law enforcement agency. Over 40 major financial institutions have been targeted, CERT-US announced.

During the past seven years, criminal groups conducted malware distribution, phishing and spam campaigns using this infrastructure. Every week there were over a million malicious emails sent to people all around the world.


The botnet "was estimated to involve as many as 500,000 infected computers worldwide on a daily basis," Europol said. "The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns."

Twenty different malware families were hosted on the infrastructure, among them GozNym, Marcher, Dridex, Matsnu, URLZone, XSWKit, Pandabanker, Cerber and Teslacrypt.

Fernando Ruiz, the head of operations at Europol's Cybercrime Center, told The Associated Press that five suspects have been arrested. "We have arrested the top, the head of the snake," Ruiz said, adding that the Avalanche infrastructure is "the perfect example of crime as a service."

Law enforcement had been working for four years to take down the botnet. It all started in 2012 in Germany, where Symantec and the local police were investigating two different trojans and discovered that the two malware families shared the same network infrastructure.

The German police learned that millions of computers were infected. Attackers had harvested sensitive data such as online banking and email credentials, and transferred money out of the victims' accounts. The loss is estimated at 6 million euros (6.4 million USD) in Germany alone.

The Avalanche infrastructure used a technique called double fast flux, meant to delay and evade detection: a large number of rapidly changing IP addresses was associated with a single domain name, so that blocking any one address did little to disrupt the network.
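The fast-flux pattern described above, as an added example that is not part of the article: a defender-side heuristic over passive-DNS style observations that flags domains whose A records cycle through many unrelated networks with short TTLs, while a domain that stays within one network with long TTLs is left alone. The domain names, addresses and TTLs are constructed, and the thresholds are assumptions rather than Avalanche indicators.

```python
"""Fast-flux heuristic over constructed passive-DNS observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    domain: str
    ts: int    # seconds since start of capture (constructed)
    ip: str    # A record returned in the answer
    ttl: int   # TTL carried by that answer


# Constructed sample: one flux-like domain rotating through three unrelated
# /16 networks with short TTLs, one ordinary domain staying in a single range.
SAMPLE = [
    Observation("flux-example.test", 0, "198.51.100.7", 150),
    Observation("flux-example.test", 300, "203.0.113.22", 120),
    Observation("flux-example.test", 600, "192.0.2.91", 180),
    Observation("flux-example.test", 900, "198.51.100.40", 150),
    Observation("flux-example.test", 1200, "203.0.113.8", 100),
    Observation("static-example.test", 0, "192.0.2.10", 86400),
    Observation("static-example.test", 3600, "192.0.2.11", 86400),
]


def summarize(observations):
    """Per domain: distinct IPs, distinct /16 networks and mean TTL."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    stats = {}
    for domain, rows in by_domain.items():
        ips = {r.ip for r in rows}
        nets = {ip_network(f"{r.ip}/16", strict=False) for r in rows}
        mean_ttl = sum(r.ttl for r in rows) / len(rows)
        stats[domain] = {"ips": len(ips), "nets": len(nets), "mean_ttl": mean_ttl}
    return stats


def is_fast_flux(stats, min_ips=4, min_nets=3, max_ttl=300):
    """Assumed thresholds: many IPs, spread over several networks, short TTLs."""
    return stats["ips"] >= min_ips and stats["nets"] >= min_nets and stats["mean_ttl"] <= max_ttl


def flag_domains(observations):
    """Return the sorted list of domains that match the fast-flux heuristic."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))
```

In practice the observations would come from a resolver log or passive-DNS feed, and the thresholds would be tuned against known CDN and load-balanced domains to keep the false-positive rate down.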

Cybersecurity companies are now focusing on cleaning the computers that had been part of the Avalanche botnet. Bitdefender, Symantec, ESET, F-Secure and Microsoft are among those who offer free tools.

Operation Avalanche is just the beginning, said Catalin Cosoi, Chief Security Researcher at Bitdefender, a Romania-based company that was part of the investigation. "We will witness several other massive takedown operations such as Avalanche during 2017," Cosoi said (translated from Romanian).

Operation Avalanche was carried out by Public Prosecutor's Office Verden and the Lüneburg Police (Germany) together with the United States Attorney's Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust, and cybersecurity companies.
