Avalanche Botnet Shut Down

• Author
• Recent Posts

DavidBalaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Latest posts by DavidBalaban (see all)

• Returning Net Neutrality: How to Fix the Internet with Blockchain Technologies - April 17, 2018
• Learn How You Can Earn Bitcoins in a Good Way and How Hackers Earn Them in Bad Ways - February 24, 2018
• Avalanche Botnet Shut Down - December 2, 2016

Europol, FBI and law enforcement agencies from more than 30 countries put a major botnet offline on December the 1st. The Avalanche botnet was used by cybercriminals to spread banking Trojans and Crypt0L0cker ransomware. The Avalanche botnet consisted of around 500,000 infected computers.

According to Europol, attacking the German banks, the botnet caused more than 6 million Euros in loses. Worldwide damage is still unclear but Europol estimates it may be hundreds of millions of Euros.

To shut down the criminal network, more than 830,000 domains were taken offline simultaneously. These domains were used by the malware operators to communicate with infected computers. The botnet, which first appeared in 2009, consisted of 600 command and control servers worldwide and was used to host 800,000+ domains simultaneously.

Cybercriminals from different countries could rent Avalanche servers and use it to launch their own malware campaigns. At its peak, the network was used to host many different types of malware, such as Citadel, Goznym, Virut, Rovnix, and Vawtrack. 500,000 of infected computers were used daily to distribute those viruses. The botnet consisted primarily of Windows computers and Android phones.

Using the fast-flux DNS technique, the Avalanche administrators could quickly change the IP addresses and name-servers, making it difficult to trace the location of the server. Despite the use of this tactic, the investigators still managed to map the infrastructure of the botnet.

The international investigation began four years ago in Germany after the Crypt0L0cker ransomware had infected a large number of computers in the country. Security companies such as Symantec were involved in the investigation.

The Avalanche operators worked closely with so-called money mules. People called money mules made their accounts available to criminals for receiving and forwarding stolen money.

In total, 5 people were arrested, 39 servers confiscated 221 servers taken offline. Infections were found in more than 180 countries.