An enormous, complex criminal network that has begun millions of dollars in damages has been identified and targeted, thanks to a multi-national law enforcement effort announced on Thursday 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office and the Police (Germany) in close collaboration with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Europol, Euro-just and global associates, dismantled an international criminal infrastructure platform known as ‘Avalanche’.
The Avalanche network was used as a distribution platform to unveiling and manage mass global malware attacks and money mule recruiting movements. It has caused an estimated EUR 6 million in damages in concentrated cyber-attacks on online banking systems in Germany alone. In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.
The global effort to take down this network involved the critical support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked. Avalanche is a Double Fast Flux content delivery and management platform designed for the so-called “bullet-proof management of botnets.” Sinkholing was used to destroy the botnet’s activities, which also disrupted malware families including Citadel, VMZeus, the ransomware TeslaCrypt, and Nymaim.
The global distribution of servers used in the Avalanche crime machine. Source: Shadowserver.org
Avalanche has been in operation since 2009. The platform has been utilized for a variety of malware, spam, and phishing campaigns, and over one million emails have been sent as part of phishing campaigns worldwide to potential victims. It’s impressive but it’s clear that gathering evidence and hunting down perpetrators is long and difficult work that functions on occasional sometimes spectacular successes. It’s the latest in a line of botnet busts, including that against Simda in 2015 and the famous action against the rapacious Gameover Zeus network a year earlier. Going back further in time were a number of key botnet take-downs starting with Zotob in 2005 and Waledec in 2010, both aided by Microsoft’s Digital Crimes Unit (DCU), But that history underlines how removing one network paves the way for rival criminals to move into the vacuum left behind. For the police, it’s like a never-ending digital whack-a-mole.
Cybercrime often seems to be a criminal enterprise whose perpetrators live just beyond the reach of the law. The rising number of arrests proves that accountability exists after all. But progress – even with exemplary international co-operation – remains painfully slow.
Built as a criminal cloud-hosting environment that was rented out to scammers, spammers other ne’er-do-wells, Avalanche has been a major source of cybercrime for years. In 2009, when investigators say the fraud network first opened for business, Avalanche was responsible for funneling roughly two-thirds of all phishing attacks aimed at stealing usernames and passwords for bank and e-commerce sites. By 2011, Avalanche was being heavily used by crooks to deploy banking Trojans. The Avalanche botnet infrastructure allowed notorious malware, like the Citadel financial crime malware and TeslaCrypt ransom ware, to operate, such as by locking users out of their files for ransom or enlisting devices into Distributed Denial-of-Service (DDoS) attacks to knock out infrastructure. It used a double fast-flux domain name service, which changes the IP address and name server records every five minutes, to hide the servers.