Over 800,00 domains have been seized, sinkholed or blocked in global effort to takedown Avalanche botnet that was infecting up to 500,000 users every day.
Law enforcement organizations from around the world have co-ordinated in an operation to take down the global botnet known as Avalanche. The operation to takedown the Avalanche botnet and its associated criminal infrastructure, was formally revealed on December 1 and involved four years of investigation and co-operation between the U.S Federal Bureau of Investigation (FBI) and Europol, as well as prosecutors in over 30 countries.
According to Europol, Avalanche is responsible for malware infections in over 180 countries and is estimated to infect up to 500,00 system globally every day. The Avalanche botnet was first reported on by eWEEK in 2010, when it was identified by the Anti-Phishing Working Group (APWG) as a leading source of phishing attacks.
“The Avalanche network, which has been operating since at least 2010, is estimated to involve hundreds of thousands of infected computers worldwide,” the U.S Department of Justice stated. “The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network.”
The global effort to takedown the Avalanche network so far has involved the arrest of 5 individuals and the seizure of 39 servers, according to Europol. The total scope of the Avalanche takedown operation is vast, with over 800,000 internet domains involved that are now being either seized, sinkholed or blocked in an effort to protect users worldwide. With a sinkhole, users are redirected to servers controlled by law enforcement.
As to why it was so difficult and took so many years for the Avalanche network to be disabled by law enforcement, part of the reason is because of the sophisticated methods used by the botnet. The Avalanche network made use of what is known as a double fast flux technique, which is what helped it to evade law enforcement efforts at takedowns.
A botnet is a collection of compromised systems that an attacker controls through a command and control system to attack other users and sites on the Internet. Fast flux is a technique that abuses the Domain Name System (DNS) to hide the source of an attack. The way DNS is supposed to work is a domain name is referenced in a DNS resolver to forward to a specific IP address. With fast flux, attackers link multiple sets of IP addresses to a given domain name and swap new addresses in and out of the DNS records in an attempt to evade detection.
Among the organizations that worked on the Avalanche takedown is the Shadowserver Foundation which helped to build the sinkhole infrastructure needed for Avalanche. Though blocking and sinkholing malicious domains helps, users are still at some risk.
“While the sinkholed victims are now hopefully shielded from direct exploitation by this group of criminals – they are still infected with one or more families of malware and likely to be vulnerable to others,” the Shadowserver Foundation stated. “Law enforcement have worked with security companies globally to build disinfection tools and have provided an array of links to solutions that will enhance the protection of end users.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist
