Authorities Disrupt Massive Malware Management Platform

Thursday, December 01, 2016

Ionut Arghire


Europol this week announced that it managed to disrupt an online platform used for the distribution and management of around 20 malware families, including botnets, banking Trojans, and ransomware.

As part of a four-year-long investigation, Europol and global partners disrupted the international criminal infrastructure platform known as “Avalanche,” which supposedly caused monetary losses of hundreds of millions of Euros. On November 30, authorities arrested 5 individuals as part of this operation and also seized 39 servers.

The sweep, however, was extensive: with help from prosecutors and investigators from 30 countries, 37 premises were searched and a total of over 830,000 domains were seized, sinkholed or blocked. Notifications sent to hosting providers also resulted in 221 servers being taken offline.

Europol didn’t say where the five arrests were made, but it did reveal the list of the 30 involved countries: Armenia, Australia, Austria, Azerbaijan, Belgium, Belize, Bulgaria, Canada, Colombia, Finland, France, Germany, Gibraltar, Hungary, India, Italy, Lithuania, Luxembourg, Moldova, Montenegro, Netherlands, Norway, Poland, Romania, Singapore, Sweden, Taiwan, Ukraine, United Kingdom and United States of America.

In Germany, attacks on online banking systems are believed to have caused an estimated 6 million Euro in damages. The massive malware distribution and management campaign, however, has hit victims in over 180 countries worldwide, and authorities have yet to estimate the exact monetary damages caused by the botnet.

“The global cybercrime market rakes in billions of dollars a year. The Avalanche network alone is estimated to have yielded hundreds of millions, although the exact damage inflicted is almost impossible to establish because of the business ramifications of the network,” Bogdan Botezatu, senior e-threat analyst, Bitdefender, told SecurityWeek.

The Avalanche infrastructure is said to have been used for malware, phishing and spam activities since 2009 and to have been capable of sending over 1 million nefarious emails a week. The Avalanche botnet is said to have had control of over half a million computers around the world on a daily basis. Infected computers could be remotely controlled, could send information to attackers, or both.

Some of the malware families distributed and managed through Avalanche include well-known botnets and banking Trojans, including Bolek, Citadel, GozNym, Nymaim, Marcher, Dridex, Matsnu, URLZone, XSWKit, CoreBot, KBot, Vawtrak, Dofoil (Smoke Loader), Gozi2, Slempo, VMZeus and Panda Banker, along with ransomware families such as Cerber and TeslaCrypt.

The Avalanche network was available to cybercriminals who paid for access to various criminal services, including malware and ransomware distribution, money mule and phishing campaigns. A so-called double fast-flux network (which involves the automatic and frequent changing of IP address records associated with a domain name) was used to protect the platform from disruption and identification.
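As an added illustration (not code from the article or from Europol), the following Python heuristic flags the double fast-flux pattern described above from constructed passive-DNS records: a domain whose A records hop between many addresses on different networks with short TTLs, and whose NS records rotate as well. Domain names, addresses and thresholds are invented for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations: (domain, record type, value, TTL in seconds).
# Domains and addresses are invented for this example (documentation ranges).
OBSERVATIONS = [
    ("shop-update.example", "A", "203.0.113.10", 300),
    ("shop-update.example", "A", "198.51.100.77", 300),
    ("shop-update.example", "A", "192.0.2.45", 180),
    ("shop-update.example", "A", "203.0.113.200", 180),
    ("shop-update.example", "NS", "ns1.fluxy.example", 300),
    ("shop-update.example", "NS", "ns7.fluxy.example", 300),
    ("shop-update.example", "NS", "ns3.fluxy.example", 300),
    ("corp-site.example", "A", "198.51.100.20", 86400),
    ("corp-site.example", "A", "198.51.100.21", 86400),
    ("corp-site.example", "NS", "ns1.corp-site.example", 86400),
    ("corp-site.example", "NS", "ns2.corp-site.example", 86400),
]

def slash16(ip: str) -> str:
    """/16 prefix of an IPv4 address: a coarse proxy for 'hosted on a different network'."""
    return ".".join(str(ip_address(ip)).split(".")[:2])

def flux_profile(observations, max_ttl=600, min_ips=4, min_prefixes=3, min_ns=3):
    """Heuristic fast-flux classification per domain.
    A-record flux: many distinct IPs across several /16s, served with short TTLs.
    Double flux: the domain's NS records rotate as well (the Avalanche pattern).
    Thresholds are illustrative; tune them against your own passive-DNS baseline."""
    per = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ns": set(), "min_ttl": None})
    for domain, rtype, value, ttl in observations:
        d = per[domain]
        if rtype == "A":
            d["ips"].add(value)
            d["prefixes"].add(slash16(value))
            d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        elif rtype == "NS":
            d["ns"].add(value.lower())
    result = {}
    for domain, d in per.items():
        short_ttl = d["min_ttl"] is not None and d["min_ttl"] <= max_ttl
        a_flux = short_ttl and len(d["ips"]) >= min_ips and len(d["prefixes"]) >= min_prefixes
        result[domain] = {
            "a_flux": a_flux,
            "double_flux": a_flux and len(d["ns"]) >= min_ns,
            "distinct_ips": len(d["ips"]), "distinct_prefixes": len(d["prefixes"]),
            "distinct_ns": len(d["ns"]), "min_ttl": d["min_ttl"],
        }
    return result
```

On real data, feed it resolver logs or a passive-DNS export aggregated over a time window; a domain that trips `double_flux` is a candidate for blocking or sinkholing review, not proof on its own, since large CDNs also rotate addresses with short TTLs.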

While the disruption of the platform was successful, the operation didn’t result in the cleaning of the infected computers, and users who believe they might have been infected are advised to take this matter into their own hands.

“Removal is a critical step that victims need to take in order to ensure the extinction of these malware families,” Catalin Cosoi, Chief Security Strategist at Bitdefender, said. Users are encouraged to use one of the available resources to ensure their machines are cleaned of the malware distributed through the botnet.

Several online scanners, disinfection guidance pages, and free clean-up tools are available for this purpose from well-known anti-virus companies such as Avira, Bitdefender, Dr.Web, ESET, F-Secure, Microsoft, Symantec, and others.
