Avalanche Botnet Comes Tumbling Down In Largest-Ever Sinkholing Operation

800,000 domains seized, sinkholed, or blocked, and five individuals arrested, in international effort to bring down botnet linked to 17 major malware families.

The Avalanche botnet - linked to many of the world's most troublesome ransomware, RATs, and banking Trojans - has been dealt a critical blow in what Europol called today the "largest-ever use of sinkholing to combat botnet infrastructures." Five individuals were arrested and 800,000 domains seized, sinkholed, or blocked in an international takedown operation that began Wednesday.

Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets. It was estimated to involve as many as 500,000 active infected devices worldwide on a daily basis. From the Europol statement:

What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

The double fast-flux technique was what made Avalanche attractive as a communication provider for other botnets - including TeslaCrypt, Nymaim, Rovnix, Qbot, Matsnu, and URLzone - and also what made it effective for securing cybercriminal proceeds.
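Double fast-flux, as the Europol statement describes it, rotates both a domain's A records and the NS records that answer for it, each on short TTLs, so that neither the hosting IPs nor the nameservers stay fixed long enough to be taken down. The following is an added defensive example, not code from the article, Europol, or any of the investigators: a small Python classifier over constructed passive-DNS observations that flags domains showing that churn. All domain names, addresses, TTLs and thresholds are made up for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS style observations: (qname, rtype, rdata, ttl_seconds).
# "cnc.example.test" rotates both its A records (single flux) and its NS
# records (double flux) on short TTLs; "www.example.test" is a stable control.
OBSERVATIONS = [
    ("cnc.example.test", "A",  "198.51.100.10",    60),
    ("cnc.example.test", "A",  "198.51.100.77",    60),
    ("cnc.example.test", "A",  "203.0.113.5",      120),
    ("cnc.example.test", "A",  "203.0.113.200",    60),
    ("cnc.example.test", "A",  "192.0.2.33",       60),
    ("cnc.example.test", "NS", "ns1.flux.test",    180),
    ("cnc.example.test", "NS", "ns2.flux.test",    180),
    ("cnc.example.test", "NS", "ns9.flux.test",    120),
    ("www.example.test", "A",  "192.0.2.1",        3600),
    ("www.example.test", "A",  "192.0.2.1",        3600),
    ("www.example.test", "NS", "ns1.example.test", 86400),
    ("www.example.test", "NS", "ns2.example.test", 86400),
]

def flux_profile(observations):
    """Per domain: distinct A and NS answers seen, plus the smallest TTL per type."""
    profile = defaultdict(lambda: {"A": set(), "NS": set(), "min_ttl": {}})
    for qname, rtype, rdata, ttl in observations:
        if rtype not in ("A", "NS"):
            continue  # other record types do not contribute to the flux signal
        entry = profile[qname]
        entry[rtype].add(rdata)
        entry["min_ttl"][rtype] = min(ttl, entry["min_ttl"].get(rtype, ttl))
    return profile

def classify(observations, min_a=4, min_ns=3, max_ttl=300):
    """Return {domain: 'double-flux' | 'single-flux' | 'stable'} (thresholds are assumptions)."""
    verdicts = {}
    for qname, entry in flux_profile(observations).items():
        # A-record churn alone is single flux; churn in both A and NS is double flux.
        a_flux = len(entry["A"]) >= min_a and entry["min_ttl"].get("A", max_ttl + 1) <= max_ttl
        ns_flux = len(entry["NS"]) >= min_ns and entry["min_ttl"].get("NS", max_ttl + 1) <= max_ttl
        if a_flux and ns_flux:
            verdicts[qname] = "double-flux"
        elif a_flux:
            verdicts[qname] = "single-flux"
        else:
            verdicts[qname] = "stable"
    return verdicts

if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print(f"{domain}: {verdict}")
```

In practice the thresholds need tuning against legitimate CDN and round-robin DNS, which also show many A records but normally keep a stable set of nameservers.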

According to Europol, Avalanche has cost the German banking industry EUR 6 million ($6.4 million USD) in online crime alone. Europol estimates that Avalanche is responsible for monetary losses amounting to hundreds of millions of dollars worldwide, but states that accurate numbers are difficult to come by because there is such a wide variety of malware associated with the botnet.

Avalanche hosted 17 of "the world's most pernicious types of malware," as described by the Department of Justice, the FBI, and the US Attorney of the Western District of Pennsylvania in a joint statement. These malware families include Citadel, Dridex, Vawtrak, TeslaCrypt, Pandabanker, GOZeuS, VM-ZeuS, Ransomlock, Bebloh, and Nymaim. A more complete list can be found in a technical alert released by US-CERT and the FBI today.

The investigation into Avalanche dates back to 2012. Symantec research into the Ransomlock ransomware and a German law enforcement probe into local Bebloh banking Trojan infections united when investigators discovered that the two types of malware were both targeting German speakers and sharing a command-and-control infrastructure. (Symantec described this in a blog post today.) The investigation expanded as other malware families were connected to the same infrastructure.

The Lüneburg, Germany police force and the public prosecutor's office in Verden, Germany led the investigation, working closely with investigators and prosecutors from more than 40 countries, Europol, Eurojust, the FBI, and the DoJ. The German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analyzed over 130 TB of captured data and identified the server structure of the botnet.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...