Law enforcement and internet companies from around the world worked together to shut it down Avalanche, one of the biggest malware networks in cyberspace that have ever been discovered in the last decade.
Their attempts resulted in the arrest of five suspects, 37 server confiscation and the closure of other 221 servers.
According to statements by Europol and his US Department of Justice , the suspects used this infrastructure as a global criminal network that was responsible for spreading and hosting over 20 different malware families, ranging from ransomware up to banking trojans.
This network, to which the authorities had given the nickname "Avalanche(Avalanche), provided by its owners for rent for sending spam, hosting and spreading their malware, hosting and control (C&C) servers, but also to launder profits and stolen funds.
The overall effort has been contributed by researchers from more than 30 countries, law enforcement authorities from various countries including Europol, Eurojust, Interpol, the FBI, the US Department of Justice, organizations and internet companies such as ICANN, Symantec, Shadowserver Foundation, Registrar of Last Resort, and others.
Authorities say more than 800.000 domains used for various malware botnets have been seized or blocked. The large number of domains was because most of the botnets use a technique known as double fast flux DNS (DNS), which goes through a large number of domains per day to hide the position of the botnet's C&C server. .
According to US CERT, the Avalanche network was used to host the following malware families:
Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
URLzone (aka Bebloh)
Citadel
VM-ZeuS (aka KINS)
Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
newGOZ (aka GameOverZeuS)
Tinba (aka TinyBanker)
Nymaim / GozNym
Vawtrak (aka Neverquest)
Marcher
Pandabanker
Ranbyus
Smart App
TeslaCrypt
Trusteer App
Xswkit
According to Symantec , research on the Avalanche network began at the beginning of 2012 when the villains created and spread a ransomware that used a false warning from the police so that they could lock their victims' files and then ask for a ransom.
The name of the ransomware was Ransomlock.P, and appeared at the end of 2011. The German police formally launched the Avalanche survey because ransomware used its name.
German authorities also reported that fraudsters managed to steal over €6.000.000 from German banks alone. Europol estimated that fraudsters using the Avalanche network may have stolen hundreds millions euros worldwide.
Europol also estimates that Avalanche's botnets sent a total of one million spam messages a week. But in addition to bank fraud and spam, the authorities have announced that the Avalanche network was also used to host malware for DDoS attacks.
Researchers believe that over 500.000 users still have computers infected with various types of malware distributed through this network. These users should be aware that while the malware's backend infrastructure is down, the malware is still present on their computers, and they should remove it.
