Law enforcement and Internet companies from around the world have worked together to close Avalanche, one of the largest malware networks in cyberspace ever discovered over the last decade.
Their attempts resulted in the arrest of five suspects, 37 server confiscation and the closure of other 221 servers.
According to statements by Europol and his US Department of Justice , suspects used this infrastructure as a global criminal network that was responsible for spreading and hosting over 20 different malware families ranging from ransomware to bank trojans.
This network, to which the authorities had given the nickname "Avalanche“(Avalanche), was provided by its owners for rent for spamming, receptionand spreading their malware, command and control (C&C) servers, but also to launder profits and stolen funds.
The overall effort has been contributed by researchers from more than 30 countries, law enforcement authorities from various countries including Europol, Eurojust, Interpol, the FBI, the US Department of Justice, organizations and internet companies such as ICANN, Symantec, Shadowserver Foundation, Registrar of Last Resort, and others.
Authorities said more than 800.000 were seized, or blocked domains which was used for various malware botnets. Ο μεγάλος αριθμός των domains ήταν επειδή τα περισσότερα από τα botnets χρησιμοποιούν μια technique γνωστή ως διπλή γρήγορη ροή DNS (double fast flux DNS), η οποία περνά μέσα από ένα μεγάλο αριθμό domains ανά ημέρα για να κρύψει τη θέση του C&C server του botnet του.
According to US CERT, the Avalanche network was used to host the following malware families:
Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
URLzone (aka Bebloh)
Citadel
VM-ZeuS (aka KINS)
Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
newGOZ (aka GameOverZeuS)
Tinba (aka TinyBanker)
Nymaim / GozNym
Vawtrak (aka Neverquest)
Marcher
Pandabanker
Ranbyus
Smart App
TeslaCrypt
Trusteer App
Xswkit
According to Symantec , research on the Avalanche network began at the beginning of 2012 when the villains created and spread a ransomware that used a false warning from the police so that they could lock their victims' files and then ask for a ransom.
The name of the ransomware was Ransomlock.P, and appeared at the end of 2011. The German police formally launched the Avalanche survey because ransomware used its name.
The German authorities also reported that crooks managed to steal more than € 6.000.000 from the German banks alone. Europol is estimated that fraudsters who have used the Avalanche network may have stolen hundreds of millions of euros around the world.
Europol also estimates that Avalanche's botnets sent a total of one million spam messages a week. But in addition to bank fraud and spam, the authorities have announced that the Avalanche network was also used to host malware for DDoS attacks.
Researchers believe that over 500.000 users still have infected computers with various types of malware distributed through this network. These users should be aware that while the malware backend infrastructure is down, malware still exists on their computers, and they should be removed.
