Law enforcement and Internet companies from around the world have worked together to close Avalanche, one of the largest malware networks in cyberspace ever discovered over the last decade.
Their attempts resulted in the arrest of five suspects, 37 server confiscation and the closure of other 221 servers.
According to statements by Europol and his US Department of Justice , the suspects used this infrastructure as a global criminal network responsible for spreading and hosting over 20 different malware families, ranging from ransomware to banking Trojans.
This network, to which the authorities had given the nickname "Avalanche(Avalanche), provided by its owners for rent for sending spam, hosting and spreading their malware, hosting and control (C&C) servers, but also to launder profits and stolen funds.
The overall effort has been contributed by researchers from more than 30 countries, law enforcement authorities from various countries including Europol, Eurojust, Interpol, the FBI, the US Department of Justice, organizations and internet companies such as ICANN, Symantec, Shadowserver Foundation, Registrar of Last Resort, and others.
Authorities reported that more than 800.000 domains used for various malware botnets were seized or blocked. The large number of domains was because most of the botnets use a technique known as double fast flux DNS, which goes through a large number of domains per day to hide the location of the C&C server botnet of.
According to US CERT, the Avalanche network was used to host the following malware families:
Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
URLzone (aka Bebloh)
Citadel
VM-ZeuS (aka KINS)
Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
newGOZ (aka GameOverZeuS)
Tinba (aka TinyBanker)
Nymaim / GozNym
Vawtrak (aka Neverquest)
Marcher
Pandabanker
Ranbyus
Smart App
TeslaCrypt
Trusteer App
Xswkit
According to Symantec , research on the Avalanche network began at the beginning of 2012 when the villains created and spread a ransomware that used a false warning from the police so that they could lock their victims' files and then ask for a ransom.
The name of the ransomware was Ransomlock.P, and appeared at the end of 2011. The German police formally launched the Avalanche survey because ransomware used its name.
The German authorities also reported that crooks managed to steal more than € 6.000.000 from the German banks alone. Europol is estimated that fraudsters who have used the Avalanche network may have stolen hundreds of millions of euros around the world.
Europol also estimated that the Avalanche botnets sent a total of one million spam messages per week. But in addition to bank fraud and spam, authorities said the Avalanche network was also used to host malware for DDoS attacks.
Researchers believe that over 500.000 users still have infected computers with various types of malware distributed through this network. These users should be aware that while the malware backend infrastructure is down, malware still exists on their computers, and they should be removed.
