Law enforcement organizations from around the world have co-ordinated in an operation to takedown the global botnet known as Avalanche.
The operation to takedown the Avalanche botnet and its associated criminal infrastructure, was formally revealed on Dec. 1 and involved four years of investigation and co-operation between the U.S Federal Bureau of Investigation (FBI) and Europol, as well as prosecutors in over 30 countries.
According to Europol, Avalanche is responsible for malware infections in more than 180 countries and is estimated to infect up to 500,00 systems globally every day. The Avalanche botnet was first reported on by eWEEK in 2010, when it was identified by the Anti-Phishing Working Group (APWG) as a leading source of phishing attacks.
“The Avalanche network, which has been operating since at least 2010, is estimated to involve hundreds of thousands of infected computers worldwide,” the U.S Department of Justice stated. “The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network.”
The global effort to takedown the Avalanche network so far has involved the arrest of 5 individuals and the seizure of 39 servers, according to Europol. The total scope of the Avalanche takedown operation is vast, with more than 800,000 internet domains involved that are now being either seized, sinkholed or blocked in an effort to protect users worldwide. With a sinkhole, users are redirected to servers controlled by law enforcement.
As to why it was so difficult and took so many years for law enforcement to disable the Avalanche network, part of the reason is because of the sophisticated methods used by the botnet. The Avalanche network made use of what is known as a double fast flux technique, which is what helped it to evade law enforcement efforts at takedowns.
A botnet is a collection of compromised systems that an attacker controls through a command and control system to attack other users and sites on the Internet. Fast flux is a technique that abuses the Domain Name System (DNS) to hide the source of an attack.
The way DNS is supposed to work DNS resolver is supposed to refer a domain name to a specific IP address. With fast flux, attackers link multiple sets of IP addresses to a given domain name and swap new addresses in and out of the DNS records in an attempt to evade detection.
Among the organizations that worked on the Avalanche takedown is the Shadowserver Foundation which helped to build the sinkhole infrastructure needed for Avalanche. Though blocking and sinkholing malicious domains helps, users are still at some risk.
“While the sinkholed victims are now hopefully shielded from direct exploitation by this group of criminals, they are still infected with one or more families of malware and likely to be vulnerable to others,” the Shadowserver Foundation stated. “Law enforcement have worked with security companies globally to build disinfection tools and have provided an array of links to solutions that will enhance the protection of end users.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist