December 5, 2016
An international team of law enforcement agencies and security firms has just taken down “Avalanche,” a botnet infrastructure that had been used for phishing attacks and for distributing at least 17 different malware families since at least late 2009. The team took more than 221 servers offline, took down more than 800,000 domain names used by Avalanche, and conducted searches and arrests in five countries, according to a statement released by the FBI and the U.S. Department of Justice. Avalanche malware affected victims in over 180 countries.
Ars Technica reports that “the operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale.” The botnet is “estimated to have spanned over hundreds of thousands of compromised computers around the world.”
The U.S. portion of the takedown was handled by the U.S. Attorney’s Office for the Western District of Pennsylvania and the FBI’s Pittsburgh field office. The joint FBI/DOJ statement indicates that “The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network.”
As far back as 2010, an Anti-Phishing Working Group report stated that Avalanche was “the world’s most prolific phishing gang,” and that its botnet was “responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697).” The Group’s report details that, “during that time, it targeted more than 40 major financial institutions, online services, and job search providers.”
In December 2009, it used 959 domains to spoof emails from financial institutions, including USAA (a bank largely serving U.S. military personnel and veterans) and HSBC. More than half of those domains were live for less than 12 hours. That “programmatic churning through domains” is why last week’s takedown involved some 800,000 domain names: the gang registered and abandoned names faster than any blocklist could track them.
The Shadowserver Foundation, a non-profit organization of security professionals that assisted in the takedown, described Avalanche as a “Double Fast Flux” botnet. In fast-flux hosting, the A record for a single DNS name points at a constantly rotating set of compromised machines acting as proxies for the real back-end: each node is registered as the address for the name and then quickly de-registered in favor of another. In the “double” variant the domain’s authoritative name servers (its NS records) rotate through compromised hosts in the same way, so there is no stable IP address to block at either layer.
The destination addresses for a DNS record “often change as quickly as once every 5 minutes, and can cycle through hundreds or thousands of IP addresses.” The complexity of Avalanche, operated by a “criminal infrastructure in 30 countries and U.S. states … required unprecedented levels of effective international partnership,” said a Shadowserver Foundation spokesperson.
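The fast-flux behaviour described above can be spotted in passive-DNS data without knowing anything about the malware itself. The following is an added example, not code from the article or from the Shadowserver Foundation: it builds a small constructed observation log (RFC 5737 documentation addresses and reserved .example names, not a real capture) and scores each name on the features that separate flux from ordinary short-TTL hosting: how many distinct addresses and distinct /16 networks the A records cycle through, and whether the NS records churn too. The thresholds, the /16 aggregation standing in for an ASN lookup, and the domain names are all assumptions chosen for illustration.

```python
"""Toy single-/double-flux detector over a constructed passive-DNS log.

Each observation is (unix_time, qname, rtype, rdata, ttl), the shape of record a
passive-DNS sensor emits. Fast flux shows up as many distinct A records with
short TTLs spread across unrelated networks; double flux adds the same churn
in the zone's NS records. A short TTL alone is not evidence: CDNs and load
balancers use them too, so the benign sample below has TTL 60 and still passes.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import median


@dataclass(frozen=True)
class Obs:
    ts: int       # unix seconds when the answer was observed
    qname: str    # name that was queried
    rtype: str    # "A" or "NS"
    rdata: str    # IPv4 address (A) or name-server host name (NS)
    ttl: int      # TTL carried in the answer


def _build(qname, a_series, ns_series, a_ttl, ns_ttl, step):
    """Expand an address list and an NS list into one observation every `step` seconds."""
    obs = [Obs(i * step, qname, "A", ip, a_ttl) for i, ip in enumerate(a_series)]
    obs += [Obs(i * step, qname, "NS", ns, ns_ttl) for i, ns in enumerate(ns_series)]
    return obs


# Constructed sample log (assumption, not real data): three names observed over
# half an hour, one per flux type plus one ordinary short-TTL web host.
SAMPLE = (
    _build("secure-login-bank.example",            # A and NS records both rotate
           ["192.0.2.19", "198.51.100.7", "203.0.113.44",
            "192.0.2.77", "198.51.100.200", "203.0.113.9"],
           ["ns1.secure-login-bank.example", "ns7.secure-login-bank.example",
            "ns3.secure-login-bank.example", "ns9.secure-login-bank.example"],
           a_ttl=300, ns_ttl=600, step=300)
    + _build("update-track.example",               # A records rotate, NS stable
             ["203.0.113.5", "192.0.2.130", "198.51.100.66",
              "203.0.113.201", "192.0.2.8"],
             ["ns1.dnshost.example", "ns2.dnshost.example"] * 2,
             a_ttl=180, ns_ttl=86400, step=300)
    + _build("www.shop.example",                   # short TTL, but two hosts in one network
             ["192.0.2.10", "192.0.2.11"] * 3,
             ["ns1.dnshost.example", "ns2.dnshost.example"] * 2,
             a_ttl=60, ns_ttl=86400, step=300)
)


def profile(observations):
    """Aggregate per-name features from a list of Obs."""
    by_name = defaultdict(lambda: {"A": [], "NS": []})
    for o in observations:
        by_name[o.qname][o.rtype].append(o)
    out = {}
    for name, recs in by_name.items():
        ips = {o.rdata for o in recs["A"]}
        # /16 aggregation approximates "different networks, different owners";
        # a production detector would map each address to its ASN instead.
        prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
        nses = {o.rdata.lower() for o in recs["NS"]}
        out[name] = {
            "distinct_a": len(ips),
            "distinct_prefixes": len(prefixes),
            "median_a_ttl": median(o.ttl for o in recs["A"]) if recs["A"] else None,
            "distinct_ns": len(nses),
            "median_ns_ttl": median(o.ttl for o in recs["NS"]) if recs["NS"] else None,
        }
    return out


def classify(f, min_ips=5, min_prefixes=3, max_ttl=600, min_ns=3):
    """Return 'double-flux', 'single-flux' or 'benign' for one name's feature dict.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    a_flux = (f["distinct_a"] >= min_ips
              and f["distinct_prefixes"] >= min_prefixes
              and f["median_a_ttl"] is not None and f["median_a_ttl"] <= max_ttl)
    ns_flux = (f["distinct_ns"] >= min_ns
               and f["median_ns_ttl"] is not None and f["median_ns_ttl"] <= max_ttl)
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "benign"


def classify_log(observations):
    """Map every name in the log to its flux label."""
    return {name: classify(feat) for name, feat in profile(observations).items()}


if __name__ == "__main__":
    for name, label in classify_log(SAMPLE).items():
        print(f"{name:32s} {label}")
```

The benign entry is the important caveat: a TTL of 60 seconds on its own looks just like flux, which is why the detector insists on address diversity across networks before it will label anything. Requiring churn in the NS records as well is what distinguishes the double-flux case Shadowserver described from a single-flux proxy layer sitting behind ordinary hosted name servers.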
Presidential Commission Sounds Warning Over Botnet Threat, The Wall Street Journal, 12/3/16