Police Shut Down Global Cybercriminal Fraud Service

'Avalanche' Provided Support for Malware Distribution

Law enforcement officials in the U.S., Europe and Asia say they've dismantled a resilient network rented by cybercriminals in order to infect tens of millions of computers with code that stole bank account details and spread file-encrypting malware.

Germany began investigating the botnet, nicknamed Avalanche, in 2012 after a spate of ransomware attacks. The operation culminated on Nov. 30 with an expansive takedown operation involving private technical experts and law enforcement in more than 30 countries.

Fraud losses attributed to Avalanche are estimated in the hundreds of millions of dollars, the U.K.'s National Crime Agency says in a statement. As many as 500,000 computers worldwide were controlled by Avalanche at a time, with victims in more than 180 countries, the agency says.

Authorities arrested five people. Investigators sought to shut down the network, physically seizing 39 servers while undertaking technical steps to prevent the cybercriminals from again reaching the hacked computers.

Europol estimates Avalanche's infrastructure, running since 2009, sent more than 1 million emails a week containing malicious links or attachments.

"Millions of private and business computer systems were also infected with malware, enabling criminals operating the network to harvest bank and email passwords," the agency says in a statement.

The network also was used to coordinate money mules - people who receive stolen funds and transfer the cash to fraudsters for a fee. Money mules often have little idea of the source of the money or the criminal activity behind it.

The Cybercriminal Cloud Platform

Avalanche was essentially a cloud-computing platform designed for cybercriminals. Similar to Amazon Web Services, which is rented by legitimate companies for application hosting, Avalanche offered hosting and networking services optimized to make it hard for law enforcement to trace and shut down. US-CERT terms Avalanche a "crimeware-as-a-service infrastructure."

Cybercriminals used Avalanche to create their own botnets by sending malicious emails to people around the world. The National Crime Agency says that at its peak, Avalanche distributed at least 17 different kinds of malware, including the ransomware Teslacrypt and the banking Trojan called Tiny Banker.

To make Avalanche resilient, its operators used a technique called double fast flux. It involves frequently changing the IP address to which a particular domain name resolves as well as those of the corresponding nameservers that deliver answers to Domain Name System queries. Changing that information every few minutes makes shutting down a botnet an endless game of chase.
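How a defender might flag the double fast flux pattern described above from passive DNS data, as an added example that is not part of the original article. The record layout, thresholds and sample domains are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds (tune against your own resolver data).
MIN_IPS = 4     # distinct addresses seen inside the window
MIN_NETS = 3    # spread across this many /16 networks
MAX_TTL = 300   # every answer expires within five minutes

def build_sample():
    """Constructed observations: (time, domain, kind, ip, ttl).
    kind "A" is the domain's own address, "NS_A" is the address
    that one of the domain's nameservers resolved to."""
    obs = []
    for i in range(6):  # one lookup every five minutes
        t = i * 300
        obs += [
            (t, "double.example", "A", f"10.{i}.0.10", 120),
            (t, "double.example", "NS_A", f"10.{i + 20}.0.53", 120),
            (t, "single.example", "A", f"10.{i + 40}.0.10", 120),
            (t, "single.example", "NS_A", "192.0.2.53", 86400),
            (t, "static.example", "A", "198.51.100.10", 3600),
            (t, "static.example", "NS_A", "198.51.100.53", 86400),
        ]
    return obs

def churns(records):
    """True when a record set rotates quickly across many networks."""
    ips = {ip for ip, _ in records}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    max_ttl = max(ttl for _, ttl in records)
    return len(ips) >= MIN_IPS and len(nets) >= MIN_NETS and max_ttl <= MAX_TTL

def classify(observations, window=3600):
    """Label each domain from observations in the last `window` seconds."""
    latest = max(t for t, *_ in observations)
    seen = defaultdict(lambda: {"A": [], "NS_A": []})
    for t, domain, kind, ip, ttl in observations:
        if latest - t <= window:
            seen[domain][kind].append((ip, ttl))
    verdicts = {}
    for domain, rec in seen.items():
        a = bool(rec["A"]) and churns(rec["A"])
        ns = bool(rec["NS_A"]) and churns(rec["NS_A"])
        verdicts[domain] = ("double-flux" if a and ns else
                            "single-flux" if a else
                            "ns-churn-only" if ns else "stable")
    return verdicts

if __name__ == "__main__":
    for domain, verdict in sorted(classify(build_sample()).items()):
        print(f"{domain:16} {verdict}")
```

The /16 spread check is there because content delivery networks also return many short-lived addresses, but usually from a small number of networks.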

To make a botnet takedown effective, investigators need to cut off every bit of infrastructure used to communicate with hacked computers. If they don't, it's possible for the hackers to quickly reconstitute their network, undercutting the shutdown effort.

More Than 830,000 Domains Seized

The operation against Avalanche represents remarkable cooperation and scale. The National Crime Agency says more than 830,000 domains were seized in a single day, "breaking the channel between criminals and the computers they controlled." The technique - known as sinkholing - causes infected computers to report to computers controlled by law enforcement.

The Shadowserver Foundation, which researches and tracks botnets, says the operation was also the first large-scale use of the Registrar of Last Resort, a nonprofit organization dedicated to limiting abuse of the DNS. Seizing domain names has complicated legal consequences if a domain name registrar chooses not to cooperate with law enforcement.

Those legal complications, along with the cross-border nature of cybercrime, have made botnet interdictions difficult or unsuccessful. Domain name registrars and hosting companies in some countries can be unresponsive, but it appears some of those difficulties were overcome during the Avalanche investigation.

"Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens," says Rob Wainwright, Europol's director, in a news release.

Cleanup of Infected Machines

Europol says victims' computers are still infected with malware but will no longer be accessible to the cybercriminals. The law enforcement action did not encompass cleaning up computers - technically that would be illegal - so users will need to run their own anti-virus scans.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



