After more than four years of investigation, coordinated action between various agencies and international authorities has culminated in a large-scale operation against the international ‘Avalanche’ infrastructure. For years, this network allowed several malware and botnet operators to benefit from an extra layer of protection against raids and domain takedowns.
For years the network allowed the sending of more than one million phishing emails carrying malicious files or links, used to recruit victims into botnets. According to the BBC, Europol said that during the operation searches were carried out at 37 premises and 39 servers were seized. It is estimated that the network controlled 500,000 infected computers, with victims in about 180 countries.
The investigation was carried out by the Verden Public Prosecutor’s Office and the Lüneburg Police (Germany), in close collaboration with the US Attorney’s Office for the Western District of Pennsylvania, the US Department of Justice, the FBI, Europol, Eurojust and partners from up to 30 countries.
In Germany alone, Europol estimated the damage caused by the network’s operations at six million euros, a figure that could reach hundreds of millions of euros worldwide, although an exact amount has not been calculated.
How did this group operate?
The ‘Avalanche’ group operated a network built on fast-flux concealment techniques. Fast flux is a DNS technique used by botnets to hide the pages through which they deliver malware and phishing: those pages sit behind a constantly changing set of compromised home computers that act as proxies.
Botnet operators used this network to hide the command-and-control infrastructure of their running botnets. If a security company tried to map the attacks in order to stop them, the fact that the controllers were hidden behind several layers of proxies made them almost impossible to locate.
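The defender-side counterpart to the technique described above is spotting it in DNS telemetry: a fast-flux domain resolves to many different addresses spread across unrelated networks, each with a very short TTL, so it rotates through its proxy layer quickly. The following Python is an added illustration, not code from the article or from any of the agencies involved; the passive-DNS-style records are constructed sample values (RFC 5737 documentation addresses), and the thresholds (TTL at most 300 seconds, at least five distinct IPs, at least three distinct /16 prefixes) are assumed heuristics, not values from the case.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed passive-DNS style observations: (seconds since start, queried domain,
# resolved A record, TTL in seconds). Sample data only, not from the Avalanche case.
SAMPLE_RECORDS = [
    (0,    "update-check.example", "203.0.113.10", 120),
    (150,  "update-check.example", "198.51.100.7", 120),
    (300,  "update-check.example", "192.0.2.44",   120),
    (450,  "update-check.example", "203.0.113.88", 120),
    (600,  "update-check.example", "198.51.100.9", 120),
    (750,  "update-check.example", "192.0.2.201",  120),
    (0,    "www.static-site.example", "203.0.113.5", 86400),
    (3600, "www.static-site.example", "203.0.113.5", 86400),
    (7200, "www.static-site.example", "203.0.113.6", 86400),
]


@dataclass
class DomainStats:
    domain: str
    distinct_ips: int
    distinct_prefixes: int   # distinct /16 networks, a rough stand-in for ASN diversity
    avg_ttl: float
    ips_per_hour: float      # churn rate over the observation window


def _prefix16(ip: str) -> int:
    """Return the /16 network of an IPv4 address as an integer."""
    return int(ip_address(ip)) >> 16


def summarize(records) -> dict:
    """Aggregate per-domain resolution statistics from (t, domain, ip, ttl) tuples."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    ttls = defaultdict(list)
    first_seen, last_seen = {}, {}
    for t, domain, ip, ttl in records:
        ips[domain].add(ip)
        prefixes[domain].add(_prefix16(ip))
        ttls[domain].append(ttl)
        first_seen[domain] = min(first_seen.get(domain, t), t)
        last_seen[domain] = max(last_seen.get(domain, t), t)
    stats = {}
    for domain in ips:
        window_hours = max(last_seen[domain] - first_seen[domain], 1) / 3600.0
        stats[domain] = DomainStats(
            domain=domain,
            distinct_ips=len(ips[domain]),
            distinct_prefixes=len(prefixes[domain]),
            avg_ttl=sum(ttls[domain]) / len(ttls[domain]),
            ips_per_hour=len(ips[domain]) / window_hours,
        )
    return stats


def is_fast_flux(s: DomainStats, max_ttl=300, min_ips=5, min_prefixes=3) -> bool:
    """Heuristic: short TTL plus many addresses across many networks (assumed thresholds)."""
    return s.avg_ttl <= max_ttl and s.distinct_ips >= min_ips and s.distinct_prefixes >= min_prefixes


def find_fast_flux(records) -> list:
    """Return the sorted list of domains whose resolution pattern looks like fast flux."""
    return sorted(d for d, s in summarize(records).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_RECORDS).items():
        print(f"{domain}: {s.distinct_ips} IPs, {s.distinct_prefixes} /16s, "
              f"avg TTL {s.avg_ttl:.0f}s, flux={is_fast_flux(s)}")
```

The static site resolves to two addresses in one network with a day-long TTL and is left alone; the rotating domain trips all three conditions. In practice the prefix check would be replaced by an ASN lookup, and the thresholds tuned against a baseline of legitimate CDN domains, which also use short TTLs but stay within a small number of operator-owned networks.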
Under the protective layer of ‘Avalanche’, various types of malware operated, such as credential stealers, ransomware and banking Trojans, along with several botnet families, including TeslaCrypt, Nymaim, CoreBot, GetTiny, Matsnu, Rovnix, URLZone and Qakbot (aka Qbot, Pinkslip Bot).
If the term leaves you a little confused, remember that botnets are networks of zombie computers: private computers infected with malware so that they can be controlled en masse and used to carry out various types of attacks, especially large-scale DDoS.
The timing of this large-scale raid could not have been better, as it comes just when botnet attacks are becoming increasingly powerful, going as far as leaving one million users in Germany, or even an entire country, without Internet, not to mention the attack that knocked out Dyn DNS and made services like Twitter or Spotify inoperable worldwide.
Still, all of these recent attacks were carried out by the Mirai family of botnets, which is not on the ‘Avalanche’ list. This means that 2017 will continue to be a busy year for this type of attack. If you suspect that your computer may be being used in a botnet, here is a guide to find out for sure. ESET has also published a number of specific prevention tools to check whether ‘Avalanche’ has affected us.