Online criminals iced as cops bury malware-spewing Avalanche
Four-year op by US and EU culminates in arrests, server seizures
On November 30, simultaneous raids in five countries by the FBI, Europol, and the UK's National Crime Agency (NCA) finally shuttered the Avalanche criminal network, which had been spewing malware and running money-laundering campaigns for the past seven years.
The Avalanche network was a system of 600 servers around the world that were available for hire to online criminals. Police estimate they were used to launch malware infection campaigns, funnel funds from phishing scams, and control more than 500,000 infected PCs a day. The network also spammed out a million virus-laden emails every week.
"The volume of fraudulent activity made possible by Avalanche was incredible. But the scale of the global law enforcement response was unprecedented, as 20 strains of malware and 800,000 domains were targeted on one day," said Mike Hulett, of the NCA's National Cyber Crime Unit.
"Unfortunately, taking down Avalanche doesn't clean computers already infected with malware, so while the criminals are scrabbling around inevitably trying to rebuild their operations, computer users should use this window to install anti-virus software and make sure they're protected."
The raids on Wednesday seized 39 servers and took another 221 offline. Thirty-seven premises were searched, and 830,000 malicious domains were shut down. Police found 20 different malware families on the network, including GozNym, Marcher, Matsnu, URLZone, XSWKit, and Pandabanker.
The Avalanche investigation began in 2012, when German police looking into a large ransomware outbreak found evidence that the infections traced back to the rogue network. Avalanche's infrastructure was very difficult to map and penetrate because it used a technique called double fast flux.
Fast flux is a common criminal technique designed to stymie investigations and takedowns: the IP address a domain resolves to is swapped regularly, sometimes every few minutes, across a pool of different servers, and the DNS records are given very short lifetimes so that each change takes effect almost immediately.
Avalanche augmented this with double flux: not only the address the domain pointed to changed, but so did the addresses of the name servers that had to be queried to find it. That made it doubly hard for investigators to pin down either the hosts serving the malware or the DNS infrastructure directing victims to them.
To combat this, investigators in the EU and US used sinkholing, in which the malicious domains are redirected so that traffic from infected machines flows to servers controlled by the police, where it can be analysed. Police around the world sifted through 130TB of data to piece together the Avalanche architecture.
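Before a domain can be sinkholed it has to be recognised as part of a flux network in the first place, and the signals are exactly the ones described above: many addresses for one name, spread across unrelated networks, with short TTLs, and, for double flux, the same churn on the zone's own name servers. The following is an added example, not code from the article or from the investigators: a heuristic that scores passive-DNS observations for single and double flux. The thresholds, the hostnames, and the observation records are constructed for illustration, and a /16 prefix is used as a cheap stand-in for ASN lookups.

```python
"""Flag single- and double-fast-flux names from passive DNS observations.

Added example, not from the article. Thresholds and sample records are
assumptions chosen to illustrate the technique, not figures from the case.
"""
import ipaddress
from collections import defaultdict

# Heuristic thresholds (assumed values for this example).
MIN_DISTINCT_IPS = 4      # distinct A answers seen for one hostname
MIN_DISTINCT_NETS = 3     # distinct /16 prefixes among those answers
MAX_TTL = 300             # seconds; flux operators keep TTLs low so rotations bite
NS_MIN_DISTINCT_NETS = 2  # /16 prefixes seen for a single name-server host

# Constructed passive-DNS records: (epoch seconds, queried name, type, answer, TTL).
# Addresses come from the RFC 5737 documentation ranges, not real infrastructure.
OBSERVATIONS = [
    # Double flux: the C2 hostname rotates across networks, and so do its NS hosts.
    (0,    "c2.example-flux.test", "A", "203.0.113.10", 180),
    (300,  "c2.example-flux.test", "A", "198.51.100.7", 180),
    (600,  "c2.example-flux.test", "A", "192.0.2.55", 180),
    (900,  "c2.example-flux.test", "A", "203.0.113.201", 180),
    (1200, "c2.example-flux.test", "A", "198.51.100.99", 180),
    (0,    "example-flux.test", "NS", "ns1.example-flux.test", 300),
    (0,    "example-flux.test", "NS", "ns2.example-flux.test", 300),
    (0,    "ns1.example-flux.test", "A", "192.0.2.1", 300),
    (600,  "ns1.example-flux.test", "A", "203.0.113.77", 300),
    (1200, "ns1.example-flux.test", "A", "198.51.100.3", 300),
    (0,    "ns2.example-flux.test", "A", "192.0.2.2", 300),
    (900,  "ns2.example-flux.test", "A", "203.0.113.140", 300),
    # Single flux: the hostname rotates, but the zone's name servers stay put.
    (0,    "login.example-single.test", "A", "192.0.2.120", 60),
    (120,  "login.example-single.test", "A", "203.0.113.8", 60),
    (240,  "login.example-single.test", "A", "198.51.100.44", 60),
    (360,  "login.example-single.test", "A", "192.0.2.121", 60),
    (0,    "example-single.test", "NS", "ns1.example-single.test", 86400),
    (0,    "ns1.example-single.test", "A", "198.51.100.2", 86400),
    # CDN look-alike: many IPs and a short TTL, but all inside one network.
    (0,    "www.example-cdn.test", "A", "203.0.113.20", 60),
    (60,   "www.example-cdn.test", "A", "203.0.113.21", 60),
    (120,  "www.example-cdn.test", "A", "203.0.113.22", 60),
    (180,  "www.example-cdn.test", "A", "203.0.113.23", 60),
    (240,  "www.example-cdn.test", "A", "203.0.113.24", 60),
    (0,    "example-cdn.test", "NS", "ns1.example-cdn.test", 86400),
    (0,    "ns1.example-cdn.test", "A", "198.51.100.200", 86400),
]


def net16(ip):
    """/16 prefix of an IPv4 address; a crude proxy for 'different network'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def net_diversity(ips):
    """Number of distinct /16 prefixes in a set of addresses."""
    return len({net16(ip) for ip in ips})


def summarise(observations):
    """Group observations into A answers per name, min TTL per name, NS hosts per zone."""
    a_ips, a_ttl, ns_hosts = defaultdict(set), {}, defaultdict(set)
    for _ts, name, rtype, answer, ttl in observations:
        name = name.lower().rstrip(".")
        if rtype == "A":
            a_ips[name].add(answer)
            a_ttl[name] = min(ttl, a_ttl.get(name, ttl))
        elif rtype == "NS":
            ns_hosts[name].add(answer.lower().rstrip("."))
    return a_ips, a_ttl, ns_hosts


def zone_of(name, ns_hosts):
    """Longest proper suffix of `name` for which NS records were observed."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ns_hosts:
            return candidate
    return None


def looks_fluxy(ips, ttl):
    """Single-flux signal: many addresses, across networks, with a short TTL."""
    return (len(ips) >= MIN_DISTINCT_IPS
            and net_diversity(ips) >= MIN_DISTINCT_NETS
            and ttl <= MAX_TTL)


def classify(observations):
    """Return {hostname: 'double-flux' | 'single-flux' | 'not-flux'} for each
    hostname whose zone's NS set was seen and which is not itself a name server."""
    a_ips, a_ttl, ns_hosts = summarise(observations)
    verdicts = {}
    for name, ips in a_ips.items():
        zone = zone_of(name, ns_hosts)
        if zone is None or name in ns_hosts[zone]:
            continue
        if not looks_fluxy(ips, a_ttl[name]):
            verdicts[name] = "not-flux"
            continue
        # Double flux: the zone's own name servers also rotate across networks.
        ns_flux = any(net_diversity(a_ips.get(ns, set())) >= NS_MIN_DISTINCT_NETS
                      for ns in ns_hosts[zone])
        verdicts[name] = "double-flux" if ns_flux else "single-flux"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify(OBSERVATIONS).items()):
        print(f"{host:32s} {verdict}")
```

The network-diversity check is what keeps a legitimate CDN, which also hands out many addresses with short TTLs, out of the flux bucket: compromised flux nodes sit in unrelated consumer networks, while a CDN's pool is concentrated. Against real data the /16 proxy should be replaced with an ASN lookup, and the thresholds tuned to the resolver's normal traffic.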
"Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime," said Europol Director Rob Wainwright.
"The complex trans-national nature of cyber investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation, we can collectively make the internet a safer place for our businesses and citizens." ®