The Avalanche malware-hosting network has been dealt a severe blow following the takedown of infrastructure used by at least 17 malware families. The takedown operation, which was a combined effort by multiple international law enforcement agencies, public prosecutors, and security and IT organizations including Symantec, resulted in the seizure of 39 servers and several hundred thousand domains that were being used by the criminal organization behind the Avalanche network.
In 2012, Symantec published research on law enforcement ransomware. Such ransomware was the predominant malware at the time, with a number of different attacker groups utilizing it to attack various countries. As part of our research for the paper, the primary countries targeted by the various groups were identified. One particular group, using the ransomware Trojan.Ransomlock.P, was predominantly targeting German speakers in Germany, Austria, and parts of Switzerland.
It was also noted in the paper that at least one of the command and control (C&C) servers used by the ransomware was also used by malware know as Trojan.Bebloh, or URLZone. Bebloh is a banking Trojan that, at the time, was targeting the same set of victims as Trojan.Ransomlock.P; German speakers in Germany, Austria, and Switzerland. At the same time of the 2012 publication, a team of police from the German town of Luneberg and the Public Prosecutor’s Office from the German town of Verden were investigating the Bebloh malware. Given the shared used of network infrastructure by the two malware families, it was assumed that there was a connection between the two sets of activity.
Symantec provided technical assistance to the police during these early stages of the investigation by reverse engineering malware and identifying malicious infrastructure. A number of additional malware families were also discovered sharing the same C&C infrastructure, and the Luneberg police began to expand their investigation into these families.
The police investigation discovered that the various malware families were all hosted on what has been termed the Avalanche botnet. This is a network of compromised computers that are rented out to facilitate the C&C infrastructure for a number of different actors.
A combined effort
Over the following years, the Luneberg police and the Verden Public Prosecutor’s Office, in combination with the BSI, FKIE, BFK, and numerous other law enforcement and industry partners, continued investigating the Avalanche network, discovering a massive operation responsible for controlling a large number of compromised computers across the world.
The investigation culminated yesterday on November 30 and resulted in the takedown of infrastructure providing support for at least 17 different malware families as well as the arrests of multiple individuals suspected to be participating in the activity.
The Luneberg police and the Verden Public Prosecutor’s Office investigation is a prime example of how the dogged persistence of a team of experienced law enforcement investigators, combined with assistance from government, academia, and private industry, can result in highly-effective action against cybercriminals. Symantec was pleased to have been able to assist in this work, and is ready to provide technical assistance to law enforcement as required in future investigations.
Protection and removal
Symantec and Norton products provide protection against malware associated with the Avalanche botnet.
The Norton Power Eraser (NPE) tool also scans for and removes Avalanche-related infections. If customers experience difficulties removing some infections, NPE should be run in safe mode.