Slashdot Mirror


International Authorities Take Down Massive 'Avalanche' Botnet, Sinkhole Over 800,000 Domains (arstechnica.com)

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. 
In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

53 comments

  1. over 180 countries by Anonymous Coward · · Score: 0

    Depending on who is doing the counting, that could be every country or even more countries than actually exist.

    1. Re:over 180 countries by AHuxley · · Score: 3, Interesting

      List of sovereign states: "193 member states, two observer states, and 11 other states." https://en.wikipedia.org/wiki/...
      180 is covered AC. It just shows the reach of the "International Authorities" AC. If they can cooperate on this, how is any VPN secure in most nations?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: over 180 countries by Anonymous Coward · · Score: 0

      Ah, well, today I learned. Thanks.

  2. Sinkholing, WTF? by rtb61 · · Score: 3, Interesting

    "Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company." https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation. Hey, fuckers, you are meant to fix the end users' computers, not fucking keep a back door for yourselves, seriously, what the fuck?

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Sinkholing, WTF? by AHuxley · · Score: 1

      That must be for the few free nations the international authorities could not get into, so they just alter the internet a bit.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Sinkholing, WTF? by sl3xd · · Score: 4, Insightful

      It's not the government's job to repair the damage. They stop the criminals, and impound their stuff — including domains, and clear the roads so the rest of us can use them again.

      They don't undo or make reparations for the damage the criminals did during their spree.

      So yeah, the backdoor changed hands, to a set the government feels is more responsible. Depending on the behavior of the botnet, it may be a bad idea to zero out the domain's DNS. Were I to design a botnet, I'd certainly make it do something horrible if the command and control became unreachable. It may be better to just set up a long term honeypot to keep the swarm mollified.

      Whether we like the decision or not is irrelevant unless you can convince enough of the population to make an issue of it. My money's on an overwhelming attitude of "The police stopped hackers? Keep up the good work!"

      So point your ire in the right direction: A population that doesn't care about computers, doesn't care about security, and wants stuff cheap. Blame manufacturers who pump out lousy insecure products and only give lip service to security in order to sell more insecure garbage.

      It's a bad situation because neither consumers nor producers have a reason to change their behavior.

      It's politically easy in a lot of nations to penalize manufacturers by creating regulations. Unless those against regulations come up with a better idea, regulation is likely what we'll get, because it's the most effective solution offered.

      --
      -- Sometimes you have to turn the lights off in order to see.
    3. Re:Sinkholing, WTF? by Dutch+Gun · · Score: 3, Informative

      There's little choice but to seize command-and-control domains in order to stop these widely distributed botnets. My guess is that this is simply done at the DNS level, which would be pretty simple since they're apparently cooperating with ICANN authorities, according to the press release. Also, it's ridiculous to expect authorities to track down half a million victims and help them clean up their computers. Besides, in the US at least, I believe it would actually be illegal to do anything to a user's system without their express consent.

      So, sorry, I don't see this as some nefarious plot by world governments to take over the internet... that's probably a different department. This is exactly what law enforcement needs to be doing to combat these fucking botnets operators and ransomware distributors who are ruining things for the rest of us.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      Besides, in the US at least, I believe it would actually be illegal to do anything to a user's system without their express consent.

      Not anymore, I believe that's part of the Rule 41 changes.

    5. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      Besides, in the US at least, I believe it would actually be illegal to do anything to a user's system without their express consent.

      Seems to me, as of today, the FBI can just get a rubber stamp warrant for "all botnet infected computers in the United States and its territories," and deploy whatever the hell they want to them.

    6. Re:Sinkholing, WTF? by rectalfeeding · · Score: 1

      Also, it's ridiculous to expect authorities to track down half a million victims and help them clean up their computers.

      How about for a start posting a list of IP addresses, or possibly more nuanced evidential trace information, to a global database that anyone can check if they like? The early adopter power users might load the simple app that facilitates ensuring that they can at least pull such minimal notification if they are interested. That doesn't sound infeasible to me, though I invite comments explaining what is wrong with my theoretical reasonable solution.

      Until I hear a much better story about why the authorities can get away with knowing computers are compromised with unauthorized accessors, while not notifying the owners so that they can remedy the situation including optionally exercising their right to prosecute the offender... Well, I'll assume something slightly less than fully above board policy is going on.

      It seems to me that if the efforts were made to get the hacked victims notified, more effective and appropriate market pressures would travel upstream to the relevant insufficiently supported device manufacturers.

    7. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      Even better if there's a database of IP addresses of those malicious C&C servers. At least IT admins can check those weird outbound connections to malicious IP addresses from their LAN, and so they (IT admins) can notify the specific owner of infected devices. I keep on checking the outbound connections of all devices on my LAN, but it's painful to check them one by one, and they only point to Google or Microsoft or Amazon Data Services. I am serious, there are something like 12 connections to Google and 4 to Microsoft on a specific device on my LAN right now.
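
The check the comment above asks for, as an added example that is not part of the original thread: a Python script that parses netstat-style output collected from LAN hosts and matches each destination against a shared C&C indicator list, so the admin sees only the handful of suspect connections and which device owns them instead of every CDN session. The netstat lines and the indicator entries (single IPs and CIDR ranges) are constructed placeholders using RFC 5737 documentation ranges, not Avalanche infrastructure.

```python
"""Flag LAN devices talking to known C&C addresses (added example, not from the page)."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator feed in the shape a shared C&C list would take:
# bare IPs and CIDR ranges. Documentation addresses, not real C&C.
CC_INDICATORS = ["203.0.113.44", "203.0.113.0/28", "198.51.100.200"]

# Matches the Linux `netstat -an` line layout: proto, recv-q, send-q, local, foreign[, state].
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: three LAN devices, mostly ordinary traffic, three C&C contacts.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.20:51522      203.0.113.44:443        ESTABLISHED
tcp        0      0 192.168.1.20:51530      198.51.100.80:443       ESTABLISHED
tcp        0      0 192.168.1.31:40010      203.0.113.9:8080        SYN_SENT
udp        0      0 192.168.1.31:5353       224.0.0.251:5353
tcp        0      0 192.168.1.44:55001      198.51.100.200:80       TIME_WAIT
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""


def compile_indicators(entries):
    """Accept bare IPs and CIDR ranges; strict=False tolerates host bits set in a range."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


INDICATOR_NETS = compile_indicators(CC_INDICATORS)


def match_indicator(dst_ip):
    """Return the indicator entry covering dst_ip (as written in the feed), or None."""
    addr = ipaddress.ip_address(dst_ip)
    for net in INDICATOR_NETS:
        if addr in net:
            return str(net) if net.num_addresses > 1 else str(net.network_address)
    return None


def scan(netstat_text):
    """Map each internal device to its connections whose destination is a known C&C."""
    hits = defaultdict(list)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, LISTEN sockets with '*' ports, IPv6, etc.
        indicator = match_indicator(m["dst"])
        if indicator:
            hits[m["src"]].append((m["dst"], int(m["dport"]), indicator))
    return dict(hits)


def notification_lines(hits):
    """One line per device, the raw material for telling that device's owner."""
    return [
        f"{dev}: {len(conns)} connection(s) to known C&C "
        f"({', '.join(sorted({c[2] for c in conns}))})"
        for dev, conns in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in notification_lines(scan(SAMPLE_NETSTAT)):
        print(line)
```

Feed the function the output of `netstat -an` (or `ss -tn`) gathered from each host, and refresh `CC_INDICATORS` from whatever indicator source you trust; matching by network rather than exact string is what lets a single feed entry cover a whole hosting block.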

    8. Re:Sinkholing, WTF? by Dutch+Gun · · Score: 5, Informative

      Unfortunately, there's no convenient global IP-to-email or IP-to-person database, so it's not as easy as you may think to contact those affected. IPs are usually dynamically assigned to consumer users, meaning there's no simple one-to-one mapping. While it's certainly *possible* to track down a user by IP, it's by no means trivial to do so, or even possible in all cases. ISPs may be reluctant to hand out that information to law enforcement without a subpoena, and that's generally a good thing for our privacy.

      Probably the most effective response to help individuals, now that the authorities have the command and control systems, is to instruct the malware to remotely disable itself and patch any known infection vector / vulnerability. This has been done on several occasions by the FBI and Microsoft in recent years, which has a dedicated anti cyber-crime lab that works with them on these sorts of cases. Of course, this is fraught with both technical and legal concerns, due to potential abuse or a slippery slope encroachment of privacy rights. And things are made more complicated because of the various international laws that may impact the ability of law enforcement to do this.

      I certainly understand your skepticism regarding governments, law enforcement, and potential for abuse by overreach, but I really do think they're doing the right thing here. It's unfortunate that governments and law enforcement has undermined the public trust with their actions, such that we can't help but question their motivations, even when they're (I believe) legitimately stopping criminals like this.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    9. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      it's ridiculous to expect authorities to track down half a million victims

      Ridiculous, yes. Within their capability? Also yes.

    10. Re:Sinkholing, WTF? by Dutch+Gun · · Score: 1

      Not anymore, I believe that's part of the Rule 41 changes.

      Hmm, it seems I was wrong, but not for that reason. In recent years (like, within the last five years or so) they've actually used botnet command and control systems to try to fix or patch up user systems. I've linked a legal paper in a different post that described some of these events.

      I'm wondering if part of the intention of Rule 41 was to clarify the legal standing of the botnet issue. Will have to do a bit more reading on that, as it somehow slipped by my radar.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    11. Re:Sinkholing, WTF? by drinkypoo · · Score: 1

      It's not the government's job to repair the damage. They stop the criminals, and impound their stuff — including domains, and clear the roads so the rest of us can use them again.

      Yes, but the idea is not that they become the criminals. Upon taking control of a botnet, they are illegally taking control of all the PCs in the net. Literally the only thing they should be doing with a botnet is uninstalling it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      Yes, but the idea is not that they become the criminals. Upon taking control of a botnet, they are illegally taking control of all the PCs in the net. Literally the only thing they should be doing with a botnet is uninstalling it.

      Which they can't do without taking control of said PC.

    13. Re:Sinkholing, WTF? by jabuzz · · Score: 1

      Certainly under UK law that would be fine provided they didn't direct the botnet to actually do anything.

    14. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      Were I to design a botnet, I'd certainly make it do something horrible if the command and control became unreachable

      Or just design a P2P system

    15. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      Unfortunately, there's no convenient global IP-to-email or IP-to-person database, so it's not as easy as you may think to contact those affected. IPs are usually dynamically assigned to consumer users, meaning there's no simple one-to-one mapping. While it's certainly *possible* to track down a user by IP, it's by no means trivial to do so, or even possible in all cases. ISPs may be reluctant to hand out that information to law enforcement without a subpoena, and that's generally a good thing for our privacy.

      There's no global ip-to-email or ip-to-person db. But there is a subnet-to-isp db, generally associated with an abuse@isp address. No information need pass from the ISP back to whatever authorities, but information most definitely should be flowing from the authorities to the ISPs which should take action.

    16. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      there's no convenient global IP-to-email or IP-to-person database

      There's no public global IP-to-email or IP-to-person database.

    17. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      A good solution would be to do it backwards: Maintain and update a database of affected IPs, and promote apps that keep track of your own recent IP addresses and can look them up in the database and see if you are affected.

      Sure it would take a little work, but it seems it could be something that would fit right into existing virus scanners.

    18. Re:Sinkholing, WTF? by Archangel+Michael · · Score: 1

      "We have altered the internet. Pray we do not alter it further"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    19. Re:Sinkholing, WTF? by chispito · · Score: 1

      "Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company." https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation. Hey, fuckers, you are meant to fix the end users' computers, not fucking keep a back door for yourselves, seriously, what the fuck?

      Way to react without thinking it through or doing a semblance of research on the matter. Governments can't remotely scrub hundreds of thousands or millions of private computers all over the world. What governments CAN do, and often do, is use their power to change DNS so that the malware can't contact the command and control servers, in effect de-fanging the malware. Private companies like Microsoft do this a lot also.

      Spin it however you want, but the world is a better place because it happens and there is no other feasible way to combat botnets on this scale.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
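
What the DNS-level sinkholing described in the Dutch+Gun and chispito comments above looks like in code, as an added example that is not taken from the thread or from the operation itself: a minimal responder that answers A queries for seized names with the sinkhole address and records which client asked, which is the raw material for victim notification. Queries for anything else return None, meaning "forward to a normal resolver". The domain names, addresses and the sample query are constructed placeholders; a real deployment hands the seized names to a proper authoritative server rather than a hand-rolled parser.

```python
"""Minimal DNS sinkhole responder (added example, not the Europol operation's code)."""
import socket
import struct
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"          # RFC 5737 documentation address, placeholder
SINKHOLE_TTL = 300
SEIZED_DOMAINS = {                  # constructed names, not real Avalanche domains
    "cc-example-1.invalid",
    "update.cc-example-2.invalid",
}

# client IP -> set of seized names it asked for; what gets passed on for notification
victims = defaultdict(set)


def parse_question(packet):
    """Return (txid, qname, qtype, end_of_question) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def sinkhole_response(packet, client_ip):
    """A-record response pointing at the sinkhole for seized names, else None (pass through)."""
    txid, qname, qtype, qend = parse_question(packet)
    if qname not in SEIZED_DOMAINS or qtype != 1:   # only A queries for seized names
        return None
    victims[client_ip].add(qname)
    # QR=1, RD=1, RA=1, NOERROR; one question echoed back, one answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = packet[12:qend]
    # name = pointer to offset 12 (the question name), type A, class IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def build_query(qname, txid=0x1234):
    """Construct a standard A query, i.e. what an infected host's resolver would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii") for label in qname.split(".")
    ) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)


def answer_ip(response):
    """Extract the A record from a response built by sinkhole_response (RDATA is the tail)."""
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    # Constructed traffic: two infected clients and one innocent lookup.
    for client, name in [("198.51.100.7", "cc-example-1.invalid"),
                         ("198.51.100.9", "update.cc-example-2.invalid"),
                         ("198.51.100.7", "www.example.org")]:
        resp = sinkhole_response(build_query(name), client)
        print(name, "->", answer_ip(resp) if resp else "pass-through")
    print("victims to notify:", dict(victims))
```

The point the thread circles around is visible in the last line: sinkholing never touches the infected machine, it only changes where the name resolves, and the side effect is a list of querying addresses that someone still has to turn into notifications.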
    20. Re:Sinkholing, WTF? by klui · · Score: 1

      I agree. It isn't practical to patch, because they haven't been patched before and most of their owners are probably ignorant of their pwnage. Wait 6 months and many of those devices would get out of date quickly. A whole government organization would be required to constantly monitor them, and I don't think people would want that from the government. These botnets are globally spread out, so there would be jurisdiction issues.

    21. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      Where does it say law enforcement used the infected computers to commit a crime? They redirected the communication from infected computers; how is that 'taking control of all the PCs in the net'? If a car is driving down the road on 3 wheels (when it has 4), you don't think it might be a good idea for the police to pull it over & maybe point out that this isn't safe, or do you think that this is 'taking control of the car & committing a criminal act?'

      I'm no fan of big government & intrusion by any means, but seriously law enforcement does have to do their job.

      Now, if the government were to actually use what control they may have to attack a company, state or individual then they are committing an illegal act & should be punished for it just like any other criminal organization. But no where in the summary or article does it say they have done that.

    22. Re:Sinkholing, WTF? by Anonymous Coward · · Score: 0

      I will allow law enforcement a bit of leeway here, especially as the linked-to article refers to more information to be released 'next week' regarding 'dismantling the network', but I don't think it's quite as hard to do as you make it. Yes, the IP addresses are dynamically assigned, and now we don't want service providers giving out our information to law enforcement, but it doesn't have to be done that way. Law enforcement can notify the ISP about IP addresses that belong to them that are part of the network (the ISP owns the IP address, not the end-user). Since the service provider would have some record as to who any given IP address was assigned to, even if that is in a 'given period of time', the ISP themselves could notify 'potentially infected end-users'.

      Heck, I just received an e-mail about a potential 'class action lawsuit' with a company I haven't done business with in years. Whether or not this lawsuit impacts me at all is entirely unknown to that company, but they had to notify me. In the same way an ISP can send an e-mail blast to their potentially impacted end users, something to the effect of 'during a recent successful law enforcement investigation into a hacker group, IP addresses belonging to us were identified as being compromised; this may mean you have 1 or more computers infected by a virus. For more information and potential help in disinfecting your system please click here'. That may not be the best wording to avoid panic, but I'm sure it wouldn't be difficult for someone to come up with something reasonable.

      The WORST of all things would be for law enforcement or any private company using this compromise to hack into the computer to 'fix' it. THAT is way too open to abuse regardless of how 'easy' it may seem to do (not to mention likely patently illegal). Just because something is 'easy' doesn't make it proper or the 'best way' to deal with something. We've been taking the 'easy way out' far too long, leading to more issues & overreach than the original problem caused. In other words the 'slippery slope' really is slippery & we're sliding down it faster than a toboggan on a snowy hill.
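
The authorities-to-ISP notification path proposed in comments 15 and 22 above, as an added Python example that is not part of the thread: victim IPs observed at the sinkhole are routed to the abuse contact of the most specific allocation covering them (longest-prefix match, so a hoster's sub-allocation wins over its upstream ISP's parent block) and grouped into one message per contact, with the observation time kept so the ISP can map a dynamic address to whichever subscriber held it at that moment. Nothing about the subscriber flows back. The allocation table and victim records are constructed placeholders; in practice the table would be built from RIR WHOIS data.

```python
"""Route sinkhole victim IPs to ISP abuse contacts (added example, not from the page)."""
import ipaddress
from collections import defaultdict

# Constructed allocation table: (prefix, abuse contact). Real data would come from WHOIS.
ALLOCATIONS = [
    ("198.51.100.0/24", "abuse@isp-a.example"),
    ("198.51.100.128/25", "abuse@hoster-b.example"),  # sub-allocation inside ISP A's block
    ("203.0.113.0/24", "abuse@isp-c.example"),
]
ROUTES = [(ipaddress.ip_network(prefix), contact) for prefix, contact in ALLOCATIONS]

# Constructed sinkhole observations: (victim IP, UTC time seen, malware family label).
VICTIM_RECORDS = [
    ("198.51.100.5", "2016-12-01T10:02:11Z", "family-x"),
    ("198.51.100.130", "2016-12-01T10:05:40Z", "family-y"),
    ("198.51.100.5", "2016-12-01T11:17:03Z", "family-x"),
    ("203.0.113.77", "2016-12-01T12:00:00Z", "family-x"),
    ("192.0.2.9", "2016-12-01T12:30:00Z", "family-z"),  # no allocation on file
]


def abuse_contact(ip):
    """Longest-prefix match: the most specific allocation covering ip wins; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, contact in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_notifications(records):
    """Group observations per abuse contact, then per IP, keeping every timestamp.

    Dynamic addresses make the time essential: the ISP, not the sender, resolves
    (ip, time) to a subscriber. Unroutable IPs are collected under the key None so
    they are not silently dropped.
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for ip, seen, family in records:
        grouped[abuse_contact(ip)][ip].append((seen, family))
    return {
        contact: {ip: sorted(obs) for ip, obs in ips.items()}
        for contact, ips in grouped.items()
    }


def render(contact, ips):
    """Text body for one ISP. No subscriber identity is requested or included."""
    lines = [f"To: {contact}", "Subject: sinkhole observations from your address space", ""]
    for ip in sorted(ips, key=ipaddress.ip_address):
        for seen, family in ips[ip]:
            lines.append(f"{seen} {ip} contacted seized C&C infrastructure ({family})")
    return "\n".join(lines)


if __name__ == "__main__":
    notes = build_notifications(VICTIM_RECORDS)
    for contact, ips in notes.items():
        if contact is None:
            print("unroutable, needs manual lookup:", sorted(ips))
            continue
        print(render(contact, ips), end="\n\n")
```

The None bucket is the part worth keeping an eye on operationally: addresses with no allocation on file are exactly the ones that never get notified unless someone looks them up by hand.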

  3. attacking availability without defeating security by rectalfeeding · · Score: 2

    List of sovereign states: "193 member states, two observer states, and 11 other states." https://en.wikipedia.org/wiki/... 180 is covered AC. It just shows the reach of the "International Authorities" AC. If they can cooperate on this, how is any VPN secure in most nations?

    The same way a VPN is secure generally? What you mean perhaps is- How is any VPN guaranteed to be reliable across national borders utilizing publicly available commercial infrastructure network interconnections even against a cooperating international community opposed to it? And the answer is that no such guarantee was ever implied or presumed by anyone who gave it much thought.

  4. JAIL every one of these losers! by Anonymous Coward · · Score: 0

    And I mean SERIOUS time - MINIMUM 10 years!

    1. Re:JAIL every one of these losers! by Streetlight · · Score: 1

      The punishment could differ depending on the country in which each individual set up was located and the individuals running them. In some places they might get a bullet (which they must pay for) in the back of the head or a bullet from a firing squad in a prison located on an island. Others might become some kind of hero for the president of a large country.

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    2. Re:JAIL every one of these losers! by jonwil · · Score: 1

      The #1 reason malware is such a big problem is that the scumbags who create and distribute the malware are often located in countries like Russia where the criminal organizations producing and distributing the malware are in bed with the government and there is no willingness from anyone to actually stop this crap from happening.

  5. in brazil the marketing botnet is money by Anonymous Coward · · Score: 0

    reweb is a marketing company who uses twitter bots like this

  6. First they came for the botnets by Anonymous Coward · · Score: 0

    First they came for the botnet domains, and I didn't speak because I didn't operate a botnet...

    1. Re:First they came for the botnets by Anonymous Coward · · Score: 0

      I understand there are some openings now, go ahead and operate one...

  7. As a result, five individuals were arrested by hcs_$reboot · · Score: 1

    From which country/ies?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:As a result, five individuals were arrested by Anonymous Coward · · Score: 0

      My bet is at least one of them either originated from or currently resides in Ukraine or Estonia. Most of the ransomware botnets come from those countries for a reason. They have a culture of corruption and organized crime. Just an educated guess based on past trends.

    2. Re:As a result, five individuals were arrested by Anonymous Coward · · Score: 0

      Yeah, because there are no criminals in the USA, Europe, South Americas, Asia, Russia et al. Don't confuse a few organised ATM gangs with global botnets used by criminals and govt agencies.

    3. Re:As a result, five individuals were arrested by Anonymous Coward · · Score: 0

      Three arrests happened in Ukraine; the head of the group is from Ukraine. Some photos and video made by local police: http://soft2secure.com/news/av... Other commentators were right about Ukraine. This country is famous for its hackers. What is more interesting and sad is that the guy has already been released by the judge and disappeared: http://poltava.to/news/40985/ and here: http://obozrevatel.com/crime/1... So, four years of investigation, and now their boss may just restructure and launch Avalanche 2.0 with his money and connections and experience. FBI, Europol and 30+ other organizations should have known Ukraine is totally corrupted. I am not surprised at all. Hackers steal our money and become politicians there: http://voices.washingtonpost.c... and here - http://wayback.archive.org/web...

  8. Terrorists win .. by Anonymous Coward · · Score: 0

    Maybe CS GO will be less laggy tonight.

  9. Investigator take down 'computer' botnet by khz6955 · · Score: 1

    "Investigators .. announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis"

    What was the name of the Operating System that facilitated this 'computer' botnet.

    1. Re:Investigator take down 'computer' botnet by Ol+Olsoc · · Score: 1

      What was the name of the Operating System that facilitated this 'computer' botnet.

      Mud.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Investigator take down 'computer' botnet by Anonymous Coward · · Score: 0

      IoT.

      Seriously though, they'll facilitate their operation with several, including serverOSs. Like any scale operation. Stop fishing.

  10. So much for Internet freedom by Anonymous Coward · · Score: 0

    Who are they to decide botnets are bad. Maybe I joined this botnet and wasn't "infected". More Internet tyranny from our oppressors.

  11. Re:Another Trump victory! by Highdude702 · · Score: 1

    This shit right here is the parasitic comments that are driving people away from Slashdot. HE HASN'T EVEN BEEN INAUGURATED YET. HE CAN'T BE THE WORST PRESIDENT WHEN HE'S NOT EVEN PRESIDENT YET!! You people, yes I said YOU PEOPLE, are fucking bat shit crazy..

  12. Re:Another Trump victory! by Anonymous Coward · · Score: 0

    Hear hear.
    I personally figured the paid shills would all be fired after the election but apparently they are already gearing up to the 2020 election. That shit ought to be illegal.

  13. Backup for the Web by Neuronwelder · · Score: 1

    I don't know how it can be done. But at the rate of attacks I've been noticing, we need some sort of a backup Web system to keep things going when the system is down. Am I wrong??

  14. Same infrastructure used by Spamit by Anonymous Coward · · Score: 0

    This infrastructure seems very similar - nearly identical - to a very long-standing set of virtual / hacked servers operated by the former "Spamit" rogue pharmacy spam affiliate program. A variation of that is also used by the pharma affiliate spam group "EvaPharmacy". Both of these date back to 2007 or so.

    I've been researching and attempting to report these servers ever since then, and I can tell you: ISP's don't care. Individual host operators don't care. These are often abandoned servers with extremely weak security that nobody has any interest in fixing.

    Add to that the complexity and hassle of attempting to contact a significant number of Chinese hosting companies with dozens to hundreds of affected servers at the root level, who never respond, and you effectively have a "perfect" free hosting environment for the developers and sysadmins of any criminal operation to take advantage of.

    Russian criminal groups invested a considerable amount of time in automating the entire process of finding these servers, installing their reverse proxy "fast flux" hosting environments, applying DNS to the servers, and then scanning from that host for any other vulnerable hosts. In all the years I've been investigating this, has any ISP or hosting company cared to do anything about their infected servers?

    So you can say that it's not cool that they ended up using a sinkhole, but honestly: what other options were there?

    I'm glad someone finally took *any* kind of action.

    SiL / IKS / concerned citizen

  15. Look who is doing this by Anonymous Coward · · Score: 0

    "Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners"

    That is a list of known liars, scum-bags, and illegitimate departments with as much usefulness as a kickstand on a Carnival Cruise ship.

    The people behind this are part of the 'Lead Crew' - that is, the first crew of people that we need to fill with lead to make America great again.

    You are now free to return to your oligarchical police state.

  16. It's nothing in comparison. by malditaenvidia · · Score: 1

    Imagine the impact of taking down the google botnet.

  17. Fastflux botnets = nullified by hosts by Anonymous Coward · · Score: 0

    See subject: This one is & can't infect you OR talk back to their C&C via APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

    Ads rob speed, security (malvertising) & privacy (tracking).

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.

    Works vs. caps & PUSH ads.

    Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.

    Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.

    Complements firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).

    Gets data via 10 security sites.

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )