International Authorities Take Down Massive 'Avalanche' Botnet, Sinkhole Over 800,000 Domains

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

Re:Sinkholing, WTF?

[Dutch+Gun]

There's little choice but to seize command-and-control domains in order to stop these widely distributed botnets. My guess is that this is simply done at the DNS level, which would be pretty simple since they're apparently cooperating with ICANN authorities, according to the press release. Also, it's ridiculous to expect authorities to track down half a million victims and help them clean up their computers. Besides, in the US at least, I believe it would actually be illegal to do anything to a user's system without their express consent.

So, sorry, I don't see this as some nefarious plot by world governments to take over the internet... that's probably a different department. This is exactly what law enforcement needs to be doing to combat these fucking botnets operators and ransomware distributors who are ruining things for the rest of us.

Re:Sinkholing, WTF?

[Dutch+Gun]

Unfortunately, there's no convenient global IP-to-email or IP-to-person database, so it's not as easy as you may think to contact those affected. IPs are usually dynamically assigned to consumer users, meaning there's no simple one-to-one mapping. While it's certainly *possible* to track down a user by IP, it's by no means trivial to do so, or even possible in all cases. ISPs may be reluctant to hand out that information to law enforcement without a subpoena, and that's generally a good thing for our privacy.

Probably the most effective response to help individuals, now that the authorities have the command and control systems, is to instruct the malware to remotely disable itself and patch any known infection vector / vulnerability. This has been done on several occasions by the FBI and Microsoft in recent years, which has a dedicated anti cyber-crime lab that works with them on these sorts of cases. Of course, this is fraught with both technical and legal concerns, due to potential abuse or a slippery slope encroachment of privacy rights. And things are made more complicated because of the various international laws that may impact the ability of law enforcement to do this.

I certainly understand your skepticism regarding governments, law enforcement, and potential for abuse by overreach, but I really do think they're doing the right thing here. It's unfortunate that governments and law enforcement has undermined the public trust with their actions, such that we can't help but question their motivations, even when they're (I believe) legitimately stopping criminals like this.