Slashdot Mirror


International Authorities Take Down Massive 'Avalanche' Botnet, Sinkhole Over 800,000 Domains (arstechnica.com)

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. 
In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

1 of 53 comments

  1. Re:Sinkholing, WTF? by sl3xd · Score: 4, Insightful

    It's not the government's job to repair the damage. They stop the criminals, and impound their stuff — including domains, and clear the roads so the rest of us can use them again.

    They don't undo or make reparations for the damage the criminals did during their spree.

    So yeah, the backdoor changed hands, to a set the government feels is more responsible. Depending on the behavior of the botnet, it may be a bad idea to zero out the domain's DNS. Were I to design a botnet, I'd certainly make it do something horrible if the command and control became unreachable. It may be better to just set up a long term honeypot to keep the swarm mollified.

    Whether we like the decision or not is irrelevant unless you can convince enough of the population to make an issue of it. My money's on an overwhelming attitude of "The police stopped hackers? Keep up the good work!"

    So point your ire in the right direction: A population that doesn't care about computers, doesn't care about security, and wants stuff cheap. Blame manufacturers who pump out lousy insecure products and only give lip service to security in order to sell more insecure garbage.

    It's a bad situation because neither consumers nor producers have a reason to change their behavior.

    It's politically easy in a lot of nations to penalize manufacturers by creating regulations. Unless those against regulations come up with a better idea, regulation is likely what we'll get, because it's the most effective solution offered.

    --
    -- Sometimes you have to turn the lights off in order to see.
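Once a botnet's domains are sinkholed, finding the machines on your own network that still call home is left to the victims, as the comment above notes. The following is an added example (not code from the article, Europol, or the commenter) that scans BIND-style DNS query log lines for clients resolving sinkholed domains, matching exact names and subdomains; the domain list, log lines and IP addresses are constructed placeholders, not real Avalanche indicators.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Constructed placeholder list of sinkholed C2 apex domains (not real indicators).
# In practice this would come from the sinkhole operator's published list.
SINKHOLED_DOMAINS: Set[str] = {"botnet-c2.example", "update-check.example"}

# Matches the client and queried name in a BIND "query" log line, e.g.
# 01-Dec-2016 10:15:02.123 client 10.0.0.5#51234: query: www.botnet-c2.example IN A + (10.0.0.1)
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def matches_sinkhole(name: str, sinkholed: Set[str] = SINKHOLED_DOMAINS) -> Optional[str]:
    """Return the sinkholed apex that `name` equals or is a subdomain of, else None.

    Splitting on labels avoids false positives such as 'notbotnet-c2.example'.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in sinkholed:
            return candidate
    return None


def find_infected_clients(log_lines: Iterable[str],
                          sinkholed: Set[str] = SINKHOLED_DOMAINS) -> Dict[str, Dict[str, int]]:
    """Map client IP -> {sinkholed apex: query count} for queries hitting sinkholed domains."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query log line; skip
        apex = matches_sinkhole(m.group("name"), sinkholed)
        if apex:
            hits[m.group("ip")][apex] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "01-Dec-2016 10:15:02.123 client 10.0.0.5#51234: query: www.botnet-c2.example IN A + (10.0.0.1)",
    "01-Dec-2016 10:15:03.456 client 10.0.0.5#51235: query: botnet-c2.example IN A + (10.0.0.1)",
    "01-Dec-2016 10:15:04.789 client 10.0.0.7#51236: query: www.example.org IN A + (10.0.0.1)",
    "01-Dec-2016 10:15:05.012 client 10.0.0.9#51237: query: cdn.update-check.example IN A + (10.0.0.1)",
    "01-Dec-2016 10:15:06.345 client 10.0.0.7#51238: query: notbotnet-c2.example IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for ip, counts in find_infected_clients(SAMPLE_LOG).items():
        print(ip, counts)
```

Each client listed is a candidate for cleanup; the per-domain counts help prioritise hosts that are beaconing repeatedly rather than a one-off lookup.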