International Authorities Take Down Massive 'Avalanche' Botnet, Sinkhole Over 800,000 Domains

plover writes: Investigators from the U.S. Department of Justice, the FBI, Eurojust, Europol, and other global partners announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis. A Europol release says: "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. In addition, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked." Sean Gallagher writes via Ars Technica: "The domains seized have been 'sinkholed' to terminate the operation of the botnet, which is estimated to have spanned over hundreds of thousands of compromised computers around the world. The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the U.S. portion of the takedown. 'The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network,' the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as 'the world's most prolific phishing gang,' noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). 'During that time, it targeted more than 40 major financial institutions, online services, and job search providers,' APWG reported. In December of 2009, the network used 959 distinct domains for its phishing campaigns. Avalanche also actively spread the Zeus financial fraud botnet at the time."

Re:over 180 countries

[AHuxley]

List of sovereign states: "193 member states, two observer states, and 11 other states." https://en.wikipedia.org/wiki/...
180 is covered AC. It just shows the reach of the "International Authorities" AC. If they can cooperate on this, how is any VPN secure in most nations?

Sinkholing, WTF?

[rtb61]

"Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. "https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation. Hey, fuckers, you are meant to fix the end users computers not fucking keep a back door for yourselves, seriously, what the fuck?

Re:Sinkholing, WTF?

[AHuxley]

That must be for the few free nations the international authorities could not get into, so they just alter the internet a bit.

Re:Sinkholing, WTF?

[sl3xd]

It's not the government's job to repair the damage. They stop the criminals, and impound their stuff — including domains, and clear the roads so the rest of us can use them again.

They don't undo or make reparations for the damage the criminals did during thier spree.

So yeah, the backdoor changed hands, to a set the government feels is more responsible. Depending on the behavior of the botnet, it may be a bad idea to zero out the domain's DNS. We're into design a botnet, I'd certainly make it do something horrible if the command and control became unreachable. It may be better to just set up a long term honeypot to keep the swarm mollified.

Whether we like the decision or not is irrelevant unless you can convince enough of the population to make an issue of it. My money's on an an overwhelming attitude of "The police stopped hackers? Keep up the good work!"

So point your ire in the right direction: A population that doesn't care about computers, doesn't care about security, and wants stuff cheap. Blame manufacturers who pump out lousy insecure products and only give lip service to security in order to sell more insecure garbage.

It's a bad situation because neither consumers or producers have a reason to change thier behavior.

It's politically easy in a lot of nations to penalize manufacturers by creating regulations. Unless those against regulations come up with a better idea, regulation is likely what we'll get, because it's the most effective solution offered.

Re:Sinkholing, WTF?

[Dutch+Gun]

There's little choice but to seize command-and-control domains in order to stop these widely distributed botnets. My guess is that this is simply done at the DNS level, which would be pretty simple since they're apparently cooperating with ICANN authorities, according to the press release. Also, it's ridiculous to expect authorities to track down half a million victims and help them clean up their computers. Besides, in the US at least, I believe it would actually be illegal to do anything to a user's system without their express consent.

So, sorry, I don't see this as some nefarious plot by world governments to take over the internet... that's probably a different department. This is exactly what law enforcement needs to be doing to combat these fucking botnets operators and ransomware distributors who are ruining things for the rest of us.

Re:Sinkholing, WTF?

[rectalfeeding]

Also, it's ridiculous to expect authorities to track down half a million victims and help them clean up their computers.

How about for a start posting a list of IP addresses, or possibly more nuanced evidential trace information, to a global database that anyone can check if they like? The early adopter power users might load the simple app that facilitates ensuring that they can at least pull such minimal notification if they are interested. That doesn't sound infeasible to me, though I invite comments explaining what is wrong with my theoretical reasonable solution.

Until I hear a much better story about why the authorities can get away with knowing computers are compromised with unauthorized accessors, while not notifying the owners so that they can remedy the situation including optionally exercising their right to prosecute the offender... Well, I'll assume something slightly less than fully above board policy is going on.

It seems to me that if the efforts were made to get the hacked victims notified, more effective and appropriate market pressures would travel upstream to the relevant insufficiently supported device manufacturers.

Re:Sinkholing, WTF?

[Dutch+Gun]

Unfortunately, there's no convenient global IP-to-email or IP-to-person database, so it's not as easy as you may think to contact those affected. IPs are usually dynamically assigned to consumer users, meaning there's no simple one-to-one mapping. While it's certainly *possible* to track down a user by IP, it's by no means trivial to do so, or even possible in all cases. ISPs may be reluctant to hand out that information to law enforcement without a subpoena, and that's generally a good thing for our privacy.

Probably the most effective response to help individuals, now that the authorities have the command and control systems, is to instruct the malware to remotely disable itself and patch any known infection vector / vulnerability. This has been done on several occasions by the FBI and Microsoft in recent years, which has a dedicated anti cyber-crime lab that works with them on these sorts of cases. Of course, this is fraught with both technical and legal concerns, due to potential abuse or a slippery slope encroachment of privacy rights. And things are made more complicated because of the various international laws that may impact the ability of law enforcement to do this.

I certainly understand your skepticism regarding governments, law enforcement, and potential for abuse by overreach, but I really do think they're doing the right thing here. It's unfortunate that governments and law enforcement has undermined the public trust with their actions, such that we can't help but question their motivations, even when they're (I believe) legitimately stopping criminals like this.

Re:Sinkholing, WTF?

[Dutch+Gun]

Not anymore, I believe that's part of the rule41 changes

Hmm, it seems I was wrong, but not for that reason. In recent years (like, within the last five years or so) they've actually used botnet command and control systems to try to fix or patch up user systems. I've linked a legal paper in a different post that described some of these events.

I'm wondering if part of the intention of Rule 41 was to clarify the legal standing of the botnet issue. Will have to do a bit more reading on that, as it somehow slipped by my radar.

Re:Sinkholing, WTF?

[drinkypoo]

It's not the government's job to repair the damage. They stop the criminals, and impound their stuff â" including domains, and clear the roads so the rest of us can use them again.

Yes, but the idea is not that they become the criminals. Upon taking control of a botnet, they are illegally taking control of all the PCs in the net. Literally the only thing they should be doing with a botnet is uninstalling it.

Re:Sinkholing, WTF?

[jabuzz]

Certainly under UK law that would be fine provided they didn't direct the botnet to actually do anything.

Re:Sinkholing, WTF?

[Archangel+Michael]

"We have altered the internet. Pray we do not alter it further"

Re:Sinkholing, WTF?

[chispito]

"Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. "https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation. Hey, fuckers, you are meant to fix the end users computers not fucking keep a back door for yourselves, seriously, what the fuck?

Way to react without thinking it through or doing a semblance of research on the matter. Governments can't remotely scrub hundreds of thousands or millions of private computers all over the world. What governments CAN do, and often do, is use their power to change DNS so that the malware can't contact the command and control servers, in effect de-fanging the malware. Private companies like Microsoft do this a lot also.

Spin it however you want, but the world is a better place because it happens and there is no other feasible way to combat botnets on this scale.

Re:Sinkholing, WTF?

[klui]

I agree. It isn't practical to patch because if they haven't been patched before and most of their owners are probably ignorant of their pwnage. Wait 6 months and many of those devices would get out of date quickly. A whole government organization would be required to constantly monitor them and I don't think people would want that from the government. These botnets are globally spread out so there would be jurisdiction issues.

attacking availability without defeating security

[rectalfeeding]

List of sovereign states: "193 member states, two observer states, and 11 other states." https://en.wikipedia.org/wiki/... 180 is covered AC. It just shows the reach of the "International Authorities" AC. If they can cooperate on this, how is any VPN secure in most nations?

The same way a VPN is secure generally? What you mean perhaps is- How is any VPN guaranteed to be reliable across national borders utilizing publicly available commercial infrastructure network interconnections even against a cooperating international community opposed to it? And the answer is that no such guarantee was ever implied or presumed by anyone who gave it much thought.

As a result, five individuals were arrested

[hcs_$reboot]

From which country/ies?

Re:JAIL every one of these losers!

[Streetlight]

The punishment could differ depending on the country in which each individual set up was located and the individuals running them. In some places they might get a bullet (which they must pay for) in the back of the head or a bullet from a firing squad in a prison located on an island. Others might become some kind of hero for the president of a large country.

Re:JAIL every one of these losers!

[jonwil]

The #1 reason malware is such a big problem is that the scumbags who create and distribute the malware are often located in countries like Russia where the criminal organizations producing and distributing the malware are in bed with the government and there is no willingness from anyone to actually stop this crap from happening.

Investigator take down 'computer' botnet

[khz6955]

"Investigators .. announced the takedown of a massive botnet named "Avalanche," estimated to have involved as many as 500,000 infected computers worldwide on a daily basis"

What was the name of the Operating System that facilitated this 'computer' botnet.

Re:Investigator take down 'computer' botnet

[Ol+Olsoc]

What was the name of the Operating System that facilitated this 'computer' botnet.

Mud.

Re:Another Trump victory!

[Highdude702]

This shit right here is the parasitic comments that are driving people away form slashdot. HE HASN'T EVEN BEEN INAUGURATED YET HE CANT BE THE WORST PRESIDENT WHEN HES NOT EVEN PRESIDENT YET!! You people, yes i said YOU PEOPLE are fucking bat shit crazy..

Backup for the Web

[Neuronwelder]

I don't know how it can be done. But at the rate of attacks I've been noticing, we need some sort of a backup Web system to keep things going when the system is down. Am I wrong??

It's nothing in comparison.

[malditaenvidia]

Imagine the impact of taking down the google botnet.