Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system. In November 2016, the Avalanche botnet was destroyed after a four-year project by an international consortium of law enforcement, commercial, academic, and private organizations.


History

Avalanche was discovered in December 2008, and may have been a replacement for a phishing group known as Rock Phish which stopped operating in 2008. It was run from Eastern Europe and was given its name by security researchers because of the high volume of its attacks. Avalanche launched 24% of phishing attacks in the first half of 2009; in the second half of 2009, the Anti-Phishing Working Group (APWG) recorded 84,250 attacks by Avalanche, constituting 66% of all phishing attacks. The number of total phishing attacks more than doubled, an increase which the APWG directly attributes to Avalanche.

Avalanche used spam email purporting to come from trusted organisations such as financial institutions or employment websites. Victims were deceived into entering personal information on websites made to appear as though they belonged to these organisations. They were sometimes tricked into installing software attached to the emails or hosted on a website. The malware logged keystrokes, stole passwords and credit card information, and allowed unauthorised remote access to the infected computer. Internet Identity's Phishing Trends report for the second quarter of 2009 said that Avalanche "have detailed knowledge of commercial banking platforms, particularly treasury management systems and the Automated Clearing House (ACH) system. They are also performing successful real-time man-in-the-middle attacks that defeat two-factor security tokens."

Avalanche had many similarities to the previous group Rock Phish, the first phishing group which used automated techniques, but was greater in scale and volume. Avalanche hosted its domains on compromised computers (a botnet). There was no single hosting provider, which made it difficult to take down a domain and required the involvement of the responsible domain registrar. In addition, Avalanche used fast-flux DNS, so the compromised machines serving a given domain changed constantly. Avalanche attacks also spread the Zeus Trojan horse, enabling further criminal activity.

The majority of domains which Avalanche used belonged to national domain name registrars in Europe and Asia. This differs from other phishing attacks, where the majority of domains use U.S. registrars. It appears that Avalanche chose registrars based on their security procedures, returning repeatedly to registrars which did not detect domains being used for fraud, or which were slow to suspend abusive domains. Avalanche frequently registered domains with multiple registrars, while testing others to check whether its distinctive domains were being detected and blocked. The group targeted a small number of financial institutions at a time, but rotated these regularly. A domain which was not suspended by a registrar was re-used in later attacks. The group created a phishing "kit", which came pre-prepared for use against many victim institutions. Avalanche attracted significant attention from security organisations; as a result, the uptime of the domain names it used was half that of other phishing domains.

In October 2009, ICANN, the organisation which manages the assignment of domain names, issued a Situation Awareness Note encouraging registrars to be proactive in dealing with Avalanche attacks. The UK registry, Nominet, changed its procedures to make it easier to suspend domains because of attacks by Avalanche. Interdomain, a Spanish registrar, began requiring a confirmation code delivered by mobile phone in April 2009, which successfully forced Avalanche to stop registering fraudulent domains with it. In 2010, the APWG reported that Avalanche had been responsible for two-thirds of all phishing attacks in the second half of 2009, describing it as "one of the most sophisticated and damaging on the Internet" and "the world's most prolific phishing gang".
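The fast-flux hosting described above is what defenders look for when triaging a suspect domain: short TTLs, many distinct answer addresses and answers that rotate between lookups. The following detector is an added example, not code from the article or from any takedown partner; the DNS snapshots, the thresholds and the /24 grouping are constructed assumptions standing in for real resolver data and ASN lookups.

```python
import ipaddress

# Constructed sample data (not captured from Avalanche): repeated A-record
# lookups of one domain. Each entry is (TTL, answer IPs). Fast flux shows
# short TTLs, many distinct addresses and answers that are replaced between
# queries; a stable host returns the same address with a long TTL.
FAST_FLUX_SNAPSHOTS = [
    (300, ["203.0.113.5", "198.51.100.20", "192.0.2.77"]),
    (300, ["203.0.113.9", "198.51.100.41", "192.0.2.130"]),
    (300, ["203.0.113.54", "198.51.100.8", "192.0.2.200"]),
]
STABLE_SNAPSHOTS = [
    (86400, ["203.0.113.5"]),
    (86400, ["203.0.113.5"]),
]

def flux_features(snapshots, prefix_len=24):
    """Summarise how much the answer set moves across successive lookups."""
    seen_ips, seen_nets = set(), set()
    min_ttl = None
    churn_samples = []
    previous = set()
    for ttl, answers in snapshots:
        current = set(answers)
        seen_ips |= current
        for ip in current:
            # /24 stands in for an ASN lookup: flux pools span many networks.
            seen_nets.add(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if previous:
            # Fraction of this answer set that was absent from the previous one.
            churn_samples.append(len(current - previous) / len(current))
        previous = current
    return {
        "distinct_ips": len(seen_ips),
        "distinct_nets": len(seen_nets),
        "min_ttl": min_ttl,
        "churn": sum(churn_samples) / len(churn_samples) if churn_samples else 0.0,
    }

def is_fast_flux(snapshots, max_ttl=600, min_ips=5, min_churn=0.5):
    """Flag a domain only when the TTL is short AND answers are numerous AND rotating."""
    f = flux_features(snapshots)
    return f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips and f["churn"] >= min_churn

if __name__ == "__main__":
    for name, snaps in (("flux", FAST_FLUX_SNAPSHOTS), ("stable", STABLE_SNAPSHOTS)):
        print(name, flux_features(snaps), is_fast_flux(snaps))
```

Requiring all three signals together keeps CDN-backed domains, which also return several addresses, from being flagged on address count alone.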


Takedown

In November 2009, security companies managed to shut down the Avalanche botnet for a short time; after this Avalanche reduced the scale of its activities and altered its ''modus operandi''. By April 2010, attacks by Avalanche had decreased to just 59 from a high of more than 26,000 in October 2009, but the decrease was temporary.

On November 30, 2016, the Avalanche botnet was destroyed at the end of a four-year project by INTERPOL, Europol, the Shadowserver Foundation, Eurojust, the Lüneburg (Germany) police, the German Federal Office for Information Security (BSI), the Fraunhofer FKIE, several antivirus companies organized by Symantec, ICANN, CERT, the FBI, and some of the domain registries that had been used by the group. Symantec reverse-engineered the client malware and the consortium analyzed 130 TB of data captured during those years. This allowed it to defeat the fast-flux distributed DNS obfuscation, map the command-and-control structure of the botnet, and identify its numerous physical servers. 37 premises were searched, 39 servers were seized, 221 rented servers were removed from the network when their unwitting owners were notified, 500,000 zombie computers were freed from remote control, 17 families of malware were deprived of command-and-control (C&C), and the five people who ran the botnet were arrested. The law enforcement sinkhole server, described in 2016 as the "largest ever", with 800,000 domains served, collects the IP addresses of infected computers that request instructions from the botnet so that the ISPs owning them can inform users that their machines are infected and provide removal software.
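The sinkhole workflow described above, turned into a small report generator, as an added example that is not part of the article or of the takedown consortium's tooling: bots that call home to a sinkholed C&C domain leave a connection record, and the records are grouped per ISP so each operator can notify its own customers. The log format, the `.invalid` domains and the prefix-to-ISP table are constructed assumptions standing in for real sinkhole logs and a BGP or WHOIS lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log (not real Avalanche data), one line per bot
# connection, assumed format: "<timestamp> <source_ip> <requested_domain>".
SINKHOLE_LOG = """\
2016-12-01T08:00:01Z 203.0.113.17 cc-example-1.invalid
2016-12-01T08:00:04Z 203.0.113.17 cc-example-1.invalid
2016-12-01T08:00:09Z 203.0.113.88 cc-example-2.invalid
2016-12-01T08:01:13Z 198.51.100.4 cc-example-1.invalid
2016-12-01T08:02:40Z 192.0.2.250 cc-example-3.invalid
malformed line that must be skipped rather than abort the run
"""

# Constructed prefix-to-ISP table standing in for a BGP/WHOIS lookup.
ISP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "ISP-A (constructed)",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B (constructed)",
}

def isp_for(ip):
    """Longest-prefix match is unnecessary here: the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, name in ISP_PREFIXES.items():
        if addr in net:
            return name
    return "unknown"

def notifications(log_text):
    """Group infected source IPs by ISP; each IP maps to the sorted set of
    sinkholed C&C domains it contacted, ready for a per-ISP notification."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines; sinkhole feeds are noisy
        _, src, domain = parts
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # second field was not an address
        report[isp_for(src)][src].add(domain)
    return {isp: {ip: sorted(d) for ip, d in hosts.items()} for isp, hosts in report.items()}

if __name__ == "__main__":
    for isp, hosts in notifications(SINKHOLE_LOG).items():
        print(isp, hosts)
```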


Malware deprived of infrastructure

The following malware families were hosted on Avalanche:

* Windows-encryption Trojan horse (WVT) (a.k.a. Matsnu, Injector, Rannoh, Ransomlock.P)
* URLzone (a.k.a. Bebloh)
* Citadel
* VM-ZeuS (a.k.a. KINS)
* Bugat (a.k.a. Feodo, Geodo, Cridex, Dridex, Emotet)
* newGOZ (a.k.a. GameOverZeuS)
* Tinba (a.k.a. TinyBanker)
* Nymaim/GozNym
* Vawtrak (a.k.a. Neverquest)
* Marcher
* Pandabanker
* Ranbyus
* Smart App
* TeslaCrypt
* Trusteer App
* Xswkit

The Avalanche network also provided the command-and-control communications for these other botnets:

* TeslaCrypt
* Nymaim
* Corebot
* GetTiny
* Matsnu
* Rovnix
* Urlzone
* QakBot (a.k.a. Qbot, PinkSlip Bot)



External links


Joint Cyber Operation Takes Down Avalanche Criminal Network (FBI)