EU, US cops kill Avalanche global crime botnet

A joint operation between European and United States police forces has closed down the Avalanche digital crime network that is estimated to have caused hundreds of millions of dollars in losses worldwide.

Avalanche was used to deliver and manage mass malware attacks and money mule recruiting campaigns globally. The criminal network is thought to be responsible for two-thirds of all phishing attempts since 2009, with over a million emails containing damaging attachments or links being sent to victims each week.

The Shadowserver Foundation, a volunteer organisation of security professionals gathering intelligence on cyber crime, said Avalanche was a "Double Fast Flux" operation, churning through hundreds of thousands of domain names and IP addresses at high speed to avoid being detected and taken down.

Europol, Interpol, the United States Department of Justice and the Federal Bureau of Investigation spent four years hunting down the Avalanche operators, aided by security vendors.

The investigation into Avalanche started in Germany in 2012, after the Windows Encryption Trojan ransomware infected a large number of computers in the country. A separate malware campaign the same year by the Avalanche botnet that saw criminals harvest internet banking and email passwords added further impetus to the police investigation.

In total, prosecutors and investigators from 30 countries were involved in taking down Avalanche, including Australian law enforcement.

As part of the investigation, Germany's Federal Office for Information Security together with the Fraunhofer Institute combed through more than 130 terabytes of captured data to work out the Avalanche botnet's server structure.

Five unnamed individuals were arrested and 37 premises raided, with 39 servers seized by police.

The scale of the Avalanche malware distribution network was substantial. Europol said victims of malware infections were identified in more than 180 countries, and abuse notifications sent to hosting providers took down 221 servers on their networks.

More than 800,000 domains used by the Avalanche network were sinkholed, meaning they are blocked and cannot be reached, in the largest such operation to date.

Police estimate the Avalanche botnet used as many as half a million infected computers around the world daily. 

Avalanche distributed some 20 different malware families such as oznym, marcher, matsnu, urlzone, xswkit, and pandabanker, the police said.