- Dec 30, 2012
For the past 18 months, The Shadowserver Foundation has been quietly working to support international Law Enforcement agencies in the coordinated take down of the criminal operated Avalanche malware delivery platform.
Avalanche is a Double Fast Flux content delivery and management platform, designed for the delivery and so-called bullet-proof management of botnets. Disrupting it meant dealing with more than 20 different malware families using multiple Domain Generation Algorithms (DGAs), criminal infrastructure operating in 30 countries and US states, and an impact on over 60 registries worldwide, which required unprecedented levels of effective international partnership.
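The double fast flux pattern mentioned above, where both a domain's A records and the A records of its own name servers rotate rapidly with short TTLs, can be spotted in passive DNS data. The following is an added illustration, not Shadowserver's code, using constructed observations and assumed detection thresholds:

```python
from collections import defaultdict

# Constructed passive-DNS observations (not real Avalanche data):
# (timestamp, qname, rrtype, value, ttl)
OBSERVATIONS = [
    (0,   "evil.example", "NS", "ns1.evil.example", 120),
    (0,   "evil.example", "A", "198.51.100.5", 120),
    (0,   "ns1.evil.example", "A", "203.0.113.10", 120),
    (300, "evil.example", "A", "198.51.100.77", 120),
    (300, "ns1.evil.example", "A", "203.0.113.44", 120),
    (600, "evil.example", "A", "192.0.2.9", 120),
    (600, "ns1.evil.example", "A", "203.0.113.91", 120),
    (0,   "static.example", "NS", "ns1.static.example", 86400),
    (0,   "ns1.static.example", "A", "192.0.2.1", 86400),
    (0,   "static.example", "A", "192.0.2.2", 3600),
    (900, "static.example", "A", "192.0.2.2", 3600),
]

def flux_profile(observations):
    """Per zone (qname of an NS record): distinct apex A addresses, distinct
    A addresses of its NS hosts, and the lowest TTL seen on either."""
    ns_hosts = defaultdict(set)   # zone -> NS hostnames
    a_values = defaultdict(set)   # name -> A addresses
    min_ttl = defaultdict(lambda: float("inf"))
    for _ts, name, rrtype, value, ttl in observations:
        if rrtype == "NS":
            ns_hosts[name].add(value)
        elif rrtype == "A":
            a_values[name].add(value)
        min_ttl[name] = min(min_ttl[name], ttl)
    profile = {}
    for zone, hosts in ns_hosts.items():
        ns_ips = set().union(*(a_values[h] for h in hosts))
        profile[zone] = {
            "apex_ips": len(a_values[zone]),
            "ns_ips": len(ns_ips),
            "min_ttl": min(min_ttl[zone], *(min_ttl[h] for h in hosts)),
        }
    return profile

def is_double_fast_flux(entry, ip_threshold=3, ttl_threshold=300):
    """Heuristic: apex and its name servers both churn through several
    addresses at short TTLs (thresholds are assumptions for this example)."""
    return (entry["apex_ips"] >= ip_threshold
            and entry["ns_ips"] >= ip_threshold
            and entry["min_ttl"] <= ttl_threshold)

def flag_domains(observations):
    """Return the zones in the observation set that match the heuristic."""
    return sorted(z for z, p in flux_profile(observations).items()
                  if is_double_fast_flux(p))
```

Real fast-flux detection also weighs the address diversity (distinct ASNs and prefixes) behind the rotating IPs, which a single-source passive DNS feed alone does not give you.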
As a key member of a technical subgroup, Shadowserver worked with partners to build the sinkholing infrastructure and coordinate the intentional DNS registry/registrar activities. This resulted in disruption of the criminally operated Avalanche infrastructure and sinkholing of elements of the following malware families:
- Bolek
- Citadel
- CoreBot
- Gozi2
- Goznym
- KINS / VMZeus
- Marcher
- Matsnu
- Nymaim
- Pandabanker
- Ranbyus
- Rovnix
- Smart App
- Smoke Loader / Dofoil
- TeslaCrypt
- Tiny Banker / Tinba
- Fake Trusteer App
- UrlZone
- Vawtrak
- Xswkit
We have been particularly impressed with the tenacity and ambition of the Public Prosecutor’s Office Verden and the Lüneburg Police (Germany) who took the lead on this investigation four years ago. We have similarly been impressed with the people at Europol, the FBI/DoJ and other Law Enforcement agencies – some of whom faced extraordinary challenges. Similarly, credit must go to all the other technical partners and DNS community members who have worked so well as part of a true public/private partnership.
We will be publishing more supporting information in the coming days, but here are some initial statistics:
- Jurisdictions: 30
- Arrests: 5
- Premises searched: 37
- Servers seized: 39
- Servers taken offline through abuse reports: 221
- Countries with victim IPs: Over 180
- Domains blocked or delegated to Shadowserver’s sinkholes: Over 800,000 in over 60 Top-Level Domains (TLDs)
For existing report recipients, remediation data from this operation will be tagged in our existing feeds as “avalanche-malwarefamily-name”, from the morning of Friday 2nd December 2016.
Many of the sinkholed domains saw the first full scale use of the Registrar of Last Resort (RoLR) – another not-for-profit organization set up by The Shadowserver Foundation to assist DNS Registries and Law Enforcement agencies in remediating DNS related abuse.