Avalanche was acriminal syndicate involved inphishing attacks,online bank fraud, andransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.
In November 2016, the Avalanchebotnet was destroyed after a four-year project by an international consortium of law enforcement, commercial, academic, and private organizations.
Avalanche was discovered in December 2008, and may have been a replacement for a phishing group known as Rock Phish which stopped operating in 2008.[1] It was run fromEastern Europe and was given its name by security researchers because of the high volume of its attacks.[2][3] Avalanche launched 24% of phishing attacks in the first half of 2009; in the second half of 2009, theAnti-Phishing Working Group (APWG) recorded 84,250 attacks by Avalanche, constituting 66% of all phishing attacks. The number of total phishing attacks more than doubled, an increase which the APWG directly attributes to Avalanche.[4]
Avalanche usedspam email purporting to come from trusted organisations such as financial institutions or employment websites. Victims were deceived into entering personal information on websites made to appear as though they belong to these organisations. They were sometimes tricked into installing software attached to the emails or at a website. Themalwarelogged keystrokes, stole passwords and credit card information, and allowed unauthorisedremote access to the infected computer.
Internet Identity's Phishing Trends report for the second quarter of 2009 said that Avalanche "have detailed knowledge of commercial banking platforms, particularly treasury management systems and theAutomated Clearing House (ACH) system. They are also performing successful real-timeman-in-the-middle attacks that defeat two-factor security tokens."[5]
Avalanche had many similarities to the previous groupRock Phish - the first phishing group which used automated techniques - but with greater in scale and volume.[6] Avalanche hosted its domains on compromised computers (abotnet). There was no singlehosting provider, making difficult to take down the domain and requiring the involvement of the responsibledomain registrar.
In addition, Avalanche usedfast-fluxDNS, causing the compromised machines to change constantly. Avalanche attacks also spread theZeusTrojan horse enabling further criminal activity. The majority of domains which Avalanche used belonged to nationaldomain name registrars in Europe and Asia. This differs from other phishing attacks, where the majority of domains useU.S. registrars. It appears that Avalanche chose registrars based on their security procedures, returning repeatedly to registrars which do not detect domains being used for fraud, or which were slow to suspend abusive domains.[5][7]
Avalanche frequently registered domains with multiple registrars, while testing others to check whether their distinctive domains were being detected and blocked. They targeted a small number of financial institutions at a time, but rotated these regularly. A domain which not suspended by a registrar was re-used in later attacks. The group created a phishing "kit", which came pre-prepared for use against many victim institutions.[5][8]
Avalanche attracted significant attention from security organisations; as a result, theuptime of thedomain names it used was half that of other phishing domains.[4]
In October 2009,ICANN, the organisation which manages the assignment of domain names, issued a Situation Awareness Note encouraging registrars to be proactive in dealing with Avalanche attacks.[9] The UK registry,Nominet has changed its procedures to make it easier to suspend domains, because of attacks by Avalanche.[4] Interdomain, a Spanish registrar, began requiring a confirmation code delivered bymobile phone in April 2009 which successfully forced Avalanche to stop registering fraudulent domains with them.[5]
In 2010, the APWG reported that Avalanche had been responsible for two-thirds of all phishing attacks in the second half of 2009, describing it as "one of the most sophisticated and damaging on the Internet" and "the world's most prolific phishing gang".[4]
In November 2009, security companies managed to shut down the Avalanche botnet for a short time; after this Avalanche reduced the scale of its activities and altered itsmodus operandi. By April 2010, attacks by Avalanche had decreased to just 59 from a high of more than 26,000 in October 2009, but the decrease was temporary.[1][4]
On November 30, 2016, the Avalanche botnet was destroyed at the end of a four-year project byINTERPOL,Europol, theShadowserver Foundation,[10]Eurojust, theLuneberg (Germany) police, The German Federal Office for Information Security (BSI), the Fraunhofer FKIE, several antivirus companies organized bySymantec,ICANN,CERT, theFBI, and some of the domain registries that had been used by the group.
Symantecreverse-engineered the client malware and the consortium analyzed 130TB of data captured during those years. This allowed it to defeat thefast-flux distributedDNS obfuscation, map the command/control structure[11] of the botnet, and identify its numerous physical servers.
37 premises were searched, 39 servers were seized, 221 rented servers were removed from the network when their unwitting owners were notified, 500,000zombie computers were freed from remote control, 17 families of malware were deprived of c/c, and the five people who ran the botnet were arrested.
The law enforcementsinkhole server, described in 2016 as the "largest ever", with 800,000 domains served, collects the IP addresses of infected computers that request instructions from the botnet so that the ISPs owning them can inform users that their machines are infected and provide removal software.[12][13][14]
The following malware families were hosted on Avalanche:
The Avalanche network also provided the c/c communications for these other botnets:
