On Thursday, a group of international law enforcement agencies announced that it had completed an ambitious takedown of an extensive online criminal infrastructure called “Avalanche.” It’s one of the largest botnet takedowns ever, a four-year effort that turned up victims in 180 countries worldwide. Which is to say, nearly all of them.
The scale of Avalanche is overwhelming, as was that of the effort to unwind it. Criminals have been using the platform since 2009 to mount phishing attacks, distribute malware, shuffle stolen money across borders, and even act as a botnet in denial of service attacks. It specialized in targeting both financial institutions and people’s personal financial data, to great success. The Department of Justice pegs the monetary losses associated with Avalanche’s malware attacks as “in the hundreds of millions of dollars worldwide.”
Taking down an operation of that magnitude required globe-spanning coordination. Officials from agencies in 30 countries—including the US Justice Department, Europol, and the United Kingdom’s National Crime Agency—collaborated with private cybersecurity companies and academics. The final tally for the operation was five people arrested, 221 servers taken offline, another 37 seized, and more than 800,000 domains seized, blocked, or otherwise disrupted. If that last number sounds exceptionally large, that’s because it is. Typical botnet takedowns target more like 1,000 domains per day, according to the nonprofit Shadowserver Foundation, which worked on the Avalanche project.
The Avalanche operation was particularly complicated because it involved dismantling the service’s “fast-flux” hosting method. Fast-flux DNS rotates the IP addresses behind a domain name every few minutes, pointing victims at a constantly changing pool of proxy machines that relay traffic to the real back-end servers, so the botnet’s activities (like malware distribution and phishing) are hard to trace to their origin and taking down any single address removes only one disposable proxy. To combat the 20 families of malware the system spread, the takedown operation used a process called “sinkholing,” in which the domains that infected computers use to reach their command servers are redirected to servers run by investigators. That cuts off the channel for malicious commands, and as a side effect lets investigators count the infected machines that check in.
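To make the two mechanisms concrete, here is an added example (not code from the Avalanche operation, Shadowserver, or any tool the article mentions) that applies simple fast-flux heuristics to a series of DNS lookups and then models a sinkhole that answers queries for a seized domain with an investigator-controlled address while recording which clients checked in. All domains, IP addresses, ASN numbers and thresholds are constructed for illustration; a real fast-flux detector would use more features than the three shown here.

```python
"""Fast-flux heuristics and a DNS sinkhole, run over constructed DNS data.

Hypothetical example code; not from the Avalanche investigation or any
named tool. Domains, addresses, ASNs and thresholds are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    domain: str
    ttl: int        # TTL (seconds) on the returned A records
    answers: tuple  # A records returned by this one lookup
    asns: tuple     # ASN per answer, same order (assumes an IP->ASN map exists)


# Constructed observations. "update-check.example" behaves like a fast-flux
# front: a fresh set of unrelated hosts on every lookup and a short TTL.
# "cdn.example" rotates a few addresses too, but all inside one network.
OBSERVED = [
    Lookup("update-check.example", 120, ("203.0.113.5", "198.51.100.7", "192.0.2.9"), (64500, 64501, 64502)),
    Lookup("update-check.example", 120, ("192.0.2.44", "203.0.113.81", "198.51.100.30"), (64503, 64504, 64505)),
    Lookup("update-check.example", 120, ("203.0.113.200", "192.0.2.120", "198.51.100.99"), (64506, 64507, 64508)),
    Lookup("cdn.example", 300, ("198.51.100.10", "198.51.100.11"), (64496, 64496)),
    Lookup("cdn.example", 300, ("198.51.100.12", "198.51.100.10"), (64496, 64496)),
    Lookup("cdn.example", 300, ("198.51.100.11", "198.51.100.13"), (64496, 64496)),
]

# Illustrative thresholds, not published values.
MIN_UNIQUE_IPS = 6    # many distinct addresses seen across lookups
MIN_UNIQUE_ASNS = 3   # spread over unrelated networks (compromised proxies)
MAX_TTL = 300         # short TTL forces clients to re-resolve often


def flux_features(lookups):
    """Per-domain summary: (unique IPs, unique ASNs, lowest TTL seen)."""
    ips, asns, ttl = defaultdict(set), defaultdict(set), {}
    for lk in lookups:
        ips[lk.domain].update(lk.answers)
        asns[lk.domain].update(lk.asns)
        ttl[lk.domain] = min(ttl.get(lk.domain, lk.ttl), lk.ttl)
    return {d: (len(ips[d]), len(asns[d]), ttl[d]) for d in ips}


def is_fast_flux(features):
    n_ip, n_asn, ttl = features
    return n_ip >= MIN_UNIQUE_IPS and n_asn >= MIN_UNIQUE_ASNS and ttl <= MAX_TTL


def classify(lookups):
    """Map each observed domain to True (fast-flux candidate) or False."""
    return {d: is_fast_flux(f) for d, f in flux_features(lookups).items()}


class Sinkhole:
    """Resolver that answers seized domains with the sinkhole address.

    Every client that asks for a seized domain is recorded, which is how
    a sinkhole produces a count of infected machines.
    """

    def __init__(self, seized_domains, sinkhole_ip):
        self.seized = set(seized_domains)
        self.sinkhole_ip = sinkhole_ip
        self.checkins = defaultdict(set)  # domain -> set of client IPs

    def resolve(self, domain, client_ip, upstream_answers):
        if domain in self.seized:
            self.checkins[domain].add(client_ip)
            return (self.sinkhole_ip,)
        return tuple(upstream_answers)  # untouched domains pass through

    def victims(self, domain):
        return len(self.checkins[domain])


if __name__ == "__main__":
    verdicts = classify(OBSERVED)
    for domain, flagged in verdicts.items():
        print(f"{domain}: {'fast-flux candidate' if flagged else 'looks ordinary'}")

    sh = Sinkhole([d for d, f in verdicts.items() if f], "192.0.2.1")
    for client in ("10.0.0.5", "10.0.0.5", "10.0.0.9"):  # constructed bot check-ins
        sh.resolve("update-check.example", client, ("203.0.113.5",))
    print("distinct victims seen:", sh.victims("update-check.example"))
```

The check-in count is exactly the kind of data behind the article's "180 countries" figure: once the domains are re-pointed, the sinkhole sees every infected machine that tries to phone home, but nothing in this flow cleans those machines.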
Sinkholing cut the infected machines off from the criminals’ servers, but it doesn’t eliminate whole malware strains, or remove malicious software from infected computers. Still, experts see this as a victory with implications that expand beyond a single criminal enterprise.
Even operations on this scale can only be a hindrance to cyber criminals, not a permanent obstacle. But they act as a vital deterrent and protection for consumers.
“These kinds of investigations are difficult and lengthy but they yield profound changes,” Jérôme Segura, the lead malware intelligence analyst at Malwarebytes, wrote to WIRED. “Identifying and prosecuting the people behind the infrastructure is what can have the longest-lasting impact. The public display of law enforcement breaking down doors and handcuffing malicious operators has a chilling effect.”
Not only that, but the process forged by this project may make future collaborative investigations more efficient. “Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime,” Europol director Rob Wainwright said in a statement. “The complex trans-national nature of cyber investigations requires international cooperation between public and private organizations at an unprecedented level.”
As for the extant malware, many anti-virus tools already scanned for some or all of the families distributed by Avalanche. Officials also worked with multiple security companies to ensure that they offered tools tailored to eliminating Avalanche-related infections. One of those companies, Symantec, points out that though the “malware-hosting network has been dealt a severe blow,” organizations and individuals can still protect themselves further by eliminating malware from their machines.
Most importantly, more efficient malware scans and better international cooperation among law enforcement are capabilities worth honing for the future. Criminal infrastructure may never fully go away, but having better tools to fight it will help limit the impact of future bad actors. Arrests and server seizures aside, if the collaborations forged during the Avalanche takedown can make future operations cheaper and easier, the project will be a vital contribution to cybersecurity enforcement.
“It’s an important success and hopefully it’s going to shield a large number of victims,” a Shadowserver representative told WIRED. “But criminals will move and fill the gap, the vacuum won’t last for long. Eventually they’re going to go back to business in hours, days, weeks and they’ll start infecting new victims. It’s an ongoing battle with the criminals for the foreseeable future.”