EU, U.S. authorities take down Avalanche global crimeware network

Authorities from 30 countries have dismantled Avalanche, the crimeware-as-a-service network used to steal hundreds of millions from victims around the globe.

After a four-year investigation, the Avalanche "crimeware-as-a-service" network was taken down by law enforcement agencies from 30 countries.

Avalanche used as many as 500,000 infected computers daily, and infected millions of computers with malware for harvesting banking and email credentials, according to US-CERT. The crimeware network spread more than two dozen malware families via more than 800,000 domains and provided command and control (C&C) services for at least eight botnets.

The U.S. Department of Justice and the FBI said in a joint statement that the Avalanche network "is estimated to involve hundreds of thousands of infected computers worldwide. The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network."

The FBI and Justice Department promised more information about the operation would be provided next week.

A press release from the European Police Office (Europol) -- the EU's law enforcement agency, focused on fighting serious international crime and terrorism -- said, "The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries."

The investigation was started in 2012 by the Public Prosecutor's Office in the German town of Verden and the Lüneburg Police (Germany), and was carried out with cooperation from the U.S. Attorney's Office for the Western District of Pennsylvania; the Department of Justice and the FBI; Europol; Eurojust, the EU agency for judicial cooperation on cross-border criminal investigations; and other global partners.

Europol said the law enforcement actions resulted in the arrest of five individuals, searches of 37 premises and the seizure of 39 servers. "Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked."

"Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions," according to the US-CERT alert on Avalanche. "Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims' compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service attacks or distributing malware variants to other victims' computers."

In addition, criminals used the Avalanche crimeware infrastructure to operate "money mule" schemes in which people were recruited to commit fraud by transporting or laundering stolen money or merchandise. The money mules accept stolen money or merchandise from a criminal or criminal organization and then forward it, usually after deducting some portion as a "commission," as directed by the criminals; this makes it difficult for investigators to trace the identities of the criminals involved.

According to US-CERT, "Avalanche used fast flux [Domain Name System (DNS)], a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies."

Criminals use fast flux DNS techniques, which change DNS records automatically and frequently, to protect their infrastructure against disruption by authorities. Avalanche actually used a "double fast flux network," according to the National Crime Agency (NCA) in the U.K., one of the law enforcement agencies involved in the takedown. The NCA stated that double fast flux changes both the IP address records and the authoritative DNS server for domains, further muddying the waters for investigators.
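As an added illustration (not part of the original article or of the US-CERT or NCA material), the following Python example shows how a defender might flag single and double fast flux from passive DNS observations. The thresholds, the record layout and the sample records are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import median
# Assumed thresholds for illustration; tune them against your own DNS baseline.
MAX_TTL, MIN_A, MIN_NETS, MIN_NS = 300, 5, 3, 3

def classify_flux(observations, window=3600):
    """Label each domain 'double-flux', 'single-flux' or 'stable'.
    observations: (epoch_seconds, domain, rtype, value, ttl) tuples.
    Only records seen within `window` seconds of the newest one are counted.
    """
    if not observations:
        return {}
    cutoff = max(o[0] for o in observations) - window
    seen = defaultdict(lambda: {"A": set(), "NS": set(), "ttl": defaultdict(list)})
    for ts, domain, rtype, value, ttl in observations:
        if ts >= cutoff and rtype in ("A", "NS"):
            seen[domain][rtype].add(value)
            seen[domain]["ttl"][rtype].append(ttl)
    verdicts = {}
    for domain, d in seen.items():
        # CDNs also rotate many low-TTL addresses, but inside few networks,
        # so require the A records to span several distinct /16 networks.
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in d["A"]}
        a_flux = (len(d["A"]) >= MIN_A and len(nets) >= MIN_NETS
                  and median(d["ttl"]["A"]) <= MAX_TTL)
        # Double flux: the authoritative name servers rotate as well.
        ns_flux = len(d["NS"]) >= MIN_NS and median(d["ttl"]["NS"]) <= MAX_TTL
        verdicts[domain] = ("double-flux" if a_flux and ns_flux
                            else "single-flux" if a_flux else "stable")
    return verdicts

def sample_observations():
    """Constructed records (documentation address ranges), not real data."""
    nets, obs = ["192.0.2", "198.51.100", "203.0.113"], []
    for i in range(6):
        ts = 1_480_000_000 + i * 300
        obs += [
            (ts, "single.example", "A", f"{nets[i % 3]}.{10 + i}", 120),
            (ts, "single.example", "NS", "ns1.single.example", 86400),
            (ts, "double.example", "A", f"{nets[i % 3]}.{50 + i}", 60),
            (ts, "double.example", "NS", f"ns{i}.double.example", 180),
            (ts, "cdn.example", "A", f"192.0.2.{100 + i}", 30),
            (ts, "cdn.example", "NS", "ns1.cdn.example", 86400),
        ]
    return obs

if __name__ == "__main__":
    print(classify_flux(sample_observations()))
```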

New model for global cybercrime fighting

The Avalanche operation may serve as a model for future international efforts to tamp down cybercrime.

"Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders," said Julian King, European Commissioner for the Security Union, quoted in the Europol press release. "Cybersecurity and law enforcement authorities need to work hand in hand with the private sector to tackle continuously evolving criminal methods."

"Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime," said Rob Wainwright, Europol director. "The complex trans-national nature of cyber investigations requires international cooperation between public and private organizations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens."

Investigating cybercrimes is often hampered by the difficulty of attribution, Chris Pogue, CISO at Sydney-based cybersecurity company Nuix, told SearchSecurity by email. While the use of anonymity tools like Tor and the use of compromised systems as jump boxes to obfuscate the source of attacks can make it difficult to identify the source of an attack, it's not impossible.

"The evidence required to satisfy the burden of proof in this regard is significant, and the investigative analysis must be flawless," Pogue said. "Adding to the challenge is the acquisition and execution of a Mutual Legal Assistance Treaty, or MLAT, which basically allows foreign law enforcement agencies to collaborate on a case that lies outside the borders of their home country. Based on the countries involved, and the complexities of their legal system, an MLAT can take, on average, anywhere from 10 months to a year (longer in some instances) to successfully process."

The scope and breadth of the investigation -- including investigators located in 41 different countries, investigating 16 criminal leaders in 10 different countries -- made the Avalanche operation unique. "Understanding the complexity of such a far-reaching investigation, and the political and legal challenges that needed to be addressed, the resulting raids and arrests are nothing short of amazing," Pogue said. "This is a tremendous feat by these agencies, and they should be commended for their dedication, tenacity and commitment to bring to justice those individuals that choose to commit these crimes."

Impact of Avalanche takedown

"There's no denying the fact that this is a major win for the good guys. The Avalanche servers that were taken down in this raid represent a critical piece of criminal infrastructure that was responsible for a sizable portion of the threats we see encountered on the internet each day," Michael Covington, vice president of product at Wandera, the London-based mobile security company, told SearchSecurity by email. "I suspect we will see a measurable drop in global threat encounters over the coming days and weeks. Considering the type of phishing and botnet attacks typically launched through Avalanche, this is particularly good news for consumers during the upcoming holiday season."

However, while the takedown may disrupt cybercrime operations, it will not likely end them.

"We can expect that someone else will fill the void left by Avalanche, as there is an incredible amount of competition in the criminal underground where crime as a service lives," Ed Cabrera, chief cybersecurity officer at Trend Micro, told SearchSecurity by email. "We can expect another cybercriminal group and infrastructure to take its place in the near future."

Covington said, "We have seen similar takedowns in the past and the criminals always come back with something new and bolder than before. When spam servers were taken down in the 2000s, we saw the rise of distributed botnet services. As C&C infrastructure was interrupted, we started seeing more clever attacks that involved evasive, polymorphic malware."

"Arguably, this is not a race with a clean finish line," Cabrera said. "This is a constant effort for law enforcement, in partnership with the security industry, to identify, investigate and mitigate this threat and the cybercriminal groups behind it."

"What enterprise customers need to realize is that these criminal operations are for-profit entities. An interruption to their network is an interruption to their cash flow," Covington said. "The malicious infrastructure will return and it will morph along the way. They should not become complacent and assume we understand the attacker."

"Crime, like all ecosystems, adapts as circumstances change. All we can really do is reduce the incentives for criminality," John Bambenek, threat systems manager at Fidelis Cybersecurity, told SearchSecurity by email. "In the end, however, we have not solved murder, rape or theft and we won't likely end cybercrime either."
