Making the internet a safer place
“The complex trans-national nature of cyber investigations requires international co-operation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this co-operation we can collectively make the internet a safer place for our businesses and citizens,” he said.
Avalanche, which was set up in 2009, used up to 600 servers worldwide to host as many as 800,000 web domains at a time.
Cyber criminals rented the servers to launch and manage fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software to steal users’ bank details and other personal data for fraud or extortion.
At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.
Malware campaigns that were distributed through this network include goznym, marcher, matsnu, nymaim, urlzone, virut, xswkit, pandabanker, rovnix, teslacrypt, kbot, ranbyus, vm zeus and Vawtrak.
Avalanche was attractive to cyber criminals because it used a so-called double fast-flux network to defend itself from disruption and identification.
Computers connected to the internet match domain names such as computerweekly.com to a location identified by an IP address, which tells the user’s computer where that domain is located.
A domain is usually fixed to one IP address for a long period of time, but the technique known as fast flux involves automatically and frequently changing the IP address records associated with a domain name.
Double fast-flux changes not only the IP address records but also the name server records, the name server being the component that answers the lookup mapping a domain to its IP addresses, so both layers of the resolution chain keep moving and the network is much harder to map and disrupt.
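A defender's way to make that distinction concrete, as an added example that is not part of the original article: a small Python script that classifies a domain as stable, fast-flux or double fast-flux from its observed A and NS answers. The DNS observations, domain names, addresses and thresholds are all constructed, illustrative values, not Avalanche data.

```python
from ipaddress import ip_address

# Constructed sample DNS observations (not real Avalanche data):
# (domain, record_type, value, ttl_seconds), one entry per distinct answer seen.
OBSERVATIONS = [
    # stable site: one A record, one NS record, long TTLs
    ("stable.example", "A", "203.0.113.10", 86400),
    ("stable.example", "NS", "ns1.stable.example", 86400),
    # single fast-flux: A records churn across unrelated networks, NS is fixed
    ("flux.example", "A", "198.51.100.7", 300),
    ("flux.example", "A", "192.0.2.44", 300),
    ("flux.example", "A", "203.0.113.91", 300),
    ("flux.example", "NS", "ns1.flux.example", 86400),
    # double fast-flux: both the A records and the NS records churn
    ("dflux.example", "A", "192.0.2.5", 180),
    ("dflux.example", "A", "198.51.100.9", 180),
    ("dflux.example", "A", "203.0.113.33", 180),
    ("dflux.example", "NS", "ns1.dflux.example", 300),
    ("dflux.example", "NS", "ns2.dflux.example", 300),
    ("dflux.example", "NS", "ns3.dflux.example", 300),
]

def flux_features(observations, domain):
    """Summarise how much a domain's A and NS answers churn."""
    a_values, ns_values, ttls = set(), set(), []
    for dom, rtype, value, ttl in observations:
        if dom != domain:
            continue
        ttls.append(ttl)
        if rtype == "A":
            a_values.add(value)
        elif rtype == "NS":
            ns_values.add(value.lower())
    # Distinct /16 prefixes: flux nodes are infected hosts scattered across networks
    prefixes = {int(ip_address(ip)) >> 16 for ip in a_values}
    return {"a_count": len(a_values), "a_prefixes": len(prefixes),
            "ns_count": len(ns_values), "min_ttl": min(ttls, default=None)}

def classify(observations, domain, a_threshold=3, ns_threshold=2, ttl_max=900):
    f = flux_features(observations, domain)
    if f["min_ttl"] is None:
        return "unknown"  # domain never observed
    a_flux = f["a_count"] >= a_threshold and f["a_prefixes"] >= 2 and f["min_ttl"] <= ttl_max
    ns_flux = f["ns_count"] >= ns_threshold
    if a_flux and ns_flux:
        return "double-fast-flux"
    if a_flux:
        return "fast-flux"
    return "stable"
```

Real passive-DNS feeds would supply many more observations per domain, so the thresholds should be tuned against known-good CDN and round-robin domains to keep false positives down.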
Despite the use of double fast-flux, German police, with help from the NCA and other international partners, were eventually able to identify the infrastructure that lay behind the malware campaigns.
One tactic used against the network was sinkholing, in which traffic passing between infected computers and Avalanche was directed to servers monitored by law enforcement. This meant the criminals no longer controlled the computers they had infected and that victims could be identified so that fixes could be applied.
NCA officers took down the 2,210 Avalanche domains which had a .uk address. “The volume of fraudulent activity made possible by Avalanche was incredible,” said Mike Hulett of the NCA’s National Cyber Crime Unit.
“But the scale of the global law enforcement response was unprecedented, as 20 strains of malware and 800,000 domains were targeted on one day. This shows how serious we are about tackling cyber crime. The internet isn’t a safe haven for criminals.
“Unfortunately, taking down Avalanche doesn’t clean computers already infected with malware, so while the criminals are trying to rebuild their operations, computer users should use this window to install antivirus software and make sure they’re protected,” he said.