The Shadowserver Foundation

Avalanche Botnet

Updated December 4th 2017: Legal and technical action against the Avalanche platform and its customers and operators is ongoing, and in year two has been expanded to include over 848,000 domains as well as the Andromeda malware family. This has considerably increased the number of detected infected victims and further remediation activities are required. Find out more on our blog.

Original Post

On Thursday December 1, 2016, Europol's Cybercrime Co-ordination Centre (EC3) announced a successful operation to take down the Avalanche Botnet.

For the past 18 months, The Shadowserver Foundation has been quietly working to support international Law Enforcement agencies in the coordinated take down of the criminal operated Avalanche malware delivery platform.

Avalanche is a Double Fast Flux (Wikipedia) content delivery and management platform designed for the delivery and so-called bullet-proof management of botnets. More than 20 different malware families using multiple Domain Generation Algorithms (DGAs) and operating criminal infrastructure in 30 countries and US states impacted over 60 registries worldwide required unprecedented levels of effective international partnership.

As a key member of a technical subgroup, Shadowserver worked with partners to build the sinkholing infrastructure and coordinate the international DNS Registry/Registrar activities. This resulted in disruption of the criminal operated Avalanche infrastructure and sinkholing of elements of the following malware families:

You can obtain free nightly reports for your networks by signing up for them here (https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork).

Am I Infected / Remediation

While the sinkholed victims are now hopefully shielded from direct exploitation by this group of criminals – they are still infected with one or more families of malware and likely to be vulnerable to others. Law enforcement have worked with security companies globally to build disinfection tools and have provided an array of links to solutions that will enhance the protection of end users. We encourage concerned computer users to check their systems.

In alphabetical order they include:

German BSI:

Avira:

BitDefender:

Dr Web:

ESET Online Scanner:

F-Secure:

GData:

Kaspersky:

McAfee Stinger:

Microsoft Safety Scanner:

Norton Power Eraser:

Trend Micro:

Stats

Statistics on Previous Day

Other Statistics

If you would like other statistics and information on historical trends, please take a look at: https://avalanche.shadowserver.org/stats/. Otherwise, stats from the most current scan are listed below.


All devices with Avalanche Infections

All avalanche

(Click image to enlarge)

If you would like to see more regions click here

All devices with Avalanche Infections

All avalanche

(Click image to enlarge)



Likewise, if you have anymore questions please feel free to send us an email at: gro [tod] revfooreswodahs [ta] nacbarssnd

The Shadowserver Foundation