Note to readers

This publication does not currently meet the Government of Canada's Web Standards. The information remains valid.

Alert - Avalanche Botnet Takedown

Number: AL16-023
Date: 1 December 2016

Purpose

The purpose of this alert is to bring attention to the recent “Avalanche” botnet takedown operation.

Assessment

On November 30th, 2016, a worldwide cooperative takedown of the Avalanche botnet took place.  “Avalanche” refers to a worldwide crimeware-as-a-service (CaaS) network infrastructure operated by cyber criminals to conduct malicious activities, including: denial-of-service attacks, malware MalwareMalicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware. distribution; and phishing PhishingAn attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts. and money-mule operations.

The global cooperative effort to disrupt Avalanche network infrastructure involved one of the largest-ever sinkholing operations, with over 800,000 domains blocked/seized/sinkholed.  Avalanche utilized the double fast-flux DNS technique to attempt to hide itself, acting as command-and-control infrastructure for multiple malware families, including:

  • Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector,Rannoh,Ransomlock.P)
  • URLzone (aka Bebloh)
  • Citadel
  • VM-ZeuS (aka KINS)
  • Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
  • newGOZ (aka GameOverZeuS)
  • Tinba (aka TinyBanker)
  • Nymaim/GozNym
  • Vawtrak (aka Neverquest)
  • Marcher
  • Pandabanker
  • Ranbyus
  • Smart App
  • TeslaCrypt
  • Trusteer App
  • Xswkit
  • TeslaCrypt
  • Corebot
  • GetTiny
  • Rovnix
  • QakBot (aka Qbot, PinkSlip Bot)

The Royal Canadian Mounted Police led the law enforcement effort in Canada, with the Canadian Cyber Incident Cyber incidentAny unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource. Response Centre assisting with Canadian victim notification and remediation.

Suggested Action

As the Avalanche botnet is associated with several malware families and a variety of malicious activity, identifying compromises and/or infections may require thorough and varying action.

CCIRC recommends that organizations review the following mitigation information/preventive measures and consider their implementation in the context of their network environment:

  • Employ anti-malware tools on your assets and/or infrastructure.  Tools which can both detect/identify and remediate/remove infections should be sought.  CCIRC does not endorse or support any specific product/vendor.  Anti-malware tools should be maintained and kept up-to-date, with all data/software downloaded to your infrastructure scanned before executing/opening.
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Since network storage can also be affected, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
  • Follow safe practices when browsing the Web.
  • Do not follow unsolicited Web links in emails.

It is important to note that infections can be devastating to an individual or organization, and that recovery can be a difficult process which may require the services of a reputable data recovery specialist.

References:

Europol Press Release:
https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation

US-CERT Avalanche Information:
http://us-cert.gov/avalanche

Shadowserver Avalanche Information:
http://blog.shadowserver.org/2016/12/01/avalanche/

CCIRC Technical Report TR11-001 (Malware Infection Recovery Guide):
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-001-en.aspx

Date modified: