Avalanche Botnet Takedown

Number: AL16-023
Date: 1 December 2016

Purpose

The purpose of this alert is to bring attention to the recent “Avalanche” botnet takedown operation.

Assessment

On November 30th, 2016, a worldwide cooperative takedown of the Avalanche botnet took place. “Avalanche” refers to a worldwide crimeware-as-a-service (CaaS) network infrastructure operated by cyber criminals to conduct malicious activities, including denial-of-service attacks, malware distribution, phishing, and money-mule operations.

The global cooperative effort to disrupt the Avalanche network infrastructure involved one of the largest-ever sinkholing operations, with over 800,000 domains blocked, seized or sinkholed. Avalanche utilized the double fast-flux DNS technique to attempt to hide itself, acting as command-and-control infrastructure for multiple malware families, including:

The Royal Canadian Mounted Police led the law enforcement effort in Canada, with the Canadian Cyber Incident Response Centre assisting with Canadian victim notification and remediation.
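Double fast-flux, as referenced above, means that both a domain's A records and the A records of its own nameservers rotate rapidly across many addresses with short TTLs. The following is an added example, not part of this alert or any CCIRC tool, of how a defender can triage passive DNS or resolver-log data for that pattern. The records, domain names and thresholds are constructed for illustration; the /24 prefix count is assumed as a crude stand-in for hosting-provider diversity, and the names are not real Avalanche indicators.

```python
"""Heuristic fast-flux triage over passive DNS records (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class DnsRecord:
    owner: str   # the name this record answers for
    rtype: str   # "A" or "NS"
    value: str   # IPv4 address for A records, nameserver hostname for NS records
    ttl: int     # seconds


def prefix24(ip: str) -> str:
    """Assumed proxy for hosting diversity: the /24 network the address sits in."""
    return str(IPv4Network(f"{ip}/24", strict=False))


def _ip_profile(records, name):
    """Collect distinct addresses, distinct /24s and the lowest TTL seen for one name."""
    a_recs = [r for r in records if r.owner == name and r.rtype == "A"]
    ips = {r.value for r in a_recs}
    return {
        "ips": ips,
        "prefixes": {prefix24(ip) for ip in ips},
        "min_ttl": min((r.ttl for r in a_recs), default=None),
    }


def _is_fluxy(profile, min_ips, min_prefixes, max_ttl):
    """A name is 'fluxy' when it spreads many addresses over several /24s with short TTLs."""
    return (
        len(profile["ips"]) >= min_ips
        and len(profile["prefixes"]) >= min_prefixes
        and profile["min_ttl"] is not None
        and profile["min_ttl"] <= max_ttl
    )


def classify(records, domain, min_ips=5, min_prefixes=2, max_ttl=300):
    """Return 'double-flux', 'single-flux' or 'normal' for one domain (thresholds are assumed)."""
    a_flux = _is_fluxy(_ip_profile(records, domain), min_ips, min_prefixes, max_ttl)
    ns_hosts = {r.value for r in records if r.owner == domain and r.rtype == "NS"}
    # Double flux: the nameservers themselves also resolve to a rotating address pool
    ns_flux = any(
        _is_fluxy(_ip_profile(records, ns), min_ips, min_prefixes, max_ttl) for ns in ns_hosts
    )
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "normal"


def report(records, **thresholds):
    """Classify every zone apex (any owner that has NS records) in the data set."""
    domains = sorted({r.owner for r in records if r.rtype == "NS"})
    return {d: classify(records, d, **thresholds) for d in domains}


def _a_records(owner, ips, ttl):
    return [DnsRecord(owner, "A", ip, ttl) for ip in ips]


# Constructed sample data using RFC 5737 documentation ranges; not real indicators.
FLUX_IPS = ["192.0.2.10", "192.0.2.77", "198.51.100.4", "198.51.100.130",
            "203.0.113.9", "203.0.113.200", "192.0.2.150", "198.51.100.66"]
NS_IPS = ["203.0.113.21", "192.0.2.33", "198.51.100.77", "203.0.113.88", "192.0.2.201"]

SAMPLE_RECORDS = (
    # Double flux: rotating A records and rotating nameserver addresses
    _a_records("flux-example.test", FLUX_IPS, 180)
    + [DnsRecord("flux-example.test", "NS", "ns1.flux-example.test", 180),
       DnsRecord("flux-example.test", "NS", "ns2.flux-example.test", 180)]
    + _a_records("ns1.flux-example.test", NS_IPS, 120)
    + _a_records("ns2.flux-example.test", NS_IPS[1:] + ["203.0.113.250"], 120)
    # Single flux: rotating A records but a stable nameserver
    + _a_records("single-example.test", FLUX_IPS[:6], 60)
    + [DnsRecord("single-example.test", "NS", "ns1.hosting.test", 3600)]
    + _a_records("ns1.hosting.test", ["203.0.113.1"], 86400)
    # CDN-like: many addresses and a low TTL, but all inside one /24
    + _a_records("cdn-example.test", [f"192.0.2.{i}" for i in range(40, 47)], 60)
    + [DnsRecord("cdn-example.test", "NS", "ns1.hosting.test", 3600)]
    # Ordinary hosting: two addresses with a long TTL
    + _a_records("static-example.test", ["198.51.100.10", "198.51.100.11"], 3600)
    + [DnsRecord("static-example.test", "NS", "ns1.hosting.test", 3600)]
)


if __name__ == "__main__":
    for domain, verdict in report(SAMPLE_RECORDS).items():
        print(f"{domain:<24} {verdict}")
```

The prefix-diversity check is what keeps the CDN-like domain out of the candidate list: content delivery networks and round-robin hosting also answer with many low-TTL addresses, so address count and TTL alone produce false positives. Even a double-flux verdict is only a triage signal; the domain should be confirmed against the sinkhole and indicator lists published by the references below before blocking or remediation.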

Suggested Action

As the Avalanche botnet is associated with several malware families and a variety of malicious activity, identifying compromises and/or infections may require thorough and varying action.

CCIRC recommends that organizations review the following mitigation information/preventive measures and consider their implementation in the context of their network environment:

It is important to note that infections can be devastating to an individual or organization, and that recovery can be a difficult process which may require the services of a reputable data recovery specialist.

References

Europol Press Release:
https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation

US-CERT Avalanche Information:
http://us-cert.gov/avalanche

Shadowserver Avalanche Information:
http://blog.shadowserver.org/2016/12/01/avalanche/

CCIRC Technical Report TR11-001 (Malware Infection Recovery Guide):
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-001-en.aspx

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca