HKCert
Security Blog

HK Victims Reported in Global Takedown of "Avalanche" Cybercrime Hosting Platform

Release Date: 02 / 12 / 2016
Last Update: 02 / 12 / 2016

Source: Europol

A joint operation to take down the “Avalanche” cybercrime hosting platform was led by Europol and conducted with law enforcement, judicial authorities and security researchers from more than 30 countries. In this operation, 5 individuals were arrested, 39 servers were seized, and a further 221 servers were taken offline by their hosting providers. Over 830,000 website domains were seized, blocked or “sinkholed”.

“Avalanche”, set up in 2009, was a hosting platform made up of around 600 servers worldwide. It was used mainly by cybercriminals to deploy financial crimeware (e.g. Zeus, SpyEye) and to issue commands to infected devices (e.g. to send out fraudulent emails or to conduct money laundering activities). To hide the actual locations of its servers, the platform used proxy servers together with a “double fast flux” technique, i.e. changing both the DNS (name server) records and the IP address of a malicious domain every 5 minutes, so that infected devices connecting to the platform never pointed at a fixed server.
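The “double fast flux” behaviour described above leaves a recognisable trace in DNS logs: a domain whose A records and whose NS records both keep changing between lookups, unlike a CDN-fronted site, where only the A records vary. The following classifier is an added illustration written for this post, not HKCERT or Europol code; the domain names, IP addresses and name servers are constructed sample data.

```python
# Constructed passive-DNS observations (sample data, not from the advisory):
# (minute offset, domain, record type, value). A double-fast-flux domain
# rotates both its A records and its NS records every few minutes.
OBSERVATIONS = [
    (0,  "update-bank.example", "A",  "203.0.113.10"),
    (0,  "update-bank.example", "NS", "ns1.flux.example"),
    (5,  "update-bank.example", "A",  "198.51.100.7"),
    (5,  "update-bank.example", "NS", "ns2.flux.example"),
    (10, "update-bank.example", "A",  "192.0.2.44"),
    (10, "update-bank.example", "NS", "ns3.flux.example"),
    # A CDN-fronted site: A records vary, but the name servers stay put.
    (0,  "cdn-site.example", "A",  "203.0.113.1"),
    (0,  "cdn-site.example", "NS", "ns1.cdn.example"),
    (5,  "cdn-site.example", "A",  "203.0.113.2"),
    (5,  "cdn-site.example", "NS", "ns1.cdn.example"),
    (10, "cdn-site.example", "A",  "203.0.113.3"),
    (10, "cdn-site.example", "NS", "ns1.cdn.example"),
    # An ordinary site: nothing changes between lookups.
    (0,  "static.example", "A",  "192.0.2.1"),
    (0,  "static.example", "NS", "ns1.static.example"),
    (5,  "static.example", "A",  "192.0.2.1"),
    (5,  "static.example", "NS", "ns1.static.example"),
]

def count_changes(observations, domain, rtype):
    """Return (changes between successive lookups, distinct values) for one record type."""
    seen = sorted((t, v) for t, d, r, v in observations if d == domain and r == rtype)
    changes = sum(1 for (_, a), (_, b) in zip(seen, seen[1:]) if a != b)
    return changes, len({v for _, v in seen})

def classify(observations, min_changes=2):
    """Label each domain 'double-flux' (A and NS churn), 'single-flux' (A only) or 'stable'."""
    verdicts = {}
    for domain in sorted({d for _, d, _, _ in observations}):
        a_changes, a_distinct = count_changes(observations, domain, "A")
        ns_changes, ns_distinct = count_changes(observations, domain, "NS")
        if a_changes >= min_changes and ns_changes >= min_changes:
            label = "double-flux"
        elif a_changes >= min_changes:
            label = "single-flux"
        else:
            label = "stable"
        verdicts[domain] = {"label": label, "distinct_a": a_distinct, "distinct_ns": ns_distinct}
    return verdicts

if __name__ == "__main__":
    for domain, info in classify(OBSERVATIONS).items():
        print(f"{domain:22} {info['label']:12} A={info['distinct_a']} NS={info['distinct_ns']}")
```

Real passive-DNS data would also carry the TTL; a flux domain typically pairs this churn with TTLs of a few minutes, which is the other signal worth checking.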

Financial impact and HK victims reported

According to UK law enforcement, the financial loss caused by fraud performed via the “Avalanche” platform amounted to hundreds of millions of US dollars. The malware distributed through the “Avalanche” platform typically infected vulnerable Windows PCs and performed credential theft and other illegal activities on the infected device to facilitate the fraud.

According to information provided by CERT-Bund of Germany and the security research organisation Shadowserver, there are devices in Hong Kong that connected to the “Avalanche” platform. After consolidating the initial information, around 350 IP addresses are affected, involving more than 50 ISPs in Hong Kong. We will notify the corresponding ISPs in the coming week so that they can contact their affected clients.

How do I know, and what should I do, if my device is infected?

  • The owners of infected devices will be informed via their ISP. You can also scan your computer yourself to check for infection.
  • Ensure that the security software on your computer, such as anti-virus, is up to date, and use it to detect and remove any malware.
  • If you cannot update or renew your security software, download Microsoft Safety Scanner to scan for and remove the malware: https://www.microsoft.com/security/scanner/default.aspx

Advice on prevention of malware infection

  • Install basic security software on your device and keep it up to date.
  • Ensure that the operating system and software on your device, including browser plugins, receive the latest security updates.
  • Do not open attachments or click links in suspicious emails.
  • Back up important files on your device and keep the backup disconnected from the device (e.g. unplug the USB drive after the backup).
  • Scan your device regularly to maintain its basic protection.

Reference