
Tag: Fast Flux

Over 800,000 domains have been seized, sinkholed or blocked in a global effort to take down the Avalanche botnet, which was infecting up to 500,000 users every day. Law enforcement organizations from around the world coordinated an operation to take down the global botnet known as Avalanche.

The operation to take down the Avalanche botnet and its associated criminal infrastructure was formally revealed on December 1 and involved four years of investigation and co-operation between the U.S. Federal Bureau of Investigation (FBI) and Europol, as well as prosecutors in over 30 countries. According to Europol, Avalanche is responsible for malware infections in over 180 countries and is estimated to infect up to 500,000 systems globally every day.

The Avalanche botnet was first reported on by eWEEK in 2010, when it was identified by the Anti-Phishing Working Group (APWG) as a leading source of phishing attacks. "The Avalanche network, which has been operating since at least 2010, is estimated to involve hundreds of thousands of infected computers worldwide," the U.S. Department of Justice stated. "The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network." The global effort to take down the Avalanche network so far has involved the arrest of 5 individuals and the seizure of 39 servers, according to Europol.

The total scope of the Avalanche takedown operation is vast, with over 800,000 internet domains involved that are now being either seized, sinkholed or blocked in an effort to protect users worldwide. With a sinkhole, traffic from infected users is redirected to servers controlled by law enforcement. Part of the reason it was so difficult, and took so many years, for law enforcement to disable the Avalanche network is the sophisticated methods used by the botnet.

The Avalanche network made use of what is known as a double fast flux technique, which helped it evade law enforcement takedown efforts. A botnet is a collection of compromised systems that an attacker controls through a command and control system to attack other users and sites on the Internet.

Fast flux is a technique that abuses the Domain Name System (DNS) to hide the source of an attack.

In normal operation, a DNS resolver maps a domain name to a specific IP address, and that mapping stays stable. With fast flux, attackers link multiple sets of IP addresses to a given domain name and swap new addresses in and out of the DNS records in an attempt to evade detection. Among the organizations that worked on the Avalanche takedown is the Shadowserver Foundation, which helped to build the sinkhole infrastructure needed for Avalanche.

Though blocking and sinkholing malicious domains helps, users are still at some risk. "While the sinkholed victims are now hopefully shielded from direct exploitation by this group of criminals – they are still infected with one or more families of malware and likely to be vulnerable to others," the Shadowserver Foundation stated. "Law enforcement have worked with security companies globally to build disinfection tools and have provided an array of links to solutions that will enhance the protection of end users." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Four-year op by US and EU culminates in arrests, server seizures

On November 30, simultaneous raids in five countries by the FBI, Europol, and the UK's National Crime Agency (NCA) finally shuttered the Avalanche criminal network that has been spewing malware and money laundering campaigns for the past seven years. The Avalanche network was a system of 600 servers around the world that were available for hire to online criminals.

They could be used for launching malware infection campaigns, funneling funds from phishing scams, and controlling more than 500,000 infected PCs a day, police estimate.

They also spammed out a million emails carrying viruses every week. "The volume of fraudulent activity made possible by Avalanche was incredible. But the scale of the global law enforcement response was unprecedented, as 20 strains of malware and 800,000 domains were targeted on one day," said Mike Hulett, of the NCA's National Cyber Crime Unit. "Unfortunately, taking down Avalanche doesn't clean computers already infected with malware, so while the criminals are scrabbling around inevitably trying to rebuild their operations, computer users should use this window to install anti-virus software and make sure they're protected." The raids on Wednesday seized 39 servers and took another 221 offline.

Thirty-seven premises were searched, and 830,000 malicious domains were shut down. Police found 20 different malware families on the network, including goznym, marcher, matsnu, urlzone, xswkit, and pandabanker. The Avalanche operation started in 2012, when German police investigating a large ransomware outbreak found evidence that the source of their woes was the rogue network.

The way Avalanche was set up made it very difficult to map and penetrate due to a technique called double fast flux. Fast flux is a common criminal technique designed to stymie police investigations by swapping the IP address attached to a domain regularly, sometimes every few minutes, between different servers. Avalanche augmented this by making sure that both the domain location and the name server queried for this location changed, making it doubly hard for investigators to locate and identify criminal operations.

To combat this, investigators in the EU and US used a technique called sinkholing, where data traffic from infected machines is redirected through servers controlled by the police and analyzed. Police around the world sifted through 130TB of data to find the information needed to identify the Avalanche architecture.

"Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime," said Europol Director Rob Wainwright. "The complex trans-national nature of cyber investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation, we can collectively make the internet a safer place for our businesses and citizens." ®
800,000 domains seized, sinkholed, or blocked, and five individuals arrested, in international effort to bring down botnet linked to 17 major malware families.

The Avalanche botnet - linked to many of the world's most troublesome ransomware, RATs, and banking Trojans - has been dealt a critical blow in what Europol called today the "largest-ever use of sinkholing to combat botnet infrastructures." Five individuals were arrested and 800,000 domains seized, sinkholed, or blocked in an international takedown operation that began Wednesday. Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets. It was estimated to involve as many as 500,000 active infected devices worldwide on a daily basis.

From the Europol statement: "What made the 'Avalanche' infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action."

The double fast flux technique was what made Avalanche attractive as a communication provider for other botnets - including TeslaCrypt, Nymaim, Rovnix, Qbot, Matsnu, and URLzone - and also what made it effective for securing cybercriminal proceeds. According to Europol, Avalanche has cost the German banking industry EUR 6 million ($6.4 million USD) in online crime alone.

Europol estimates that Avalanche is responsible for monetary losses amounting to hundreds of millions of dollars worldwide, but states that accurate numbers are difficult to come by because there is such a wide variety of malware associated with the botnet. Avalanche hosted 17 of "the world's most pernicious types of malware," as described by the Department of Justice, the FBI, and the US Attorney of the Western District of Pennsylvania in a joint statement.

These malware include Citadel, Dridex, Vawtrak, TeslaCrypt, Pandabanker, GOZeuS, VM-ZeuS, Ransomlock, Bebloh, and Nymaim.

A more complete list can be found in a technical alert released by US-CERT and the FBI today.

Investigation into Avalanche dates back to 2012. Symantec research into the Ransomlock ransomware and a German law enforcement probe into local Bebloh banking Trojan infections united when they discovered that the two types of malware were both targeting German speakers and sharing a command-and-control infrastructure. (Symantec described this in a blog today.) The investigation expanded as other malware were connected to the same infrastructure. The Lüneburg, Germany police force and the public prosecutor's office in Verden, Germany led the investigation, working closely with investigators and prosecutors from more than 40 countries, Europol, Eurojust, the FBI, and the DoJ.

The German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analyzed over 130 TB of captured data and identified the server structure of the botnet.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
[Image: Avalanche once hosted ransomware that spoofed messages from law enforcement. Now, a team of 40 law enforcement agencies has shut it down. Credit: Symantec]

[Update, 3:00 PM EDT: This story has been updated with additional details from The Shadowserver Foundation and Europol.]

A botnet that has served up phishing attacks and at least 17 different malware families to victims for much of this decade has been taken down in a coordinated effort by an international group of law enforcement agencies and security firms. Law enforcement officials seized command and control servers and took control of more than 800,000 Internet domains used by the botnet, dubbed "Avalanche," which has been in operation in some form since at least late 2009. "The operation involves arrests and searches in five countries," representatives of the FBI and US Department of Justice said in a joint statement issued today. "More than 50 Avalanche servers worldwide were taken offline."

A Europol release on the operation provided more details, stating: "[Five] individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked."

The domains seized have been "sinkholed" to terminate the operation of the botnet, which is estimated to have spanned hundreds of thousands of compromised computers around the world.

The Justice Department's Office for the Western Federal District of Pennsylvania and the FBI's Pittsburgh office led the US portion of the takedown. "The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network," the FBI and DOJ said in their joint statement. In 2010, an Anti-Phishing Working Group report called out Avalanche as "the world’s most prolific phishing gang," noting that the Avalanche botnet was responsible for two-thirds of all phishing attacks recorded in the second half of 2009 (84,250 out of 126,697). "During that time, it targeted more than 40 major financial institutions, online services, and job search providers," APWG reported.
In December of 2009, the network used 959 distinct domains for its phishing campaigns.

Avalanche also actively spread the Zeus financial fraud botnet at the time. The phishing messages sent through Avalanche's army of bots in 2009 were generally spoofed e-mails from financial institutions, including USAA (a bank largely serving US military and veterans) and HSBC.

The botnet churned through domains faster than most, with more than half its domains being live for less than 12 hours in late 2009.

The programmatic churning through domains is how the botnet accrued more than 800,000 domains by the time of the takedown this week. The Shadowserver Foundation, a non-profit organization of security professionals that assisted in what the organization described in a post on the takedown as an 18-month collaboration with law enforcement, described Avalanche as a "Double Fast Flux" botnet.
Individual nodes within the botnet are registered and then quickly de-registered as the host associated with a Domain Name System (DNS) A record for a single DNS name. The destination addresses for a DNS record often change as quickly as once every 5 minutes, and can cycle through hundreds or thousands of IP addresses.

And there are multiple domain names for command and control nodes hard-coded into the botnet malware, allowing the bots to switch to a different domain name if a specific domain is blocked. "More than 20 different malware families using multiple Domain Generation Algorithms (DGAs) and operating criminal infrastructure in 30 countries and US states impacted over 60 registries worldwide required unprecedented levels of effective international partnership," a Shadowserver Foundation spokesperson reported. Avalanche's phishing operations appeared to drop off in 2010—likely because the organization behind the botnet turned to other sources of income, using its infrastructure to spread a variety of malware instead.
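The two articles above describe fast flux from a defender's point of view: a name whose A records churn across many addresses on short TTLs (single flux), and, in the double fast flux variant attributed to Avalanche, name servers whose own addresses churn as well. The following is an added example, not code from eWEEK, The Register, Ars Technica, Shadowserver or Europol, showing how the observable symptoms described on this page (address count, network spread, TTL, and name-server churn) can be turned into a heuristic over passive-DNS style records. The record layout, the `example.test` domain names, the private-range IP addresses and the thresholds (5 addresses, 3 distinct /24s, TTL of 300 seconds or less) are all constructed assumptions for the illustration; real deployments would tune them against their own resolver logs.

```python
"""Heuristic fast-flux and double-fast-flux detection over passive-DNS style records.

Added illustration for this page; not code from the articles quoted here or from
Shadowserver, Europol or Symantec. Record format, domain names, IP addresses and
thresholds are all constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # seconds since epoch (constructed)
    qname: str     # name that was resolved, trailing dot as in DNS
    rrtype: str    # "A" or "NS"
    rdata: str     # IP address for A records, host name for NS records
    ttl: int       # TTL the authoritative server handed back


def slash24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so we can measure network spread."""
    return str(ip_network(f"{ip}/24", strict=False))


def summarize(obs: Iterable[DnsObservation]) -> Dict[Tuple[str, str], dict]:
    """Group the distinct answers and the TTLs seen for every (qname, rrtype) pair."""
    groups: Dict[Tuple[str, str], dict] = defaultdict(lambda: {"answers": set(), "ttls": []})
    for o in obs:
        groups[(o.qname, o.rrtype)]["answers"].add(o.rdata)
        groups[(o.qname, o.rrtype)]["ttls"].append(o.ttl)
    return groups


def is_fluxing(group: dict, min_ips: int, min_prefixes: int, max_ttl: int) -> bool:
    """A name 'fluxes' when its A answers churn across many addresses and networks
    while the TTL is kept short enough to force clients to re-resolve constantly."""
    ips = group["answers"]
    if not ips or not group["ttls"]:
        return False
    return (len(ips) >= min_ips
            and len({slash24(ip) for ip in ips}) >= min_prefixes
            and max(group["ttls"]) <= max_ttl)


def classify(obs: Iterable[DnsObservation], min_ips: int = 5, min_prefixes: int = 3,
             max_ttl: int = 300) -> Dict[str, str]:
    """Label every zone that published NS records as stable, single-flux or double-flux."""
    groups = summarize(obs)
    empty = {"answers": set(), "ttls": []}
    verdicts: Dict[str, str] = {}
    for (qname, rrtype), ns_group in list(groups.items()):
        if rrtype != "NS":
            continue  # only zone apexes (names with NS records) are candidates
        apex_flux = is_fluxing(groups.get((qname, "A"), empty), min_ips, min_prefixes, max_ttl)
        ns_hosts = ns_group["answers"]
        fluxing_ns = [h for h in ns_hosts
                      if is_fluxing(groups.get((h, "A"), empty), min_ips, min_prefixes, max_ttl)]
        if apex_flux and fluxing_ns and 2 * len(fluxing_ns) >= len(ns_hosts):
            verdicts[qname] = "double-flux"   # content hosts AND name servers move
        elif apex_flux:
            verdicts[qname] = "single-flux"   # only the content addresses move
        else:
            verdicts[qname] = "stable"
    return verdicts


def _cycle(qname: str, rrtype: str, answers: List[str], ttl: int, step: int = 300) -> List[DnsObservation]:
    """Constructed resolver log: one observation per answer, `step` seconds apart."""
    return [DnsObservation(1_500_000_000 + i * step, qname, rrtype, a, ttl) for i, a in enumerate(answers)]


# Constructed sample data (private-range addresses, reserved .test TLD).
FLUX_POOL = ["10.1.2.3", "10.7.8.9", "172.16.5.5", "172.31.9.9", "192.168.1.1", "192.168.77.7"]
NS1_POOL = ["10.20.30.40", "10.21.31.41", "172.16.9.9", "172.20.1.1", "192.168.5.5"]
NS2_POOL = ["10.40.30.20", "10.41.31.21", "172.18.9.9", "172.22.1.1", "192.168.6.6"]

SAMPLE = (
    # ordinary zone: one address, long TTL, stable name server
    _cycle("stable.example.test.", "A", ["192.0.2.10"] * 6, 3600)
    + _cycle("stable.example.test.", "NS", ["ns1.stable.example.test."], 3600)
    + _cycle("ns1.stable.example.test.", "A", ["192.0.2.53"] * 6, 3600)
    # single flux: the content address churns, the name server does not
    + _cycle("flux.example.test.", "A", FLUX_POOL, 180)
    + _cycle("flux.example.test.", "NS", ["ns1.flux.example.test."], 3600)
    + _cycle("ns1.flux.example.test.", "A", ["198.51.100.53"] * 6, 3600)
    # double flux: both the content address and the name servers churn
    + _cycle("dflux.example.test.", "A", FLUX_POOL, 120)
    + _cycle("dflux.example.test.", "NS", ["ns1.dflux.example.test.", "ns2.dflux.example.test."], 300)
    + _cycle("ns1.dflux.example.test.", "A", NS1_POOL, 120)
    + _cycle("ns2.dflux.example.test.", "A", NS2_POOL, 120)
)


def report(obs: Iterable[DnsObservation] = SAMPLE) -> str:
    """One line per zone, sorted, for a quick analyst read-out."""
    return "\n".join(f"{name:<28} {verdict}" for name, verdict in sorted(classify(obs).items()))


if __name__ == "__main__":
    print(report())
```

Run as a script it prints one verdict per zone; the `stable` zone passes, `flux` is flagged as single flux, and `dflux` as double flux because its name servers resolve to churning addresses too. The /24 spread test is there because a single hosting provider legitimately rotating addresses within one subnet (round-robin load balancing, CDNs) looks very different from compromised home machines scattered across many networks, which is the distinguishing feature the articles describe; for production use, ASN diversity from a routing table would be a stronger version of the same check.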

By 2012, Avalanche's command and control network was pushing a variety of crimeware, including "police ransomware." That malware spoofed a message from law enforcement claiming the victim's system had been distributing illegal pornography, then disabled the infected computer until the victim paid a "fine" to unlock it.

According to Symantec, the same block of command and control servers was also used by a banking Trojan called Bebloh that targeted German speakers.

This malware family was investigated at the time by police in Lüneburg, Germany, and as the investigation expanded, more and more malware families were discovered to be tied to the same command and control infrastructure. As the investigation grew, the Lüneburg police and the public prosecutor's office for the district of Verden, Germany were joined by law enforcement organizations from more than 40 countries, including the FBI's Pittsburgh Division and the Computer Crime and Intellectual Property Section of the United States Department of Justice, Europol, and Eurojust. The Justice Department said additional information on the dismantling of Avalanche—and information about some of its victims in the Pittsburgh area—will be provided "early next week."
Kaspersky's chief malware sleuth solves the mystery of the doomed exploit juggernaut

Ruslan Stoyanov was right: what could be history's most advanced financially driven malware was the progeny of some 50 jailed hackers known as the Lurk group. It is a finding that solves the mysterious demise of the world's most capable exploit kit and one of the biggest threats to end users on the internet. Kaspersky's head of investigation told The Register, as part of our investigation into the demise of Angler earlier this month, that he suspected the group was collared as part of the unprecedented arrests by Russia of members of the Lurk banking trojan group. Few top intelligence community sources knew anything concrete of Angler's fate other than that activity using the kit crashed to a halt on 7 June, the same time the Lurk group was arrested. During that investigation, Stoyanov, who has clocked many years of experience as a malware investigator in the private sector and for Moscow's Cyber Crime Unit, rightly suspected Lurk actors had rented out Angler to other criminals as a "kind of side business". His new analysis, published today, the epilogue to some six years of research that helped lead to the downfall of the Lurk hacking group, demonstrates his earlier theory was correct. Angler, he says, was the brainchild of the Lurk group, brewed as a means to buoy falling revenues from their flagship trojan. All told, the Lurk group stands accused of stealing some 3 billion rubles (US$46 million, £35 million, A$61 million). At its peak, Angler was behind a whopping 40 percent of all exploit kit infections, having compromised nearly 100,000 websites and tens of millions of users, generating some US$34 million annually for its authors.

[Image: The Lurk group raids.]

The lauded and prolific Kaspersky research team says it learned more from the investigation into Lurk than "any other". The group counts the discovery of the Equation Group, an entity strongly suspected of being part of the NSA's offensive tailored access operations wing, as one of its most high profile recent collarings. It also helped reveal the ultra-sophisticated Flame malware and offered early analysis of the Stuxnet worm. Angler, Stoyanov says, was initially a means to deliver the Lurk banking trojan and developed into a highly profitable money-making operation.

Go for broke

Lurk shook the blindsided Russian banking sector from its debut sometime around 2011. The group dominated the small number of remote banking software vendors which Russian banks used to make payments.

The malware, once installed on a bank's network, would search for the presence of the software and, if found, would download and install a custom malicious add-on that could create unauthorised payment orders. "This level of automation became possible because the cybercriminals had thoroughly studied how the banking software operated and tailored their malicious software modules to a specific banking solution," Stoyanov says. The software vendors could not keep up. They were issuing weekly patches to customers that would last a few days before Lurk authors found another attack vector to undermine them.

[Image: Angler activity drops dead. Image: F-Secure]

Vendors restricted who had access to their software in a bid to turn the patch battle. Eventually the beleaguered banks and software vendors asked Kaspersky for help and turned over their systems for analysis.

This offered researchers a rare trove of malware samples and intelligence on the group they had previously been unable to acquire. Lurk's operational security was tight, but a few blunders were enough to reveal that Stoyanov and his team were up against some 15 talented black hats, a crew that would grow to more than 50 by the time the hacker group was arrested.

Legend

The Lurk gang were a professional, skilled group which developed an equally impressive trojan. "Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status," Stoyanov says. "Even though many small and medium-sized groups were willing to work with them, they always preferred to work by themselves." The Lurk group came to power in the fall of Carberp, the former dominant player in the Russian black hat fraud scene, and quickly outshone its predecessor. Like any popular tech prodigy, its fans were eager to consume its products.

Angler, a means to help revitalise ebbing revenues, virtually sold itself. "So when Lurk [group] provided other cyber criminals with access to Angler, the exploit pack became especially popular – a product from the top underground authority did not need advertising," Stoyanov says. Customers were treated to a battery of fresh, clean exploits, some zero day, through which the world's end users were compromised.

Flash, Java, and Silverlight were regularly hacked, while security defences were foiled and frustrated by a battery of complex obfuscation tricks, including file-less infection and bypassing of Microsoft's lauded EMET security tool. The number of victims from the constant bombardment of Angler attack campaigns was measured in millions as malvertising and silent drive-by downloads were delivered through some of the most sophisticated fraud infrastructure ever seen; only those users who could be compromised were, limiting the chance attacks would be seen and disrupted by security researchers. A series of gateways, hacked servers, and fast flux networks made it difficult to stop Angler by technological means, and the rise of ransomware only served to increase the financial impact wrought by the net menace.

Epilogue

With Angler dead, Neutrino has risen.

The felling of the great leviathan tears open the canopy allowing the estimated 70 rival exploit kits to bloom. In the weeks after Angler's end, Neutrino doubled its monthly asking price from US$3500 to US$7000, and began incorporating the rapid deployment of zero day and new exploits into its offerings, standing on the shoulders of its fallen foe. All that really remains is for Russia to parade its win.
It is odd that the Kremlin has yet to do so, considering that it, like many countries, enjoys wheeling out black hat hackers in front of the press. "My personal experience of the Lurk investigation made me think that the members of this group were convinced they would never be caught," Stoyanov says. "They had grounds to be that presumptuous: they were very thorough in concealing the traces of their illegal activity, and generally tried to plan the details of their actions with care, however, like all people, they made mistakes." ®
It's not the next Stuxnet, says SentinelOne, it's just very naughty code

Malware hyped as aimed at the heart of power plants is nothing of the sort, according to security outfit Damballa, which has put its name to analysis claiming the "SFG" malware is run-of-the-mill code without sufficient smarts to target SCADA systems. The so-called SFG malware is the spawn of Furtim, and hit headlines as targeting industrial control systems when all it does is create backdoors for regular data exfiltration and payload dropping. Security outfit SentinelOne Labs found SFG and said it spotted the code infecting systems owned by a European energy company. SentinelOne said those attacks looked like the work of a nation-state. But Damballa says the malware is a regular financially driven menace that lacks SCADA (supervisory control and data acquisition) targeting. "SFG is just another Furtim build," Damballa researchers say. "There is no code specific to attacking industrial control systems or SCADA systems. [SFG] does not appear to be a nation-state operation, and there is no specific threat to any particular sector."

SentinelOne has since backtracked on its claims after copping criticism for its analysis, saying it does not have evidence that the malware was targeting SCADA systems. "There have been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems," the company says in an update. "We want to emphasise that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target."

A comparison of the original post, as found in Bing's cache, against the updated version shows that the claim that the targeted energy company was European was deleted, along with a footer marketing call inviting readers within the energy sector to reach out to the firm. Damballa's researchers say the malware uses a "kitchen sink" approach to detecting the sandboxes, honeypots, and analysis efforts of white hats, in a "cobbled together" mash taken from years-old malware code. Yet it is the "most comprehensive" copy and paste effort to date. Damballa finds the malware is also impressive in its use of the new 'fluxxy' fast flux infrastructure, in which carding sites are built on a network of bot-bitten Russian and Ukrainian home computers that constantly shifts site IP addresses. That fluxxy network powers malware campaigns including Carberp, Gozi ISFB, Pony, TeslaCrypt, GameOver ZeuS/Zbot, and Tinba. "We should focus our intelligence efforts on mapping this fast-flux infrastructure and working with authorities to disrupt, degrade, and destroy it," Damballa says. ®
After two years of research, RiskAnalytics issues a report on how one of the world's most successful botnets is still pervasive. Since 2014, security firm RiskAnalytics has been tracking the activities of a particularly virulent botnet that attackers ar...