Avalanche botnet takedown

John_L · December 1, 2016, 5:34pm

Avalanche is a large nasty botnet, which was just disabled by a large
coordinated action by industry and law enforcement in multiple
countries. It was a lot of work, involving among other things
disabling or sinkholing 800,000 domain names used to control it.

More info here:

https://www.europol.europa.eu/newsroom/news/‘avalanche’-network-dismantled-in-international-cyber-operation

http://blog.shadowserver.org/2016/12/01/avalanche/

As both items point out, if your users are infected with Avalance,
they're still infected, but now if you disinfect them, they won't get
reinfected. At least not with that particular flavor of malware.

R's,
John

anthony_kasza · December 1, 2016, 7:02pm

From my understanding Avalanche wasn't a single botnet but was high

availability infrastructure used by multiple different families/operators.

-AK

Ronald_F_Guilmette1 · December 1, 2016, 8:38pm

In message <20161201173426.2861.qmail@ary.lan>,

More info here:

‘Avalanche’ network dismantled in international cyber operation | Europol

I'm always happy when even a small handful of miscreants are captured
and taken off the Internet, but...

The press release itself says that this botnet had been running since
2009. So, you know, are we supposed to break out the champaign and
start celebrating because it "only" took LE *seven years* to take down
this one botnet and capture a grand total of five cybercriminals?

Like I say, I'm happy that this one botnet was killed, but to my way
of thinking, the fact that it took seven years to do so is a testament
*not* to the spectacular 21st century capabilities of modern law
enforcement, but rather to the ever widening gap between the time
scales of law enforcment processes, typically measured in months or
years, and the time scales of malicious packets flying around the
Internet, usually measured in miliseconds.

The Internet, viewed as an organism, quite clearly has, at present,
numerous autoimmune diseases. It is attacking itself. And its immune
system, such as it is, clearly ain't working. There's going to come
a day of reckoning when it will no longer be possible to paper over
this sad and self-evident fact. (And no, I'm *not* talking about
the fabled "Digital Pearl Harbor". I'm talking instead about the
Internet equivalent of the meteor that wiped out the dinosaurs.)

Regards,
rfg

P.S. WTF is "double fast flux[tm]"? Is that anything like "double secret
probation" from Animal House?

P.P.S. I love this part of the press release, because it is so telling:

"The successful takedown of this server infrastructure was supported
by ... Registrar of Last Resort, ICANN..."

Hahahahaha! Yea. Translation, for those of you who do not speak
diplomacy-speak: "It isn't hardly just you unofficial anti-spammers and
anti-cybercrime volunteers and private security companies that can't
manage to get many domain registrars and somtimes even domain registries
to lift a finger to help. Even some of us international law enforcement
guys, who have badges and everything, were also told to go pound sand by
several of the world's worst and most unhelpful registrars and registries.
In fact, they were soooooooo colossally unhelpful that in the end, we
finally had to go and plead our case all the way up to ICANN, just in
order to get anything done."

Paul_Ferguson1 · December 1, 2016, 8:43pm

P.S. WTF is "double fast flux[tm]”?

Double fast-flux is when not only the TTL is set very low on the A record(s), bit also on the NS:

- ferg

Rich_Kulawiec · December 1, 2016, 8:56pm

1. Which is why abusers are registrars' best customers and why
(some) registrars work so very hard to support and shield them.

2. As an aside, I've been doing a little research project for a
few years, focused on domains. I've become convinced that *at least*
99% of domains belong to abusers: spammers, phishers, typosquatters,
malware distributors, domaineers, combinations of these, etc.

In the last year, I've begun thinking that 99% is a serious underestimate.
(And it most certainly is in some of the new gTLDs.)

---rsk

J_Hellenthal · December 1, 2016, 9:02pm

99% ? That's a pretty high figure there.

Justin_Paine · December 1, 2016, 9:06pm

straight from the horse's mouth -- they said "99.99% of the 900,000
domains" have been sinkholed.

Rich_Kulawiec · December 1, 2016, 10:43pm

Yeah. I thought so too. For the first ten years. Now I think it's
not nearly high enough. Let me give you three examples -- the three
that happen to be occupying my attention at the moment. I've got more
if you've got the time. A *lot* more.

  1) http://www.firemountain.net/~rsk/loan.txt
  2) http://www.firemountain.net/~rsk/space.txt
  3) http://www.firemountain.net/~rsk/online.txt

1553, 3794, and 602 domains respectively. For brevity, I'll spare
you (4) which is a list of 97,657 domains (all in .info) using
variations of the same words, all registered by the same "company".

Note that my collection methods are lossy, so all of these are
drastically UNDERinclusive.

---rsk

Ronald_F_Guilmette1 · December 1, 2016, 11:01pm

In message <20161201205647.GA8911@gsp.org>,

Robert_McKay · December 2, 2016, 12:24am

I'm just assuming this because it doesn't say anywhere,
but given the context it seems likely to me that almost
none of the 900000 domains were actually registered.

It sounds more likely that they figured out how the domain generation
algorithm works and instructed the registries to block out all the
possible domains it could generate (preventing them from being registered
in the future).. along with also going after the registrars to disable a much smaller
number of domains that were actually currently registered.

Could be the 0.01% were the ones that were actually registered.

Rob

Tony_Finch · December 2, 2016, 10:49am

Note that these are the names of two different organizations - the part
before the comma is not a description of the role played by ICANN.

http://tldcon.ru/docs/02-Addis.pdf
http://www.rolr.org/goals.en.html

Tony.

Hugo_Salgado-Hernand · December 2, 2016, 11:28am

According to a 2015 paper, 85% of new gTLDs domains was some form
of parking, defensive redirect, unused, etc:
<http://conferences2.sigcomm.org/imc/2015/papers/p381.pdf>

Hugo

Rich_Kulawiec · December 2, 2016, 11:47am

[ Reposted with proper Subject line. My apologies. Insufficient coffee. ]

As you probably know Rich, that's not exactly a novel observation. Vixie
was already saying it a full six years ago, and things have only gotten
worse since then.

Yep. I remember reading that. The only change I would make is that
Paul wrote:

Most new domain names are malicious.

and I think a more accurate/updated/refined statement in 2016 would be:

Almost all new domain names are malicious.

We are busy trying to support a domain name system that is two to
three orders of magnitude larger (as measured by domains) than it
should be or needs to be. And nearly all of what we're supporting
is malicious.

---rsk

J_Hellenthal · December 2, 2016, 6:30pm

If I could have it my way, I would say no gTLD’s should be allowed to transmit any email messages whatsoever. And force them to either use something like sendgrid.com or to purchase a primary .com, .org, .net .co.uk whatever etc..

But thats just me.

It’s not a nice world but it is just the world we live in today.