SAN FRANCISCO — The U.S. government has posted links for free scanning programs so companies and individuals can check their computers to make sure they weren’t victims of a massive, international cyber criminal operation that was taken down Thursday after a four-year investigation.
“This is probably the biggest operation that law enforcement has ever done against cyber crime,” said Catalin Cosoi, chief security strategist with BitDefender, one of the dozens of companies worldwide that worked with law enforcement to attack the group.
The U.S. Computer Emergency Readiness Team (US_CERT) has posted links to five scanners on its site. Europol has also posted a list of sites in multiple languages for potentially infected users. The malware only affects systems running the Microsoft Windows operating system, according to US-CERT.
The Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which includes US-CERT, will be providing victim notification to stakeholders, including Internet Service Providers, DHS said in a statement.
Known as “Avalanche,” the group had been active since 2009, according to the FBI and Europol, the European law enforcement agency. It was effectively a criminal company that sold and rented cloud-hosted software to other criminals who used it to take over systems, infect networks, launch ransomware or create enormous robot networks (botnets) to send spam.
Avalanche networks were also used to launch targeted attacks against banks and to recruit people to illegally transfer stolen money between countries, known as money mules.
“They sent more than one million e-mails with damaging attachments or links every week to unsuspecting victims,” and involved as many as 500,000 infected computers worldwide on a daily basis, Europol said in a release.
“They would do whatever you wanted. You just had to call them, say ‘I need command and control service,’ or ‘I need to infect this type of people or this type of business,’ and they’d do it,” said Cosoi.
The investigation originally began in Germany in 2012 after prosecutors there detected a ransomware operation that blocked access to a substantial number of computer systems and allowed the criminals to do bank transfers from the victims’ accounts.
As authorities became aware of the scope and reach of the criminal organization, the effort to shut it down ended up involving prosecutors and investigators in 30 countries.
Law enforcement takedown
On Wednesday, law enforcement launched a concerted action against the Avalanche group. It resulted in five arrests, the search of 37 premises and seizure of 39 servers. In addition, over 800,000 Internet domains, or addresses, were seized to block the criminals access to their customers.
Now that the operation has been taken down, the next crucial stage is for infected individuals and companies to check to make sure that their computers do not have Avalanche malware on them.
“Companies and consumers should take this opportunity to scan their systems for the different families of malware that the Avalanche botnet distributed,” said ESET senior security researcher, Stephen Cobb.
Multiple companies worldwide have written tools to run this scan.
As Europol said on its website, “computer users should note that this law enforcement action will NOT clean malware off any infected computers — it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control.”
While the effort was hailed in the cyber security world as a major coup against cyber crime, the differential between how fast international cybercrime networks proliferate and how quickly international law enforcement can act is troubling.
“It does give some reason for concern that our anti-cybercrime efforts still can’t match the speed and dexterity that cyber criminals use for their own efforts,” said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.
Unfortunately, while he believes that dismantling the Avalanche network will certainly show some short-term gains, he expects the cyber criminals will be “back up and running in short order.”
December 2, 2016