[technology taskforce] Avalanche botnet network taken down, 800,000+ domains sinkholed

Dev Anand Teelucksingh devtee at gmail.com
Thu Dec 1 20:42:31 UTC 2016


Via http://arstechnica.com/security/2016/12/legal-raids-in-five-countries-seize-botnet-servers-sinkhole-800000-domains/

"A botnet that has served up phishing attacks and at least 17
different malware families to victims for much of this decade has been
taken down in a coordinated effort by an international group of law
enforcement agencies and security firms. Law enforcement officials
seized command and control servers and took control of more than
800,000 Internet domains used by the botnet, dubbed "Avalanche," which
has been in operation in some form since at least late 2009."

The Avalanche network used a method called Double Fast Flux to rapidly
change (like every 5 mins) the IP address and nameservers used to
resolve the domains requested by infected machines - the domains
requested were either hardcoded in the malware on the infected
machines or created by a Domain Generation Algorithm in the malware
that generated thousands of domain names every day for the malware to
attempt to reach.
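The fast-flux behaviour described above is visible in passive DNS as low TTLs combined with A records that rotate across many unrelated networks, and in the "double" variant the NS records rotate as well. The following is an added example, not code from the post, from Ars Technica, Europol or the SSAC advisory: a small heuristic classifier run over a constructed set of DNS snapshots. The observations, the IP-to-ASN table, the domain names and the thresholds are all constructed for illustration; a real pipeline would feed it passive-DNS data and a routing-table based ASN lookup. The second sample domain shows the caveat a defender needs: a CDN also has low TTLs and rotating addresses, so ASN diversity, not TTL alone, is what separates it from flux hosting.

```python
"""Heuristic double fast-flux detector over passive-DNS snapshots (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    ts: int        # snapshot time in seconds (constructed values below)
    domain: str
    rtype: str     # "A" or "NS"
    value: str     # IPv4 address or nameserver hostname
    ttl: int


# Constructed stand-in for an IP-to-ASN database (TEST-NET addresses, private ASNs).
ASN_OF: Dict[str, str] = {
    "203.0.113.10": "AS64501", "203.0.113.40": "AS64504",
    "192.0.2.30": "AS64503", "192.0.2.60": "AS64506",
    "198.51.100.50": "AS64505", "198.51.100.70": "AS64507",
    "198.51.100.20": "AS64502", "198.51.100.21": "AS64502",
}


def asn_for(ip: str) -> str:
    return ASN_OF.get(ip, "AS-unknown")


def snapshots(observations: List[Observation], domain: str) -> Tuple[List[Dict[str, Set[str]]], Optional[int]]:
    """Group one domain's observations into per-timestamp A and NS record sets."""
    by_ts: Dict[int, Dict[str, Set[str]]] = defaultdict(lambda: {"A": set(), "NS": set()})
    ttls: List[int] = []
    for o in observations:
        if o.domain != domain:
            continue
        by_ts[o.ts][o.rtype].add(o.value)
        ttls.append(o.ttl)
    return [by_ts[t] for t in sorted(by_ts)], (min(ttls) if ttls else None)


def churn(sets: List[Set[str]]) -> float:
    """Fraction of consecutive snapshots whose record set changed."""
    if len(sets) < 2:
        return 0.0
    changes = sum(1 for prev, cur in zip(sets, sets[1:]) if prev != cur)
    return changes / (len(sets) - 1)


def flux_features(observations: List[Observation], domain: str) -> dict:
    snaps, min_ttl = snapshots(observations, domain)
    a_sets = [s["A"] for s in snaps]
    ns_sets = [s["NS"] for s in snaps]
    all_ips = set().union(*a_sets) if a_sets else set()
    all_ns = set().union(*ns_sets) if ns_sets else set()
    return {
        "ips": len(all_ips),
        "asns": len({asn_for(ip) for ip in all_ips}),
        "nameservers": len(all_ns),
        "min_ttl": min_ttl,
        "a_churn": churn(a_sets),
        "ns_churn": churn(ns_sets),
    }


def classify(observations: List[Observation], domain: str) -> str:
    """Constructed thresholds: many ASNs + short TTL + rotating A records = single flux;
    add rotating nameservers across several hosts = double flux."""
    f = flux_features(observations, domain)
    single = (f["asns"] >= 3 and f["min_ttl"] is not None
              and f["min_ttl"] <= 300 and f["a_churn"] >= 0.5)
    if not single:
        return "benign"
    if f["nameservers"] >= 3 and f["ns_churn"] >= 0.5:
        return "double-flux"
    return "single-flux"


def _snapshot(domain: str, ts: int, ttl: int, a: List[str], ns: List[str]) -> List[Observation]:
    return ([Observation(ts, domain, "A", ip, ttl) for ip in a]
            + [Observation(ts, domain, "NS", n, ttl) for n in ns])


# Constructed passive-DNS data: a fluxing DGA-style name and a CDN-like name, 5-minute snapshots.
SAMPLE: List[Observation] = (
    _snapshot("wxq7k2.example", 0, 120, ["203.0.113.10", "192.0.2.30", "198.51.100.50"], ["ns1.flux-a.example", "ns2.flux-b.example"])
    + _snapshot("wxq7k2.example", 300, 120, ["203.0.113.40", "192.0.2.30", "198.51.100.70"], ["ns1.flux-a.example", "ns3.flux-c.example"])
    + _snapshot("wxq7k2.example", 600, 120, ["192.0.2.60", "203.0.113.10", "198.51.100.50"], ["ns4.flux-d.example", "ns3.flux-c.example"])
    + _snapshot("wxq7k2.example", 900, 120, ["203.0.113.40", "192.0.2.60", "198.51.100.70"], ["ns4.flux-d.example", "ns2.flux-b.example"])
    + _snapshot("cdn.example", 0, 60, ["198.51.100.20"], ["ns1.cdn.example", "ns2.cdn.example"])
    + _snapshot("cdn.example", 300, 60, ["198.51.100.21"], ["ns1.cdn.example", "ns2.cdn.example"])
    + _snapshot("cdn.example", 600, 60, ["198.51.100.20"], ["ns1.cdn.example", "ns2.cdn.example"])
    + _snapshot("cdn.example", 900, 60, ["198.51.100.21"], ["ns1.cdn.example", "ns2.cdn.example"])
)

if __name__ == "__main__":
    for name in ("wxq7k2.example", "cdn.example"):
        print(name, classify(SAMPLE, name), flux_features(SAMPLE, name))
```

Both sample domains have a TTL of a few minutes and change their A records at every snapshot; only the first spreads those addresses over six autonomous systems and rotates its nameservers too, which is what the classifier reports as double flux, while the CDN-like name stays in one ASN with fixed nameservers and is left alone.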

Europol has an infographic:
https://www.europol.europa.eu/publications-documents/operation-avalanche-infographic

The SSAC published an advisory on Fast Flux Hosting
https://www.icann.org/en/system/files/files/sac-025-en.pdf


Dev Anand

