Bundesamt für Sicherheit in der Informationstechnik

I have heard of the dismantling of the Avalanche Botnet infrastructure. What does that mean?

An internationally active group of criminals had build up an infrastructure for Botnets, that was used million fold to infect private or commercial Computer systems or mobile smartphones with different malware. About 20 different botnets used that infrastructure to distribute spam- and phishing e-mails, ransomware or online-banking fraud.
You can find more details in the press-release (Pressemitteilung vom 01.12.2016) or media articles.

I received a warning by my Internet Service Provider. How does he know I am affected?

In the course of dismantling the botnet, so called Sinkhole Servers are activated. To those, the connection attempts of infected machines are rerouted. They help to log / record these connection attempts. The IP address is extracted. This IP address can be allocated to a Internet Service Provider, as they have publicly known fix IP ranges. The IP address and a time-stamp is communicated to the Internet service provider. Only they can identify their customers and warn them. This is not possible for the sinkhole-operator.

I received a warning by my provider. What shall I do?

If you receive a message by your provider, it means, that at a given recent time, at least one of the systems you connect to the internet has been or probably still is part of the Avalanche botnet infrastructure.

In that case we strongly suggest to check all systems used including mobile smartphones which connect to the network of the provider for a malware infection and close vulnerabilities.
In addition to a recently updated anti-virus program, you might use a so called „rescue-CD“ offered on the websites of most anti-virus vendors.

According to our investigations, primarily Windows-systems and Android smartphones were part of the respective botnets. But an infection of smartphones with Apple iOS, Microsoft Windows Phone or operating systems like Apples OS X or Linux can not be ruled out completely.

Currently, we have no indication that systems being part of the Internet of Things (IoT) like webcams, printers or TV-receivers are part of the botnet infrastructure.

If you are in doubt, that your systems is cleared completely you might ask for competent help of a local commercial IT-security service.

After cleaning your systems and closing all vulnerabilities (updates, patches, …) we strongly recommend to change all passwords (e-mail account, online banking, online shops, social network, other internet services).

Be aware: First check, clean and update your system, then change your passwords. Otherwise any still active malware on the systems will be able to spy again on your new passwords.
Be sure to choose different and strong passwords.

I did not receive a warning by my provider. Does it mean my systems are safe and free of malware?

Unfortunately, no. If you did not receive a warning by your provider, it means your IP-address is not misused in that specific botnet infrastructure Avalanche or your provider has not informed you yet. It is up to the providers to match the handed over IP-address with its customer-database and inform them.

Next to the Avalanche botnet infrastructure there exists a plenitude of malware and other botnets, which are still active. The only way to reduce the risk, that your system becomes infected is the regular scanning of your system and keeping it up-to-date.

What does it mean if my system is part of a botnet?

If a computer or smartphone is infected with malware it often means it will become part of botnet. A "bot" is an infected computer remotely controlled by a criminal. A botnet is a multitude (often several thousand) of infected computers remotely connected to a network of system. This network of bots is then used to distribute spam- or phishing e-mails, to spread unwanted advertisement, to steal passwords, online-banking- or confidential business-data, and to attack a victim's system by multiple requests to flood it that it becomes overwhelmed (Distributed Denial of Service Attack - DDoS). Systems can be misused to act as infrastructure for the criminals to hide their identity behind a screen of bots.

In other word, your system, the system you are responsible for, is misused for criminal activity, harming other users of the internet, partly resulting in severe financial losses.
In the hands of economically motivated criminals botnets are one of the larges dangers in the internet.

Was there done any damage without me noticing it?

This is possible. The different types of malware used by the criminals in the context of the Avalanche botnet infrastructure allow them to spy on an infected system. They can spy on your password or personal data, steal or manipulate online transactions you do while your do online banking or online shopping.

Especially when using online banking please check in regular intervals your monthly paper or PDF statement of account for unexplained or suspicious account activity. Be aware, that current advanced malware like URLzone is able to alter in real time the booking and account-information in your Internet-browser on the screen.

My anti-virus program does not show any infection after a scan or cleaning session. Is my system safe now?

Be aware, there is no 100% guaranty for a real successful cleaning of an infected system with an anti-virus program. The attackers are regularly hardening and adopting their malware to avoid detection and survive cleaning. Often systems get infected by different malware. It is important to verify the cleaning of your system possibly with different rescue CDs by different AV-vendors.

If you have to or really want to be sure, make a backup and set up your system from scratch. Make sure, that when you play back your backup, no executables are reconstructed, as they can reinfect your system.

Should you be in doubt, you might hire a professional commercial IT-security professional.

Which malware has been identified within the Avalanche botnet infrastructure?

The following malware families have been found within the Avalanche botnet infrastructure. Please notice, that different anti-virus programs have different names for the same malware. Often also generic names like „downloader XYZ“ could be named by anti-virus programs.

  • Andromeda/Gamarue is a malware downloader that loads additional malware like banking trojans and executes them on the infected system. They also have Plug-Ins, with additional functions like information stealers.
  • Bolek is a banking trojan. They spy on online banking for PINs or TANs.
  • Citadel is a banking trojan.
  • Corebot is a banking trojan.
  • Dofoil/Smokeloader is a malware downloader.
  • Gozi2 is a banking trojan.
  • KINS/VMZeus is a banking trojan.
  • Marcher is a banking trojan for Android based systems.
  • Matsnu is a malware downloader.
  • Nymaim is a malware downloader.
  • Pandabanker is a banking trojan.
  • Ranbyus is a banking-trojan.
  • Rovnix is a banking-trojan.
  • Smart App is banking trojan for Android based systems.
  • TeslaCrypt is a Ransomware trojan.
  • Tiny Banker/Tinba is a banking trojan.
  • Trusteer App is a banking trojan for Android based systems.
  • URLZone/Bebloh is a banking trojan.
  • Vawtrak is a banking-trojan.
  • Xswkit is a malware downloader.

I cleaned my system or set it up again from scratch. But now I received another warning by my provider. Do I need to become active again?

Yes, you do. As you received another warning by your provider, your system is again or still infected by malware from the avalanche botnet. This may be caused by the following reasons:

  • Your cleaning was not successful or complete. You should do it again or set up your system from scratch. In doubt, contact or hire a computer specialist.
  • Your system has been infected again by a malware from the Avalanche infrastructure family. Please secure the vulnerabilities of your system and clean it again.
  • An other system being part of your Internet access is still or again infected with a from the Avalanche infrastructure family malware.

Do I receive a warning by my provider every time my system is infected by a malware?

Unfortunately, no. You only receive a warning when your system is infected by a malware, which is a part of the Avalanche infrastructure or a malware, which is sinkholed and reported to your provider by other security organizations. Any malware may operate unnoticed on your system, unless you discover it with an up to date anti-virus program.