Bundesamt für Sicherheit in der Informationstechnik

Avalanche – global network of botnets dismantled


An internationally active criminal network has infected hundreds of thousands of private and commercial computer systems with various malware. This network, known as "Avalanche", is currently one of the largest known botnet infrastructures in the world. A total of 20 different botnets were identified that used this infrastructure to distribute millions of spam and phishing mails as well as malware such as ransomware and banking trojans.

On November 30th, 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Lueneburg Police, Germany, in close cooperation with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Europol, Eurojust and global partners, dismantled this international criminal infrastructure. The German Federal Office for Information Security (BSI) supported this operation.

In the course of dismantling the infrastructure, so-called "sinkhole servers" were installed to identify the IP addresses of infected computers. At the end of November 2017, this sinkholing was extended for another year. Furthermore, information on affected German IP addresses will be provided to the responsible Internet service providers (ISPs) in Germany, who can then notify their customers of the infection. With this approach, only currently infected systems that are part of this botnet infrastructure can be identified. Information on affected IP addresses in other countries is provided by CERT-Bund to the respective national CERTs in more than 80 countries worldwide.
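The sinkhole-to-notification flow described above, as an added illustration that is not part of the BSI text: connections from infected hosts to the sinkhole are logged, each source IP is mapped to its operator and country, and the hits are grouped into one report per German ISP and one per foreign national CERT. The log lines, the prefix table and the operator names are constructed placeholders, not real Avalanche data.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log lines (not real data): timestamp, source IP, sinkholed host, tags.
SINKHOLE_LOG = """\
2017-12-01T08:15:02Z 203.0.113.17 c2-a.example sinkhole=avalanche family=ransom-X
2017-12-01T08:15:09Z 198.51.100.42 c2-b.example sinkhole=avalanche family=bank-Y
2017-12-01T08:16:44Z 203.0.113.17 c2-a.example sinkhole=avalanche family=ransom-X
2017-12-01T08:17:01Z 192.0.2.200 c2-c.example sinkhole=avalanche family=bank-Y
2017-12-01T08:18:30Z 203.0.113.130 c2-a.example sinkhole=avalanche family=ransom-X
"""

# Constructed prefix -> (country, operator) table standing in for WHOIS/BGP data; names are hypothetical.
PREFIX_TABLE = [
    ("203.0.113.0/25", "DE", "ISP-Alpha"),
    ("203.0.113.128/25", "DE", "ISP-Beta"),
    ("198.51.100.0/24", "FR", "ISP-Gamma"),
    ("192.0.2.0/24", "NL", "ISP-Delta"),
]

def lookup(ip):
    """Longest-prefix match against PREFIX_TABLE; None if the IP is not covered."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), c, o) for p, c, o in PREFIX_TABLE
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    _, country, operator = max(hits, key=lambda h: h[0].prefixlen)
    return country, operator

def parse_line(line):
    ts, ip, host, *kv = line.split()
    tags = dict(item.split("=", 1) for item in kv)  # key=value tags -> dict
    return {"ts": ts, "ip": ip, "host": host, "family": tags.get("family", "unknown")}

def build_notifications(log_text, home_country="DE"):
    """Return (isp_report, cert_report): recipient -> {ip: set(families)}; repeat hits collapse."""
    isp_report = defaultdict(lambda: defaultdict(set))
    cert_report = defaultdict(lambda: defaultdict(set))
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        hit = lookup(rec["ip"])
        if hit is None:          # unknown prefix: nobody to notify, keep for manual review
            continue
        country, operator = hit
        # Home-country hits go to the ISP; everything else to that country's national CERT.
        target = isp_report[operator] if country == home_country else cert_report[country]
        target[rec["ip"]].add(rec["family"])
    return isp_report, cert_report
```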

Victims notified by their ISPs should check their systems for a malware infection and fix security vulnerabilities on their computers. Dismantling the infrastructure does not remove the malware from infected systems; it is still present. It cannot be ruled out that criminals will regain control over the infected machines. Affected users should therefore act immediately. Even users who do not receive a warning from their provider can take this as an occasion to check their computers for vulnerabilities and infections.

According to our analysis, primarily Windows-based computers and Android smartphones were part of the respective botnets. However, infections of smartphones running Apple iOS or Microsoft Windows Phone, or of systems running Apple's OS X or Linux, cannot be ruled out completely.
Currently, we have no indication that Internet of Things (IoT) devices such as webcams, printers or TV receivers are part of the botnet infrastructure.

Additional information can be found in our FAQ.

Please also refer to your national IT security organizations or to IT security and anti-virus vendors for information on how to remove malware and make your systems more secure.