Avalanche – Law Enforcement Take Down

December 1, 2016
For the past 18 months, The Shadowserver Foundation has been quietly working to support international Law Enforcement agencies in the coordinated takedown of the criminally operated Avalanche malware delivery platform.

Avalanche is a Double Fast Flux content delivery and management platform designed for the delivery and so-called bullet-proof management of botnets. More than 20 different malware families were involved, using multiple Domain Generation Algorithms (DGAs) and operating criminal infrastructure in 30 countries and US states. Over 60 registries worldwide were impacted, and the operation required unprecedented levels of effective international partnership.

[Figures: Avalanche double flux, simple view; Avalanche double flux, detailed view]

As a key member of a technical subgroup, Shadowserver worked with partners to build the sinkholing infrastructure and coordinate the international DNS Registry/Registrar activities. This resulted in disruption of the criminally operated Avalanche infrastructure and sinkholing of elements of the following malware families:

  • Bolek
  • Citadel
  • CoreBot
  • Gozi2
  • Goznym
  • KINS / VMZeus
  • Marcher
  • Matsnu
  • Nymaim
  • Pandabanker
  • Ranbyus
  • Rovnix
  • Smart App
  • Smoke Loader / Dofoil
  • TeslaCrypt
  • Tiny Banker / Tinba
  • Fake Trusteer App
  • UrlZone
  • Vawtrak
  • Xswkit

This operation has been a mammoth effort involving complex international coordination, with the final operational takedown being conducted from Europol/EC3’s Headquarters over the past 3 days. The takedown operation was publicly announced at 15:00 UTC on December 1st 2016.

We have been particularly impressed with the tenacity and ambition of the Public Prosecutor’s Office Verden and the Lüneburg Police (Germany) who took the lead on this investigation four years ago. We have similarly been impressed with the people at Europol, the FBI/DoJ and other Law Enforcement agencies – some of whom faced extraordinary challenges in bringing this operation to a successful conclusion. Similarly, credit must go to all the other technical partners involved, as well as the DNS community members who have worked so well as part of a true public/private partnership.

We will be publishing more supporting information in the coming days, but here are some initial statistics:

  • Jurisdictions: 30
  • Arrests: 5
  • Premises searched: 37
  • Servers seized: 39
  • Servers taken offline through abuse reports: 221
  • Countries with victim IPs: Over 180
  • Domains blocked or delegated to Shadowserver’s sinkholes: Over 800,000 in over 60 Top-Level Domains (TLDs)


The data from these sinkholes will be shared through our daily free mitigation feeds to national CERTs and network owners. We would encourage anyone with responsibility for internet facing networks to sign up for our free feeds here.

For existing report recipients, remediation data from this operation will be tagged in our existing feeds as “avalanche-malwarefamily-name” and will be available from the morning of Friday 2nd December 2016.
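For report recipients, one way to pull the Avalanche-tagged hosts inside your own address space out of a daily report is sketched below. It is an added example, not Shadowserver code: the CSV column names (`timestamp`, `ip`, `tag`), the `;` separator for multiple tags, the sample rows and the function name are all assumptions, and the tag is read as `avalanche-` followed by the family name.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

TAG_PREFIX = "avalanche-"  # page: tagged as "avalanche-malwarefamily-name"

# Constructed sample report. Column names and the ';' multi-tag separator
# are assumptions for illustration, not the documented feed format.
SAMPLE_REPORT = """\
timestamp,ip,tag
2016-12-02 06:10:11,192.0.2.15,avalanche-nymaim
2016-12-02 06:12:40,192.0.2.15,Avalanche-Nymaim
2016-12-02 06:13:02,192.0.2.77,avalanche-matsnu
2016-12-02 06:15:55,198.51.100.9,avalanche-nymaim
2016-12-02 06:16:01,192.0.2.77,other-tag;avalanche-rovnix
2016-12-02 06:17:30,192.0.2.200,unrelated
2016-12-02 06:18:00,not-an-ip,avalanche-tinba
"""

def avalanche_hosts(report_text, own_networks):
    """Map each in-scope IP to the sorted Avalanche families seen for it."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            ip = ipaddress.ip_address((row.get("ip") or "").strip())
        except ValueError:
            continue  # malformed address: skip the row rather than abort
        if not any(ip in net for net in nets):
            continue  # not our address space
        for tag in re.split(r"[;\s]+", (row.get("tag") or "").strip().lower()):
            # Require a non-empty family name after the prefix.
            if tag.startswith(TAG_PREFIX) and len(tag) > len(TAG_PREFIX):
                hits[str(ip)].add(tag[len(TAG_PREFIX):])
    return {ip: sorted(families) for ip, families in sorted(hits.items())}

if __name__ == "__main__":
    for ip, families in avalanche_hosts(SAMPLE_REPORT, ["192.0.2.0/24"]).items():
        print(ip, ",".join(families))
```

A host that appears under more than one family, like the second address in the sample, needs cleaning for each family, which is consistent with the remediation advice that follows.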

Many of the sinkholed domains saw the first full scale use of the Registrar of Last Resort (RoLR) – another not-for-profit organization set up by The Shadowserver Foundation to assist DNS Registries and Law Enforcement agencies in remediating DNS related abuse.

Remediation Advice

While the sinkholed victims are now hopefully shielded from direct exploitation by this group of criminals – they are still infected with one or more families of malware and likely to be vulnerable to others. Law enforcement have worked with security companies globally to build disinfection tools and have provided an array of links to solutions that will enhance the protection of end users. We encourage concerned computer users to check their systems.

In alphabetical order they include:

  • German BSI
  • Dr Web
  • ESET Online Scanner
  • McAfee Stinger
  • Microsoft Safety Scanner
  • Norton Power Eraser
  • Trend Micro

  • 2017-02-22 – Added eScan
