Bitdefender joins Operation Avalanche

Bitdefender has joined the Europol-led Operation Avalanche. The details of Operation Avalanche have been disclosed in a blog post from Bogdan Botezatu, Senior E-Threat Analyst, Bitdefender. The post, entitled “Bitdefender joins Europol and partners to support victim disinfection after dismantling of international criminal ring Avalanche”, makes for interesting reading.

The operation is targeting victims of a wide range of malware that was used by a now defunct cybercriminal gang. The goal is to provide free tools that will help those infected with malware clean up their devices. The blog says that 20 different malware families are being targeted for clean-up. This includes old and new malware, with some still being used by cybercriminals. On the list is botnet software such as Dridex, Matsnu and Pandabanker. The list also includes ransomware such as Teslacrypt and Cerber.

Why clean up machines?

The first phase of Operation Avalanche stopped more than 800,000 web domains used by malware. It has resulted in 30 servers being seized and over 220 put offline. This has blocked all the command & control (C&C) servers that managed the botnets involved. This is a significant success for Europol and security vendors.

Catalin Cosoi, Chief Security Strategist at Bitdefender

Now the operation has moved to victim support. This is a major change to the way these security operations have worked in the past. Too often they have concentrated on taking down criminal gangs but left victims hanging. This has made it possible for other groups to step in and take over malware infections. It can also leave victims' computers unable to reconnect to the Internet as all their traffic is routed through non-existent C&C servers. In effect, once a victim, always a victim. Until now, that is.

Catalin Cosoi, Chief Security Strategist at Bitdefender said: “Removal is a critical step that victims need to take in order to ensure the extinction of these malware families. Even if our products have successfully detected these threats since their emergence, the removal tool we built as part of the cooperation with Europol allows victims running other security solutions – or no solution at all – to successfully disinfect their machines and clean up after the botnet.”


Anything that helps users get closure after their machines have been infected is essential. Cleaning up machines won’t necessarily be simple. As the vast majority of affected machines will be using dynamic IP addresses, tracing the users is not simple. It is likely that distribution of the software will need to use the botnet mechanism to push software clean-up tools to end-user machines. However, this will require a lot of engineering to make work and require that the tools are executed on the remote machine.

We emailed Bitdefender to get more information on how this would work. At the time of going to press there was no response.


  1. This post says: “The operation is targeting victims of a wide range of malware that used by a now defunct cybercriminal gang.”
    I am afraid this is not correct.
    Yes, we read about 5 arrests. The gang leader was arrested in Ukraine (he is from Ukraine); you can find photos and video made by local police:
    But this cyber-criminal was released no more than one day after the arrest! The judge released him and he immediately disappeared. You will find a lot of Ukrainian news websites writing about it: one more:
    Four years of investigation and 40+ countries involved and just one day to lose the guy. FBI, Europol and others – should have known that Ukraine is totally corrupted. When Western countries identify those hackers – guess what – they go to Ukrainian government and become politicians. Read what Brian Krebs wrote: and this one:
    So, with our money, experience, connections, the not-so-defunct crime gang’s leader can launch Avalanche 2.0.

