Bitdefender has joined the Europol-led Operation Avalanche. The details of Operation Avalanche have been disclosed in a blog post from Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender. The post, entitled “Bitdefender joins Europol and partners to support victim disinfection after dismantling of international criminal ring Avalanche”, makes for interesting reading.
The operation is targeting victims of a wide range of malware that was used by a now defunct cybercriminal gang. The goal is to provide free tools that will help those infected clean up their devices. The blog post says that 20 different malware families are being targeted for clean-up. This includes old and new malware, some of it still in use by cybercriminals. On the list is botnet software such as Dridex, Matsnu and Pandabanker. The list also includes ransomware such as TeslaCrypt and Cerber.
Why clean-up machines?
The first phase of Operation Avalanche stopped more than 800,000 web domains used by malware. It has resulted in 30 servers being seized and over 220 put offline. This has blocked all the command & control (C&C) servers that managed the botnets involved. This is a significant success for Europol and security vendors.
Now the operation has moved to victim support. This is a major change to the way these security operations have worked in the past. Too often they have concentrated on taking down criminal gangs but left victims hanging. That has made it possible for other groups to step in and take over the existing infections. It can also leave victims’ computers unable to reconnect to the Internet, because the malware still routes their traffic through C&C servers that no longer exist. In effect, once a victim, always a victim. Until now, that is.
Catalin Cosoi, Chief Security Strategist at Bitdefender said: “Removal is a critical step that victims need to take in order to ensure the extinction of these malware families. Even if our products have successfully detected these threats since their emergence, the removal tool we built as part of the cooperation with Europol allows victims running other security solutions – or no solution at all – to successfully disinfect their machines and clean up after the botnet.”
Anything that helps users get closure after their machines have been infected is essential. Cleaning up those machines won’t necessarily be simple, though. The vast majority of affected machines will be on dynamic IP addresses, so tracing the owners is not straightforward. It is likely that distributing the software will mean using the botnet’s own mechanism to push the clean-up tools to end-user machines. However, that will require a lot of engineering to make work, and it means the tools would have to be executed on the remote machine rather than by the user.
We emailed Bitdefender to get more information on how this would work. At the time of going to press there was no response.