Last week Europol and a number of other organisations, including security vendors, helped take down a major cybercrime gang. As soon as the operation was complete, a secondary phase to clean up infected computers was launched. We reported on the role of Bitdefender in that second phase, but there were a number of unanswered questions. We have now had those answers, and the questions and answers are printed below.
In the meantime we also received a comment on the original article that required some investigation. It pointed out that just five people were arrested and that the ringleader was released within 24 hours. The comment claimed that this would allow him to move on and launch Avalanche 2.0. We held off publishing the comment while we validated some of its contents. While this is not normal practice, we wanted to be sure we didn’t ignore something that seemed to be highly relevant.
Part of the comment related to articles published several years ago, which seem to have limited bearing on current events. However, it also pointed us to several Ukrainian news sources which we wanted to check out. These sources shed some interesting light on what has happened to the prime suspect.
They show that the ringleader, Gennady Kapkanova, was released by the Poltava court. It appears that there was a claim that under Ukrainian law he cannot be handed over to other countries, and he was not being charged with offences committed in Ukraine. Ukraine is a member of Interpol. Given that it took part willingly in this operation, which was led by Interpol, it would have known what was required to hold Kapkanova. Ukraine also has extradition agreements with other countries. It seems strange, therefore, that none of this was taken into account before the arrest of Kapkanova by Operation Avalanche.
The problem now is that Kapkanova is free and has disappeared. This creates several problems. Cleaning up the machines that were infected by his botnet, Avalanche, will take time and be difficult. While security companies try to identify infected users, Kapkanova is likely to try to take control of those machines using different malware. On top of this, Kapkanova is once again on the run and will be even harder to catch than before.
It will also be interesting to see how this affects the working relationship between Ukraine, Europol and other countries. At present Ukraine has several cases before Interpol for which it is seeking assistance. If Ukraine is unwilling to hold up its end of the deal, then it is likely that some countries will refuse to assist it.
There is no mention at all on the Interpol site of Kapkanova being freed. Instead it is only willing to talk about what Operation Avalanche achieved and the cleaning of infected computers. Ukraine is regularly listed by security companies as a major cybercrime hub. Events like this will do nothing to change that view.
Our Questions and the responses from Bitdefender
How will Bitdefender identify affected users?
Identification of the affected customers is one of the most difficult parts of the clean-up process. While we are monitoring the sinkholes (the domains used by malware for communications, but which are now registered to the parties involved in the takedown), we also advise every internet-connected computer owner to download and run the removal tool.
How will the software be distributed to them?
We cannot contact the affected parties directly because we can’t associate an identity to an infected machine. This could be done at the ISP level but these service providers might not have the resources or the technology necessary to scan all outbound traffic and identify patterns that are specific to botnet activity. This is why we urge all people who learn about the takedown to do their part for a safer Internet and run a free scan.
Do they have to download it?
Yes, the tool is freely available on the Bitdefender website at http://download.bitdefender.com/removal_tools/BDRemTool.exe
What if they are offline as a result of their machine being set to only talk to the C&C server?
In case they can’t access the resource above from the infected computer, they can download it from a different computer and run it off a USB flash drive. The removal tool does not rely on the cloud or internet to perform the clean-up process.
Is this finally the start of a new phase in clean-up, by addressing the victims rather than leaving them to sort out their computers on their own?
Victims will still need to address the matter on their own. However, this coordinated takedown ensures that not only the botnet gets taken down, but that victims get free, readily-available tools to help them get rid of the botnet.
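The two answers above describe the defender's side of a takedown: once the command-and-control domains are sinkholed, every machine that still tries to reach them identifies itself as infected, and an ISP or network administrator can spot those machines in their own resolver or proxy logs. The following script is an added example, not Bitdefender's or Europol's code. It assumes a simple resolver log format (timestamp, client IP, queried name) that is constructed here, and the sinkhole domain names are placeholders, not the real Avalanche sinkholes; a real list would come from the takedown coordinators.

```python
"""Identify internal hosts that have contacted sinkholed botnet domains.

Added example, not code from Bitdefender or the Avalanche takedown. The log
format and the sinkhole domain names are assumptions constructed for the
example; substitute your own resolver logs and the official sinkhole list.
"""
import ipaddress
import re

# Placeholder sinkhole domains (assumption, not the real Avalanche sinkholes).
SINKHOLE_DOMAINS = frozenset({
    "sinkhole-a.example",
    "sinkhole-b.example",
})

# Constructed resolver log lines, in the shape a local DNS server might record.
# Includes mixed case, a trailing dot, a malformed line and a look-alike name
# that must not match.
SAMPLE_LOG = """\
2016-12-05T10:01:12Z 10.0.0.15 query: www.example.org
2016-12-05T10:01:13Z 10.0.0.22 query: cdn.SINKHOLE-A.example.
2016-12-05T10:01:40Z 10.0.0.22 query: cdn.sinkhole-a.example
2016-12-05T10:02:01Z 10.0.0.31 query: sinkhole-b.example
2016-12-05T10:02:05Z 10.0.0.15 query: mail.example.org
malformed line that should be skipped
2016-12-05T10:03:00Z 10.0.0.31 query: notsinkhole-b.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)$")


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def is_sinkholed(qname: str, sinkholes=SINKHOLE_DOMAINS) -> bool:
    """True if qname is a sinkhole domain or a subdomain of one.

    Suffix matching is done on label boundaries, so 'notsinkhole-b.example'
    does not match 'sinkhole-b.example'.
    """
    name = normalize(qname)
    return any(name == s or name.endswith("." + s) for s in sinkholes)


def parse_line(line: str):
    """Return (timestamp, client_ip, normalized_qname) or None for bad lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname = m.groups()
    try:
        ipaddress.ip_address(client)  # reject lines whose client field is not an IP
    except ValueError:
        return None
    return ts, client, normalize(qname)


def affected_hosts(log_text: str, sinkholes=SINKHOLE_DOMAINS) -> dict:
    """Map each client IP that queried a sinkhole domain to a summary dict:
    {'count': n, 'domains': set_of_names, 'first_seen': ts, 'last_seen': ts}.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        if not is_sinkholed(qname, sinkholes):
            continue
        entry = hits.setdefault(
            client, {"count": 0, "domains": set(), "first_seen": ts, "last_seen": ts}
        )
        entry["count"] += 1
        entry["domains"].add(qname)
        entry["last_seen"] = ts
    return hits


if __name__ == "__main__":
    # Hosts listed here are the ones to notify and point at the removal tool.
    for client, info in sorted(affected_hosts(SAMPLE_LOG).items()):
        print(
            f"{client}: {info['count']} queries to {sorted(info['domains'])} "
            f"between {info['first_seen']} and {info['last_seen']}"
        )
```

On the constructed log this reports 10.0.0.22 (two queries to the sinkhole-a placeholder) and 10.0.0.31 (one query to sinkhole-b), and ignores 10.0.0.15 and the look-alike name. The point of the label-boundary check is the same caveat Bitdefender raises about the ISP-level approach: a crude substring match over outbound traffic produces false positives, and every false positive is a user told to clean a machine that is not infected.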
Comment from James Black Junior on the original article
This post says: “The operation is targeting victims of a wide range of malware that used by a now defunct cybercriminal gang.”
I am afraid this is not correct.
Yes, we read about 5 arrests. The gang leader was arrested in Ukraine (he is from Ukraine); you can find photos and video made by the local police: http://soft2secure.com/news/avalanche-platform-taken-down
But this cyber-criminal was released no more than one day after the arrest! The judge released him and he immediately disappeared. You will find a lot of Ukrainian news websites writing about it: http://obozrevatel.com/crime/14726-ukrainskoe-pravosudie-organizatora-krupnejshej-kiberseti-otpustili-na-volyu.htm and one more: http://poltava.to/news/40985/
Four years of investigation and 40+ countries involved and just one day to lose the guy. FBI, Europol and others – should have known that Ukraine is totally corrupted. When Western countries identify those hackers – guess what – they go to Ukrainian government and become politicians.
Read what Brian Krebs wrote: http://voices.washingtonpost.com/securityfix/2008/03/the_curious_case_of_dmitry_gol.html
and this one:
So, with our money, experience, connections, the not-so-defunct crime gang’s leader can launch Avalanche 2.0.