Avalanche Botnet

Original Issue Date:- January 09, 2017
Virus Type:- Avalanche Botnet Infrastructure
Severity:- High

It has been reported that a global network named “Avalanche”, consisting of a highly secure infrastructure of servers used by cyber criminals for hosting malware distribution services, phishing campaigns and botnet operations, has been taken down. The malware is believed to be distributed by means of specially crafted links in emails or malicious attachments. The malware distributed through this covert network consists mainly of information stealers, banking Trojans and ransomware. This worldwide network was capable of providing the following services:

  • Providing botnet operators an extra layer of protection against takedown and domain blocking.
  • Hosting and distributing malware.
  • Hosting various phishing campaigns.
  • Launching DoS attacks.
  • Hosting various money laundering schemes.

It has also been reported that this fast flux network was advertised on underground cybercriminal forums.

This global network makes use of fast flux DNS techniques to hide cybercriminal activity behind an ever-changing network of compromised hosts acting as proxies. These proxy machines are compromised systems that are already part of one botnet or another. Routing traffic through them helps the attacker hide behind these machines on the network, making it nearly impossible to identify the attacker’s machine.
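The fast flux behaviour described above leaves a footprint in resolver logs: a domain that answers with a different set of proxy IPs on every lookup, spread across unrelated networks, with short TTLs. The following Python script is an added triage heuristic (not part of the original advisory); the sample records and the thresholds are constructed assumptions, and /16 prefixes stand in for ASN data.

```python
"""Fast-flux triage heuristic over resolver log records (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample records: (queried domain, answer TTL in seconds, A records).
# A fast-flux domain hands out a different set of proxy IPs, spread across
# unrelated networks, on every lookup; a static domain keeps the same few IPs.
SAMPLE_LOOKUPS = [
    ("flux-example.test", 300, ["198.51.100.7", "203.0.113.44", "192.0.2.19"]),
    ("flux-example.test", 300, ["203.0.113.91", "198.51.100.120", "192.0.2.201"]),
    ("flux-example.test", 300, ["192.0.2.77", "203.0.113.8", "198.51.100.33"]),
    ("static-example.test", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("static-example.test", 86400, ["192.0.2.10", "192.0.2.11"]),
]

@dataclass
class FluxStats:
    lookups: int          # how many times the domain was resolved
    unique_ips: int       # distinct A records seen across all lookups
    unique_slash16: int   # distinct /16 prefixes, a stand-in for network diversity
    min_ttl: int          # shortest TTL observed

def summarise(lookups):
    """Aggregate per-domain counters from (domain, ttl, answers) records."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ttl, answers in lookups:
        ttls[domain].append(ttl)
        for a in answers:
            addr = ip_address(a)
            ips[domain].add(addr)
            nets[domain].add(int(addr) >> 16)  # /16 prefix; use ASN data if available
    return {d: FluxStats(len(ttls[d]), len(ips[d]), len(nets[d]), min(ttls[d]))
            for d in ttls}

def is_fast_flux(s, ip_threshold=5, net_threshold=2, ttl_threshold=600):
    """Flag a domain when it rotates many IPs across several networks with short TTLs.
    Thresholds are illustrative assumptions; CDNs can look similar, so treat a hit
    as a triage lead for analyst review rather than a verdict."""
    return (s.unique_ips >= ip_threshold and s.unique_slash16 >= net_threshold
            and s.min_ttl <= ttl_threshold)

def classify(lookups):
    """Return {domain: suspected_fast_flux} for every domain in the records."""
    return {d: is_fast_flux(s) for d, s in summarise(lookups).items()}

if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE_LOOKUPS).items():
        print(f"{domain}: {'suspected fast flux' if verdict else 'looks static'}")
```

Feed it passive DNS or resolver query logs grouped per domain; domains that trip the check are candidates for blocking or further analysis.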

Malware authors use Avalanche services to compromise machines, which are then capable of performing the following functions:

  • Stealing user credentials and other sensitive data, such as banking and credit card information.
  • Encrypting user files and demanding a ransom payment in exchange for the decryption key.
  • Providing cyber criminals unauthorized remote access to the infected computer.
  • Serving as part of distributed denial-of-service (DDoS) attacks.

Associated malware:

The various malware families using this fast flux network are listed below:

  • Windows-encryption Trojan horse (WVT) (aka Matsnu, Injector, Rannoh, Ransomlock.P)
  • URLzone (aka Bebloh)
  • Citadel
  • Gameover Zeus
  • Dridex
  • VM-ZeuS (aka KINS)
  • Bugat (aka Feodo, Geodo, Cridex, Dridex, Emotet)
  • newGOZ (aka GameOverZeuS)
  • Tinba (aka TinyBanker)
  • Nymaim/GozNym
  • Vawtrak (aka Neverquest)
  • Marcher
  • Pandabanker
  • Ranbyus
  • Smart App
  • TeslaCrypt
  • iBankingTrusteer App Trojan
  • Xswkit
  • Corebot
  • GetTiny
  • Rovnix
  • QakBot (aka Qbot, PinkSlip Bot)

Countermeasures:

  • Users are advised to visit “Cyber Swachhta Kendra” for advice on disinfecting their systems: www.cyberswachhtakendra.gov.in
  • Scan infected systems with an updated antivirus solution.
  • Disable Autorun and Autoplay policies.
  • Use a limited-privilege user account on the computer, and grant administrative access to systems only through dedicated administrative accounts.
  • Limit or eliminate the use of shared or group accounts.
  • Do not visit untrusted websites.
  • Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on workstations.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Disable unnecessary services on agency workstations and servers.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Always change default login credentials before deployment in production.

Removal Tools:

Cyber Swachhta Kendra

ESET Online Scanner

McAfee Stinger

Microsoft Safety Scanner

Norton Power Eraser

Trend Micro