The Avalanche botnet, also known as “MS-Redirect”, has been responsible for hosting phishing pages and malware distribution attacks on over 35 organizations, including the IRS, Facebook, MySpace, most recently NACHA, and many more. Unfortunately, there’s a great deal of confusion over how this botnet works and how it’s related to other malware.
Let’s clear it up once and for all.
There are actually 3 distinct but related types of malware being used to commit various scams by one or more criminal groups.
Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams. The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information. It is basically a hosting platform used by the attackers. Because the Avalanche bots act as a simple proxy, and there are thousands of them, it has been exceedingly difficult to shutdown the phish pages. Instead most Anti-Phishing organizations have focused on shutting down the domain names that were used in the phishing URLs.
PhishLabs recently presented new information about the Avalanche botnet at the recent Anti-Phishing Working Group (APWG) fall conference. We were able to acquire a copy of the bot software and analyze it. What we learned is that the malware is actually rather simple. It listens on TCP port 80 for incoming connections and simply relays data receives to another server that hosts the actual phishing pages and malware files.
In an effort to help service providers and others clean-up Avalanche infected machines, here are the key details:
Bot Binary Path: C:\windows\system32\sysservice.exe
Bot Configuration File: C:\windows\system32\sysservice.dll
Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Startup Manager = “%System%\sysservice.exe”
Removing the Avalanche bot components is as simple as deleting the two files and one registry key.
PhishLabs has also been able to determine the IP addresses for a large number of the infected systems. Service Providers are invited to contact us at info -at- phishlabs.com for a list. We have also shared this information with our friends at ShadowServer who are helping report infected systems as well.