From my understanding Avalanche wasn't a single botnet but was high availability infrastructure used by multiple different families/operators.
-AK On Dec 1, 2016 10:37 AM, "John Levine" <johnl@iecc.com> wrote:
Avalanche is a large nasty botnet, which was just disabled by a large coordinated action by industry and law enforcement in multiple countries. It was a lot of work, involving among other things disabling or sinkholing 800,000 domain names used to control it.
More info here:
https://www.europol.europa.eu/newsroom/news/%E2%80% 98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
http://blog.shadowserver.org/2016/12/01/avalanche/
As both items point out, if your users are infected with Avalance, they're still infected, but now if you disinfect them, they won't get reinfected. At least not with that particular flavor of malware.
R's, John