F.E.G. Miedema
3 records found
Behind the Botnet
Evaluating Avalanche's security controls using a reconstruction of its anatomy from forensic evidence
How did Avalanche, a botnet with an active lifetime of 8 years while serving 20+ malware families, ensure smooth operation of its business? Avalanche had the attention of security researchers and law enforcement, yet it managed to persevere for a long period of time.
In this work, we answer this question by analyzing Avalanche’s security controls and its business model based on longitudinal ground truth data from its criminal investigation by German law enforcement. We first analyzed previous botnet research and identified five research challenges: (1) the botnet phenomenon keeps evolving, so continuous research is required, (2) there is not yet a framework to categorize or interpret botnet evasion techniques, (3) botnet research is challenging due to the lack of large real-world datasets, (4) botnet takedowns are challenging and costly, so other avenues for intervening in botnets should be explored, and (5) more research is being done into botnet economics, but it is mostly based on case-study methodologies without access to ground truth data.
We defined the adversarial context of botnets and showed how their responses – evasion techniques – can be interpreted as security controls according to deviant security theory. We created a framework for categorizing these security controls, based on security control types and the type of threat. Turning to our data, we performed an exploratory analysis in which we processed, validated and interpreted the available data based on their different types: server images, network data and databases. Based on the insights from this analysis, we applied the business model canvas and described Avalanche’s business model. We describe how Avalanche provides its customers with proxying and domain registration services, generating on average $7,500 of revenue per month from 59 customers. We identified seven security controls (three technical and four administrative) that were applied to evade detection, to increase resilience against takedowns and to conceal the ownership by the botnet operators.
Our findings show that Avalanche configured itself to adequately respond to the threats in its adversarial context. Its business model – through using different key partners and many replaceable resources – and its application of security controls – such as backups, bot monitoring and proxy architecture – created redundancy in Avalanche’s operation, allowing it to detect and resolve threats quickly.
Conference paper
(2020)
Rolf van Wegberg, Fieke Miedema, Ugur Akyazi, Arman Noroozian, Bram Klievink, Michel van Eeten
Many cybercriminal entrepreneurs lack the skills and techniques to provision certain parts of their business model, leading them to outsource these parts to specialized criminal vendors. Online anonymous markets, from Silk Road to AlphaBay, have been used to search for these products and contract with their criminal vendors. While one listing of a product generates high sales numbers, another identical listing fails to sell. In this paper, we investigate which factors determine the performance of cybercrime products.
To answer this question, we analyze scraped data on the business-to-business cybercrime segments of AlphaBay (2015-2017), consisting of 7,543 listings from 1,339 vendors, sold at least 126,934 times. We construct new variables to capture product differentiators and price. We capture the influence of vendor characteristics by identifying five distinct vendor profiles based on latent profile analysis of six properties. We leverage these product and vendor characteristics to empirically predict the performance of cybercrime products, whilst controlling for the lifespan and type of solution. Consistent with earlier insights into carding forums, we identify prevalent product differentiators that influence the relative success of a product. While all these product differentiators do correlate significantly with product performance, their explanatory power is lower than that of vendor profiles. When outsourcing, the vendor seems to be of more importance to the buyers than product differentiators.
This report was written as part of the second phase of the course ’Bachelor-eindproject’ of the bachelor’s programme Technische Bestuurskunde at the Technische Universiteit Delft. The report follows on from the issue paper I wrote for the first phase of this project on combating financial, economic and fiscal fraud with a cyber component. The research concerns the design of a method for mapping a country’s involvement in trade on online anonymous markets at the product level. This method was designed following the Data Mining process and, for its analysis, uses machine learning techniques and content-based geo-location estimation methods designed for social media platforms such as Twitter. The applicability and the results of the method were tested in practice by applying the method to the FIOD case.