Behind the Botnet

Evaluating Avalanche's security controls using a reconstruction of its anatomy from forensic evidence

How did Avalanche, a botnet with an active lifetime of 8 years that served more than 20 malware families, keep its business running smoothly? Avalanche had the attention of security researchers and law enforcement, yet it managed to persist for a long period of time.
In this work, we answer this question by analyzing Avalanche’s security controls and its business model based on longitudinal ground-truth data from its criminal investigation by German law enforcement. We first analyzed previous botnet research and identified five research challenges: (1) the botnet phenomenon keeps evolving, so continuous research is required; (2) there is not yet a framework to categorize or interpret botnet evasion techniques; (3) botnet research is challenging due to the lack of large real-world datasets; (4) botnet takedowns are challenging and costly, so other avenues for intervening in botnets should be explored; and (5) more research is being done into botnet economics, but it is mostly based on case-study methodologies without access to ground-truth data.
We defined the adversarial context of botnets and showed how their responses – evasion techniques – can be interpreted as security controls according to deviant security theory. We created a framework for categorizing these security controls based on the type of control and the type of threat. Turning to our data, we performed an exploratory analysis in which we processed, validated and interpreted the available data according to their different types: server images, network data and databases. Based on the insights from this analysis, we applied the business model canvas and described Avalanche’s business model. We describe how Avalanche provided its customers with proxying and domain registration services, generating on average $7,500 of revenue per month from 59 customers. We identified seven security controls, three technical and four administrative, that were applied to evade detection, to increase resilience against takedowns and to conceal the botnet operators’ ownership.
Our findings show that Avalanche configured itself to respond adequately to the threats in its adversarial context. Its business model – through using different key partners and many replaceable resources – and its application of security controls – such as backups, bot monitoring and its proxy architecture – created redundancy in Avalanche’s operation, allowing it to detect and resolve threats quickly.