DOI: 10.1145/3564625.3564646
Research article, open access

View from Above: Exploring the Malware Ecosystem from the Upper DNS Hierarchy

Published: 05 December 2022

Abstract

This work explores authoritative DNS (AuthDNS) as a new measurement perspective for studying the large-scale epidemiology of the malware ecosystem—when and where infections occur, and what infrastructure spreads and controls malware. Utilizing an AuthDNS dataset from a top registrar, we observe malware heterogeneity (202 families), global infrastructure (399,830 IPs in 151 countries) and infection (40,937 querying Autonomous Systems (ASes)) visibility, as well as breadth of temporal coverage (2017–2021). This combination of factors enables an extensive analysis of the malware ecosystem that reinforces prior work on malware infrastructure and also contributes new perspectives on malware infection distribution and lifecycle. We find that malware families re-use infrastructure, especially in cloud hosting countries, but contrary to prior work, we do not detect targeting of clients by countries or industry sector. Furthermore, our 4-year lifecycle analysis of diverse malware families shows that infection analysis is temporally sensitive: over 90% of ASes first query a malicious domain after public detection, and a median of 38.6% ASes only query after domain expiration or takedown. To fit AuthDNS into the broader context of malware research, we conclude with a comparison of experimental vantage points on four qualitative aspects and discuss their advantages and limitations. Ultimately, we establish AuthDNS as a unique measurement perspective capable of measuring global malware infections.
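The lifecycle measurement summarized above (where each AS's first query of a malicious domain falls relative to the domain's public detection and its expiration or takedown) can be reproduced on a small constructed AuthDNS log. This is an added example, not the paper's code; the record layout, the AS numbers, the domain and the milestone dates are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed AuthDNS query records: (query date, querying AS number, queried domain).
# The field layout is an assumption; the registrar dataset used in the paper is not reproduced here.
AUTHDNS_LOG = [
    (date(2020, 1, 3), 64496, "bad.example"),
    (date(2020, 1, 20), 64497, "bad.example"),
    (date(2020, 2, 15), 64497, "bad.example"),  # repeat query, not a first sighting
    (date(2020, 2, 16), 64498, "bad.example"),
    (date(2020, 3, 10), 64499, "bad.example"),
    (date(2020, 4, 2), 64500, "bad.example"),
]

# Constructed lifecycle milestones for the domain (assumption).
DETECTED = date(2020, 1, 10)  # first public detection, e.g. a blocklist listing
TAKEDOWN = date(2020, 3, 1)   # domain expiration or takedown


def first_queries(log):
    """Earliest query date observed per (domain, AS) pair."""
    first = {}
    for day, asn, domain in log:
        key = (domain, asn)
        if key not in first or day < first[key]:
            first[key] = day
    return first


def classify(first_seen, detected, takedown):
    """Bucket an AS by where its first query falls in the domain lifecycle."""
    if first_seen < detected:
        return "pre_detection"
    if first_seen < takedown:
        return "post_detection"
    return "post_takedown"


def lifecycle_fractions(log, domain, detected, takedown):
    """Share of querying ASes per lifecycle bucket for one domain."""
    counts = defaultdict(int)
    for (d, _asn), day in first_queries(log).items():
        if d == domain:
            counts[classify(day, detected, takedown)] += 1
    total = sum(counts.values())
    buckets = ("pre_detection", "post_detection", "post_takedown")
    if total == 0:  # domain never queried: avoid a division by zero
        return {k: 0.0 for k in buckets}
    return {k: counts[k] / total for k in buckets}
```

Running `lifecycle_fractions` over every domain and taking the median of the `post_takedown` share is the per-domain aggregate the abstract reports.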

Cited By

  • Practical Attacks Against DNS Reputation Systems. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4516-4534. DOI: 10.1109/SP54263.2024.00266. Online publication date: 19 May 2024.
  • DNS Exfiltration Guided by Generative Adversarial Networks. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 580-599. DOI: 10.1109/EuroSP60621.2024.00038. Online publication date: 8 July 2024.
  • Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review. Digital Forensics and Cyber Crime, pp. 33-57. DOI: 10.1007/978-3-031-56580-9_3. Online publication date: 3 April 2024.
  • C2Store: C2 Server Profiles at Your Fingertips. Proceedings of the ACM on Networking 1 (CoNEXT3), pp. 1-21. DOI: 10.1145/3629132. Online publication date: 28 November 2023.

Published In

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference, December 2022, 1021 pages. ISBN: 9781450397599. DOI: 10.1145/3564625.
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States.

Qualifiers: Research-article, Research, Refereed limited.

Conference: ACSAC. Overall acceptance rate: 104 of 497 submissions, 21%.

Article Metrics: Downloads (last 12 months) 335; downloads (last 6 weeks) 42. Reflects downloads up to 24 Dec 2024.