Annual Computer Security Applications Conference (ACSAC) 2022


View from Above: Exploring the Malware Ecosystem from the Upper DNS Hierarchy

This work explores authoritative DNS (AuthDNS) as a new measurement perspective for studying the large-scale epidemiology of the malware ecosystem: when and where infections occur, and what infrastructure spreads and controls malware. Using a passive AuthDNS dataset from a top domain registrar, we observe heterogeneous malware (202 families), global infrastructure (399,830 IPs in 151 countries), broad infection visibility (40,937 querying autonomous systems), and wide temporal coverage (2017–2021). This combination enables a broad analysis of the malware ecosystem that reinforces prior work on malware infrastructure and contributes new perspectives on the distribution and lifecycle of malware infections. We replicate the prior observation that malware families re-use network infrastructure and are primarily hosted in popular cloud hosting countries. Contrary to prior work, we do not detect targeting of clients in specific countries or industry sectors. In addition to comparing results with previous research, we contribute the first temporal lifecycle analysis of different malware families across four years of DNS data. The AuthDNS data shows that, in most cases, over 90% of autonomous systems first query a malicious domain only after its public detection, and a median of 38.6% of ASNs first query after the domain has expired or been taken down. To fit AuthDNS into the broader context of malware research, we conclude with a comparison of experimental vantage points on four key qualitative aspects and discuss the advantages and limitations of each. Ultimately, we establish AuthDNS as a unique measurement perspective capable of measuring global malware infections and validate previously published work from a fresh point of view.
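The lifecycle measurement the abstract describes (per-ASN first query of a malicious domain, placed relative to the domain's public detection date and its expiration or takedown date) can be reproduced in miniature over passive AuthDNS records. The following is an added example written for this page, not code from the paper or its authors; the log rows, domain names, ASNs and milestone dates are constructed and hypothetical, and the strictly-after comparison is an assumption about how "first query after detection" is counted.

```python
"""Per-ASN first-query lifecycle analysis over passive AuthDNS records.
Added illustration, not the paper's code; every record below is constructed."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed passive AuthDNS observations: (query date, queried domain, querying ASN).
# A real registrar-side dataset is one row per (date, domain, ASN) after de-duplication,
# and is not guaranteed to be sorted, which the code below does not assume.
AUTHDNS_LOG = [
    (date(2019, 3, 1), "c2-alpha.example", 64496),
    (date(2019, 3, 3), "c2-alpha.example", 64497),
    (date(2019, 3, 2), "c2-alpha.example", 64497),    # out-of-order earlier sighting
    (date(2019, 3, 20), "c2-alpha.example", 64498),
    (date(2019, 4, 2), "c2-alpha.example", 64499),
    (date(2019, 4, 9), "c2-alpha.example", 64500),
    (date(2019, 4, 15), "c2-alpha.example", 64496),   # repeat query, not a first query
    (date(2020, 6, 5), "dropper-beta.example", 64496),
    (date(2020, 6, 30), "dropper-beta.example", 64501),
    (date(2020, 7, 14), "dropper-beta.example", 64502),
    (date(2020, 8, 1), "dropper-beta.example", 64503),
]

# Constructed (hypothetical) lifecycle milestones per malicious domain: the day a public
# source first labelled it malicious, and the day it expired or was taken down
# (None if it was still registered at the end of the observation window).
MILESTONES = {
    "c2-alpha.example": {"detected": date(2019, 3, 5), "takedown": date(2019, 4, 5)},
    "dropper-beta.example": {"detected": date(2020, 6, 1), "takedown": None},
}


def first_query_per_asn(log):
    """Map domain -> {asn: earliest date that ASN was observed querying it}."""
    first = defaultdict(dict)
    for day, domain, asn in log:
        seen = first[domain].get(asn)
        if seen is None or day < seen:
            first[domain][asn] = day
    return first


def lifecycle_fractions(log, milestones):
    """Per domain: share of querying ASNs whose first query fell strictly after
    public detection, and strictly after takedown/expiration (None if the domain
    never expired inside the window). Use >= instead if same-day queries should count."""
    result = {}
    for domain, per_asn in first_query_per_asn(log).items():
        m = milestones[domain]
        n = len(per_asn)
        after_det = sum(1 for d in per_asn.values() if d > m["detected"]) / n
        after_td = None
        if m["takedown"] is not None:
            after_td = sum(1 for d in per_asn.values() if d > m["takedown"]) / n
        result[domain] = {"asns": n, "after_detection": after_det, "after_takedown": after_td}
    return result


def summarize(fractions):
    """Aggregate across domains in the shape the abstract reports: how many domains
    have >90% of ASNs first querying after detection, and the median post-takedown
    share over the domains that actually expired or were taken down."""
    over_90 = sum(1 for f in fractions.values() if f["after_detection"] > 0.9)
    takedown_shares = [f["after_takedown"] for f in fractions.values()
                       if f["after_takedown"] is not None]
    return {
        "domains": len(fractions),
        "domains_over_90pct_after_detection": over_90,
        "median_after_takedown": median(takedown_shares) if takedown_shares else None,
    }


if __name__ == "__main__":
    fractions = lifecycle_fractions(AUTHDNS_LOG, MILESTONES)
    for domain, f in fractions.items():
        print(domain, f)
    print(summarize(fractions))
```

Two caveats a practitioner should carry over to real data: the denominator is the set of ASNs that queried the domain at all, so an ASN whose resolver cache or recursive hierarchy hid its query from the authoritative server is invisible here, and the milestone dates must come from a source independent of the AuthDNS log (a public blocklist's first-seen date, registrar expiration records), otherwise the "after detection" share is circular.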

Aaron Faulkenberry
Georgia Institute of Technology

Athanasios Avgetidis
Georgia Institute of Technology

Zane Ma
Georgia Institute of Technology

Omar Alrawi
Georgia Institute of Technology

Charles Lever

Panagiotis Kintis
Voreas Laboratories Inc

Fabian Monrose
Georgia Institute of Technology

Angelos D. Keromytis
Georgia Institute of Technology

Manos Antonakakis
Georgia Institute of Technology

Paper (ACM DL)
