Skip to main content
SpringerLink
Log in

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware

  • Conference paper
  • First Online:
Book cover Passive and Active Measurement (PAM 2020)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 12048))

Included in the following conference series:

Abstract

Recently, as various detection approaches of malicious domains and malware are proposed, the malware which connects to its command and control (C&C) server using techniques like domain flux can be identified effectively. Therefore, cybercriminals seek new alternative methods and discover that DNS based on blockchains can be used to connect C&C servers. Because of the distributed ledger technology, domain names resolved by blockchain DNS, called blockchain domain names (BDNs), are of inherent anonymity and censorship-resistance. We analyzed the work mechanism of this new type of malware. In order to detect malicious BDNs, we propose a prototype system, named Leopard, which analyzes DNS traffic patterns and resource records of BDNs. To our best knowledge, we are the first to propose the automatic detection of malicious BDNs. In Leopard, we extracted 17 features from collected traffic and distinguished between malicious BDNs and domains operated by generic and country-code top-level domains registries from the Alexa top 5000 using a random forest model. In our experiments, we evaluate Leopard on a nine-day real-world dataset. The experimental results show that Leopard can effectively detect malicious BDNs with an AUC of 0.9980 and discover 286 unknown malicious BDNs from the dataset.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In the remainder of the paper, DNS servers we discuss refer to the servers which provide BDNs resolution service.

  2. 2.

    The link of the public datasets is https://drive.google.com/open?id=1YzVB7cZiMspnTAERBATyvqWKGj0CqGT.

  3. 3.

    The samples of BDN-based malware are obtained from Abuse.ch.

  4. 4.

    We named July 29 dataset as \(D_1\), July 30 dataset as \(D_2\), and so on.

  5. 5.

    If BDNs are blocked by OpenNIC, the servers responded the A records of the special IPs such as 192.168.0.1, 0.0.0.0, 127.0.0.1, and 192.0.2.1.

  6. 6.

    The explorer of Namecoin is https://namecha.in and the explorer of Emercoin is https://explorer.emercoin.com/nvs.

  7. 7.

    ROC curve is the receiver operating characteristic curve.

References

  1. Namecoin Homepage. https://namecoin.org/dot-bit/. Accessed 23 Oct 2019

  2. Antonakakis, M., et al.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: Proceedings of the 21st USENIX Conference on Security Symposium (2012)

    Google Scholar 

  3. Plohmann, D., Yakdan, K., Klatt, M., Bader, J.: A comprehensive measurement study of domain generating malware. In: Proceedings of the 25th USENIX Conference on Security Symposium (2016)

    Google Scholar 

  4. Anderson, H.S., Woodbridge, J., Filar, B.: DeepDGA: adversarially-tuned domain generation and detection. (2016). http://arxiv.org/abs/1610.01969

  5. How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: Blockchain Infrastructure Use. https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html. Accessed 23 Oct 2019

  6. Bitcoin Domains. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-bitcoin-domains.pdf. Accessed 23 Oct 2019

  7. Abuse.ch Homepage. https://abuse.ch/. Accessed 23 Oct 2019

  8. ThreatBook Cloud Sandbox Homepage. https://s.threatbook.cn. Accessed 23 Oct 2019

  9. Dig Homepage. https://linux.die.net/man/1/dig. Accessed 23 Oct 2019

  10. BitName Homepage. https://bitname.ru/index.php?lang=en. Accessed 23 Oct 2019

  11. Gu, G., Perdisci, R., Zhang, J., Lee W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)

    Google Scholar 

  12. Zhang, J., Jang, J., Gu, G., Stoecklin, M.P., Hu, X.: Error-sensor: mining information from HTTP error traffic for malware intelligence. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 467–489. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_22

    Chapter  Google Scholar 

  13. Wang, T.S., Lin, H.T., Cheng, W.T., Chen, C.Y.: DBod: clustering and detecting DGA-based botnets using DNS traffic analysis. Comput. Secur. 64, 1–15 (2017)

    Article  Google Scholar 

  14. .Bit-The Next Generation of Bulletproof Hosting. https://abuse.ch/blog/dot-bit-the-next-generation-of-bulletproof-hosting/. Accessed 23 Oct 2019

  15. Alexa Top Sites Homepage. https://www.alexa.com/topsites. Accessed 23 Oct 2019

  16. VirusTotal Homepage. https://www.virustotal.com/. Accessed 23 Oct 2019

  17. Namecoin Homepage. https://www.namecoin.org. Accessed 23 Oct 2019

  18. Emercoin Homepage. https://emercoin.com/en. Accessed 23 Oct 2019

  19. Scikit-Learn Homepage. https://scikit-learn.org/stable/. Accessed 23 Oct 2019

  20. Random Forests. https://www.stat.berkeley.edu/~breiman/RandomForests/cc_home.htm. Accessed 23 Oct 2019

  21. Breiman, L., Friedman, J., Stone, C.J., Olshen, R.A.: Classification and Regression Trees. CRC Press, Boca Raton (1984)

    MATH  Google Scholar 

  22. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: Proceedings of the 19th USENIX Conference on Security (2010)

    Google Scholar 

  23. Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., Dagon, D.: Detecting malware domains at the upper DNS hierarchy. In: Proceedings of the 19th USENIX Conference on Security (2011)

    Google Scholar 

  24. Schüppen, S., Teubert, D., Herrmann, P., Meyer, U.: FANCI: feature-based automated NXDomain classification and intelligence. In: Proceedings of the 27th USENIX Security Symposium (2018)

    Google Scholar 

  25. Prasse, P., Machlica, L., Pevny, T., Havelka, J., Scheffer, T.: Malware detection by analysing network traffic with neural networks. In: Proceedings of IEEE Security and Privacy Workshops (2017)

    Google Scholar 

  26. The Explorer Page of Blockchain-DNS.info. https://blockchain-dns.info/explorer/. Accessed 28 Oct 2019

  27. Bilge, L., Kirda, E., Kruegel, C., Balduzzi M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: Proceedings of the 18th Annual Network and Distributed System Security Symposium (2011)

    Google Scholar 

  28. Moura, G.C.M., Heidemann, J.S., Schmidt, R.O., Hardaker W.: Cache me if you can: effects of DNS time-to-live. In: Proceedings of Internet Measurement Conference (2019)

    Google Scholar 

  29. DGArchive. https://dgarchive.caad.fkie.fraunhofer.de/site/. Accessed 25 Jan 2020

  30. Necurs botnet. https://en.wikipedia.org/wiki/Necurs_botnet. Last accessed 24 Jan 2020

  31. Patsakis, C., Casino, F., Lykousas, N., Katos, V.: Unravelling Ariadne’s thread: exploring the threats of decentalised DNS. arXiv:1912.03552v1 (2019)

Download references

Acknowledgments

We would like to thank the anonymous reviewers for their insightful comments and suggestions on this paper. We are grateful for Roman Huessy from Abuse.ch sharing the malware samples. This work is supported by the National Key Research and Development Program of China under Grant No. 2016QY05X1002 and No. 2018YFB0804702.

Author information

Authors and Affiliations

  1. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Zhangrong Huang & Ji Huang

  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Zhangrong Huang, Ji Huang & Tianning Zang

Authors
  1. Zhangrong Huang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ji Huang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Tianning Zang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tianning Zang .

Editor information

Editors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Anna Sperotto

  2. University of California, San Diego, CA, USA

    Alberto Dainotti

  3. University of Zürich, Zürich, Switzerland

    Burkhard Stiller

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Huang, Z., Huang, J., Zang, T. (2020). Leopard: Understanding the Threat of Blockchain Domain Name Based Malware. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science(), vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-44081-7_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44080-0

  • Online ISBN: 978-3-030-44081-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation