Abstract
Recently, as various detection approaches of malicious domains and malware are proposed, the malware which connects to its command and control (C&C) server using techniques like domain flux can be identified effectively. Therefore, cybercriminals seek new alternative methods and discover that DNS based on blockchains can be used to connect C&C servers. Because of the distributed ledger technology, domain names resolved by blockchain DNS, called blockchain domain names (BDNs), are of inherent anonymity and censorship-resistance. We analyzed the work mechanism of this new type of malware. In order to detect malicious BDNs, we propose a prototype system, named Leopard, which analyzes DNS traffic patterns and resource records of BDNs. To our best knowledge, we are the first to propose the automatic detection of malicious BDNs. In Leopard, we extracted 17 features from collected traffic and distinguished between malicious BDNs and domains operated by generic and country-code top-level domains registries from the Alexa top 5000 using a random forest model. In our experiments, we evaluate Leopard on a nine-day real-world dataset. The experimental results show that Leopard can effectively detect malicious BDNs with an AUC of 0.9980 and discover 286 unknown malicious BDNs from the dataset.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In the remainder of the paper, DNS servers we discuss refer to the servers which provide BDNs resolution service.
- 2.
The link of the public datasets is https://drive.google.com/open?id=1YzVB7cZiMspnTAERBATyvqWKGj0CqGT.
- 3.
The samples of BDN-based malware are obtained from Abuse.ch.
- 4.
We named July 29 dataset as \(D_1\), July 30 dataset as \(D_2\), and so on.
- 5.
If BDNs are blocked by OpenNIC, the servers responded the A records of the special IPs such as 192.168.0.1, 0.0.0.0, 127.0.0.1, and 192.0.2.1.
- 6.
The explorer of Namecoin is https://namecha.in and the explorer of Emercoin is https://explorer.emercoin.com/nvs.
- 7.
ROC curve is the receiver operating characteristic curve.
References
Namecoin Homepage. https://namecoin.org/dot-bit/. Accessed 23 Oct 2019
Antonakakis, M., et al.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: Proceedings of the 21st USENIX Conference on Security Symposium (2012)
Plohmann, D., Yakdan, K., Klatt, M., Bader, J.: A comprehensive measurement study of domain generating malware. In: Proceedings of the 25th USENIX Conference on Security Symposium (2016)
Anderson, H.S., Woodbridge, J., Filar, B.: DeepDGA: adversarially-tuned domain generation and detection. (2016). http://arxiv.org/abs/1610.01969
How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: Blockchain Infrastructure Use. https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html. Accessed 23 Oct 2019
Bitcoin Domains. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-bitcoin-domains.pdf. Accessed 23 Oct 2019
Abuse.ch Homepage. https://abuse.ch/. Accessed 23 Oct 2019
ThreatBook Cloud Sandbox Homepage. https://s.threatbook.cn. Accessed 23 Oct 2019
Dig Homepage. https://linux.die.net/man/1/dig. Accessed 23 Oct 2019
BitName Homepage. https://bitname.ru/index.php?lang=en. Accessed 23 Oct 2019
Gu, G., Perdisci, R., Zhang, J., Lee W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)
Zhang, J., Jang, J., Gu, G., Stoecklin, M.P., Hu, X.: Error-sensor: mining information from HTTP error traffic for malware intelligence. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 467–489. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_22
Wang, T.S., Lin, H.T., Cheng, W.T., Chen, C.Y.: DBod: clustering and detecting DGA-based botnets using DNS traffic analysis. Comput. Secur. 64, 1–15 (2017)
.Bit-The Next Generation of Bulletproof Hosting. https://abuse.ch/blog/dot-bit-the-next-generation-of-bulletproof-hosting/. Accessed 23 Oct 2019
Alexa Top Sites Homepage. https://www.alexa.com/topsites. Accessed 23 Oct 2019
VirusTotal Homepage. https://www.virustotal.com/. Accessed 23 Oct 2019
Namecoin Homepage. https://www.namecoin.org. Accessed 23 Oct 2019
Emercoin Homepage. https://emercoin.com/en. Accessed 23 Oct 2019
Scikit-Learn Homepage. https://scikit-learn.org/stable/. Accessed 23 Oct 2019
Random Forests. https://www.stat.berkeley.edu/~breiman/RandomForests/cc_home.htm. Accessed 23 Oct 2019
Breiman, L., Friedman, J., Stone, C.J., Olshen, R.A.: Classification and Regression Trees. CRC Press, Boca Raton (1984)
Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: Proceedings of the 19th USENIX Conference on Security (2010)
Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., Dagon, D.: Detecting malware domains at the upper DNS hierarchy. In: Proceedings of the 19th USENIX Conference on Security (2011)
Schüppen, S., Teubert, D., Herrmann, P., Meyer, U.: FANCI: feature-based automated NXDomain classification and intelligence. In: Proceedings of the 27th USENIX Security Symposium (2018)
Prasse, P., Machlica, L., Pevny, T., Havelka, J., Scheffer, T.: Malware detection by analysing network traffic with neural networks. In: Proceedings of IEEE Security and Privacy Workshops (2017)
The Explorer Page of Blockchain-DNS.info. https://blockchain-dns.info/explorer/. Accessed 28 Oct 2019
Bilge, L., Kirda, E., Kruegel, C., Balduzzi M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: Proceedings of the 18th Annual Network and Distributed System Security Symposium (2011)
Moura, G.C.M., Heidemann, J.S., Schmidt, R.O., Hardaker W.: Cache me if you can: effects of DNS time-to-live. In: Proceedings of Internet Measurement Conference (2019)
DGArchive. https://dgarchive.caad.fkie.fraunhofer.de/site/. Accessed 25 Jan 2020
Necurs botnet. https://en.wikipedia.org/wiki/Necurs_botnet. Last accessed 24 Jan 2020
Patsakis, C., Casino, F., Lykousas, N., Katos, V.: Unravelling Ariadne’s thread: exploring the threats of decentalised DNS. arXiv:1912.03552v1 (2019)
Acknowledgments
We would like to thank the anonymous reviewers for their insightful comments and suggestions on this paper. We are grateful for Roman Huessy from Abuse.ch sharing the malware samples. This work is supported by the National Key Research and Development Program of China under Grant No. 2016QY05X1002 and No. 2018YFB0804702.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Huang, Z., Huang, J., Zang, T. (2020). Leopard: Understanding the Threat of Blockchain Domain Name Based Malware. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science(), vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-44081-7_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44080-0
Online ISBN: 978-3-030-44081-7
eBook Packages: Computer ScienceComputer Science (R0)