Abstract
Modern malware takes many forms and has reached a high level of sophistication in its penetration, persistence, communication and hiding capabilities. The use of cryptography, and of covert communication channels over public and widely used protocols and services, is becoming the norm. In this work, we start by introducing Resource Identifier Generation Algorithms. These extend a well-known mechanism, domain generation algorithms (DGAs), which cybercriminals frequently employ for bot management and communication. Our extension allows protocols other than DNS to be used. More concretely, we showcase the exploitation of the InterPlanetary File System (IPFS), a solution for the “permanent web” that enjoys steadily growing community interest and adoption and is, in addition, one of the most prominent solutions for blockchain storage. We go beyond the straightforward case of using IPFS to host malicious content and explore ways in which a botmaster could employ it to manage her bots, validating our findings experimentally. Finally, we discuss the advantages of our approach for malware authors and its efficacy, and highlight its extensibility to other distributed storage services.
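The following is an added example, not code from the paper or its authors. It shows the generalisation the abstract describes: a seeded generator that reproduces a classic DNS DGA, then swaps the namespace so the same derivation yields identifiers for a distributed store instead of domain names. The secret, the date string and the TLD pool are constructed for the demo; how a derived 32-byte seed maps onto a key and an IPNS-style name is an assumption of this example, not a mechanism taken from the paper.

```python
# Added example (not code from the paper): a seeded identifier generator that
# reproduces a DNS DGA and then swaps the namespace for a distributed store,
# the generalisation the abstract calls a Resource Identifier Generation
# Algorithm.  Secret, date format and TLD pool are constructed for the demo;
# the mapping from a 32-byte seed to an IPNS-style name is an assumption.
import hashlib
import hmac
import string

ALPHABET = string.ascii_lowercase          # labels drawn from a-z
TLDS = ("com", "net", "org")               # constructed sample TLD pool


def _material(secret: bytes, day: str, index: int) -> bytes:
    """Per-identifier bytes: HMAC-SHA256(secret, day || index).

    Botmaster and bots each hold `secret` and both know the date, so both
    sides derive the same list locally; nothing about the list is transmitted.
    """
    msg = day.encode() + index.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()


def dns_identifier(secret: bytes, day: str, index: int, length: int = 12) -> str:
    """Classic DGA output: a pseudo-random label under one of a few TLDs.

    The botmaster registers one of the candidates; the bots query them in
    order until a DNS lookup succeeds.
    """
    raw = _material(secret, day, index)
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in raw[:length])
    return f"{label}.{TLDS[raw[-1] % len(TLDS)]}"


def ipfs_key_seed(secret: bytes, day: str, index: int) -> bytes:
    """RIGA output for a content-addressed store (assumption of this example).

    Instead of a name to resolve over DNS, both sides derive the same 32-byte
    seed and feed it to a deterministic key-pair generator; the botmaster then
    publishes under the name of that key and the bots resolve it, so no DNS
    traffic is involved.  The derivation is identical to the DNS case, so
    bolting a new namespace onto an existing DGA only changes this last step.
    """
    return _material(secret, day, index)


def generate(secret: bytes, day: str, count: int, kind: str) -> list:
    """Enumerate `count` candidate identifiers of the requested kind."""
    kinds = {"dns": dns_identifier, "ipfs": ipfs_key_seed}
    return [kinds[kind](secret, day, i) for i in range(count)]


def defender_precompute(recovered_secret: bytes, day: str, count: int, kind: str) -> list:
    """What a defender does once the secret is recovered from a reversed sample.

    Because generation is deterministic, tomorrow's identifiers can be listed
    today: for DNS that means sinkholing or pre-registering the names; for a
    store like IPFS the same list tells a defender which keys or names to
    watch, even though there is no registrar that can take them down.
    """
    return generate(recovered_secret, day, count, kind)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed; would be embedded in the bot
    for name in generate(secret, "2019-01-21", 3, "dns"):
        print(name)
    print(generate(secret, "2019-01-21", 1, "ipfs")[0].hex())
```

The point the two generators make side by side: the property defenders exploit against DGAs (determinism, hence pre-computation once the seed is known) survives the change of namespace, but the countermeasure that follows from it (register or sinkhole the names at a registrar) does not, since a content-addressed store has no such choke point.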
Acknowledgements
This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the project YAKSHA (Grant Agreement no. 780498) and is based upon work from COST Action CA17124: DigForASP Digital forensics: evidence analysis via intelligent systems and practices (European Cooperation in Science and Technology).
Ethics declarations
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Cite this article
Patsakis, C., Casino, F. Hydras and IPFS: a decentralised playground for malware. Int. J. Inf. Secur. 18, 787–799 (2019). https://doi.org/10.1007/s10207-019-00443-0