
Hydras and IPFS: a decentralised playground for malware

  • Constantinos Patsakis
  • Fran Casino
Regular contribution

Abstract

Modern malware can take various forms and has reached a very high level of sophistication in terms of its penetration, persistence, communication and hiding capabilities. The use of cryptography, and of covert communication channels over public and widely used protocols and services, is becoming a norm. In this work, we start by introducing Resource Identifier Generation Algorithms. These are an extension of a well-known mechanism called domain generation algorithms, which are frequently employed by cybercriminals for bot management and communication. Our extension allows, beyond DNS, the use of other protocols. More concretely, we showcase the exploitation of the InterPlanetary File System (IPFS). This is a solution for the “permanent web”, which enjoys a steadily growing community interest and adoption. The IPFS is, in addition, one of the most prominent solutions for blockchain storage. We go beyond the straightforward case of using the IPFS for hosting malicious content and explore ways in which a botmaster could employ it, to manage her bots, validating our findings experimentally. Finally, we discuss the advantages of our approach for malware authors, its efficacy and highlight its extensibility for other distributed storage services.

Keywords

Malware, Botnets, Domain generation algorithm, IPFS

Notes

Acknowledgements

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the project YAKSHA (Grant Agreement no. 780498) and is based upon work from COST Action CA17124: DigForASP Digital forensics: evidence analysis via intelligent systems and practices (European Cooperation in Science and Technology).

Compliance with ethical standards

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. Department of Informatics, University of Piraeus, Piraeus, Greece
