
Hydras and IPFS: a decentralised playground for malware


Modern malware can take various forms and has reached a very high level of sophistication in terms of its penetration, persistence, communication and hiding capabilities. The use of cryptography, and of covert communication channels over public and widely used protocols and services, is becoming the norm. In this work, we start by introducing Resource Identifier Generation Algorithms. These are an extension of a well-known mechanism called domain generation algorithms, which are frequently employed by cybercriminals for bot management and communication. Our extension allows the use of other protocols beyond DNS. More concretely, we showcase the exploitation of the InterPlanetary File System (IPFS). This is a solution for the “permanent web”, which enjoys steadily growing community interest and adoption. The IPFS is, in addition, one of the most prominent solutions for blockchain storage. We go beyond the straightforward case of using the IPFS for hosting malicious content and explore ways in which a botmaster could employ it to manage her bots, validating our findings experimentally. Finally, we discuss the advantages of our approach for malware authors and its efficacy, and highlight its extensibility to other distributed storage services.





This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the project YAKSHA (Grant Agreement no. 780498) and is based upon work from COST Action CA17124: DigForASP Digital forensics: evidence analysis via intelligent systems and practices (European Cooperation in Science and Technology).

Author information



Corresponding author

Correspondence to Constantinos Patsakis.

Ethics declarations

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


About this article


Cite this article

Patsakis, C., Casino, F. Hydras and IPFS: a decentralised playground for malware. Int. J. Inf. Secur. 18, 787–799 (2019).

Keywords


  • Malware
  • Botnets
  • Domain generation algorithm
  • IPFS