View from Above: Exploring the Malware Ecosystem from the Upper DNS Hierarchy
This work explores authoritative DNS (AuthDNS) as a new measurement perspective for studying the large-scale epidemiology of the malware ecosystem—when and where infections occur, and what infrastructure spreads and controls malware. Using a passive AuthDNS dataset from a top domain registrar, we observe malware heterogeneity (202 families), global infrastructure visibility (399,830 IPs in 151 countries), infection visibility (40,937 querying Autonomous Systems), and broad temporal coverage (2017–2021). This combination of factors enables broad analysis of the malware ecosystem that reinforces prior work on malware infrastructure and also contributes new perspectives on malware infection distribution and lifecycle. We replicate the prior observation that malware families re-use network infrastructure and are primarily hosted in popular cloud hosting countries. Contrary to prior work, we do not detect targeting of clients in specific countries or industry sectors. In addition to comparing results with previous research, we contribute the first temporal lifecycle analysis of different malware families across four years of DNS data. The AuthDNS data shows that in most cases over 90% of autonomous systems first query a malicious domain after public detection, and that a median of 38.6% of ASNs first query after domain expiration or takedown. To fit AuthDNS into the broader context of malware research, we conclude with a comparison of experimental vantage points on four key qualitative aspects and discuss the advantages and limitations of each. Ultimately, we establish AuthDNS as a unique measurement perspective capable of measuring global malware infections and validate previously published work from a fresh point of view.
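The lifecycle metric the abstract reports (the share of autonomous systems whose first query for a malicious domain lands after public detection, or after expiration/takedown) can be computed from passive authoritative-DNS records with a few lines of bookkeeping. The block below is an added illustration written for this page, not code from the paper's authors or their pipeline; the query records, the domain names under the reserved `.test` TLD, the private-range ASNs and the detection/expiration timestamps are all constructed. The generalization beyond the abstract is that the same function handles any lifecycle event you have a timestamp for, not only detection and expiration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed passive AuthDNS records: (ISO timestamp, querying ASN, queried domain).
# ASNs are taken from the private 16-bit range (64512-65534); domains are placeholders.
SAMPLE_QUERIES = [
    ("2019-03-01T10:00:00", 64512, "bad-example-a.test"),  # before detection
    ("2019-03-10T09:30:00", 64512, "bad-example-a.test"),  # repeat query, ignored
    ("2019-03-06T12:00:00", 64513, "bad-example-a.test"),  # after detection
    ("2019-03-20T08:15:00", 64514, "bad-example-a.test"),  # after detection
    ("2019-04-02T23:59:00", 64515, "bad-example-a.test"),  # after expiration
    ("2020-01-11T00:00:00", 64512, "bad-example-b.test"),  # after detection
    ("2020-02-05T07:45:00", 64520, "bad-example-b.test"),  # after expiration
]

# Constructed per-domain lifecycle events (timestamps are assumptions for the example).
DOMAIN_EVENTS = {
    "bad-example-a.test": {"detected": "2019-03-05T00:00:00", "expired": "2019-04-01T00:00:00"},
    "bad-example-b.test": {"detected": "2020-01-10T00:00:00", "expired": "2020-02-01T00:00:00"},
}


def parse_ts(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def first_query_per_asn(records):
    """Return {domain: {asn: earliest query time}} from raw query records.

    Only the first observation of each (domain, ASN) pair matters for the
    lifecycle metric, so repeat queries from the same AS are collapsed.
    """
    first = {}
    for ts, asn, domain in records:
        t = parse_ts(ts)
        key = (domain, asn)
        if key not in first or t < first[key]:
            first[key] = t
    by_domain = defaultdict(dict)
    for (domain, asn), t in first.items():
        by_domain[domain][asn] = t
    return dict(by_domain)


def fraction_after(by_domain, events, event_key):
    """For each domain, the fraction of ASNs whose first query is after the named event.

    event_key selects which lifecycle timestamp to compare against, e.g.
    "detected" (public detection) or "expired" (expiration/takedown).
    """
    out = {}
    for domain, asn_times in by_domain.items():
        event_time = parse_ts(events[domain][event_key])
        n_after = sum(1 for t in asn_times.values() if t > event_time)
        out[domain] = n_after / len(asn_times)
    return out


def median_fraction(fractions):
    """Median across domains of the per-domain fractions."""
    return median(fractions.values())


def summarize(records=SAMPLE_QUERIES, events=DOMAIN_EVENTS):
    """Compute both lifecycle medians for the embedded sample."""
    by_domain = first_query_per_asn(records)
    return {
        "median_after_detection": median_fraction(fraction_after(by_domain, events, "detected")),
        "median_after_expiration": median_fraction(fraction_after(by_domain, events, "expired")),
    }


if __name__ == "__main__":
    print(summarize())
```

Collapsing to the first query per (domain, ASN) pair is the step that matters: an AS that queried before detection and again afterwards still counts as a pre-detection observer, so late repeat traffic does not inflate the post-detection share.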