View from Above: Exploring the Malware Ecosystem from the Upper DNS Hierarchy.

ACSAC (2022)

Abstract
This work explores authoritative DNS (AuthDNS) as a new measurement perspective for studying the large-scale epidemiology of the malware ecosystem: when and where infections occur, and what infrastructure spreads and controls malware. Utilizing an AuthDNS dataset from a top registrar, we observe malware heterogeneity (202 families), global infrastructure (399,830 IPs in 151 countries) and infection (40,937 querying Autonomous Systems (ASes)) visibility, as well as breadth of temporal coverage (2017-2021). This combination of factors enables an extensive analysis of the malware ecosystem that reinforces prior work on malware infrastructure and also contributes new perspectives on malware infection distribution and lifecycle. We find that malware families re-use infrastructure, especially in cloud hosting countries, but contrary to prior work, we do not detect targeting of clients by countries or industry sector. Furthermore, our 4-year lifecycle analysis of diverse malware families shows that infection analysis is temporally sensitive: over 90% of ASes first query a malicious domain after public detection, and a median of 38.6% ASes only query after domain expiration or takedown. To fit AuthDNS into the broader context of malware research, we conclude with a comparison of experimental vantage points on four qualitative aspects and discuss their advantages and limitations. Ultimately, we establish AuthDNS as a unique measurement perspective capable of measuring global malware infections.
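The lifecycle statistics quoted in the abstract (the share of ASes whose first query for a malicious domain comes after public detection, and the median share that only query after expiration or takedown) are straightforward to compute from an authoritative-DNS query log once each querying AS is reduced to its first observed query per domain. The following Python is an added illustration of that computation and is not the paper's code or data: the query records, the ASNs (drawn from the documentation range 64496 and up), the domain names under `.test`, and the detection/takedown dates are all constructed here so the example runs offline.

```python
"""Lifecycle analysis of malicious domains from an authoritative-DNS vantage point.

Added illustration, not the paper's code. Input is a list of AuthDNS query records
(timestamp, queried domain, querying ASN) plus, per domain, the date it was publicly
detected and the date it expired or was taken down. Infections are counted per AS,
as in the paper, so repeat queries from the same AS do not inflate the counts.
"""
from collections import defaultdict
from datetime import datetime
from fractions import Fraction
from statistics import median

# Constructed sample of AuthDNS query records: (UTC timestamp, domain, querying ASN).
SAMPLE_QUERIES = [
    ("2019-03-01T00:00:00", "bad-example.test", 64496),  # before public detection
    ("2019-03-20T12:00:00", "bad-example.test", 64497),  # after detection, before takedown
    ("2019-04-02T09:30:00", "bad-example.test", 64498),  # after detection, before takedown
    ("2019-05-10T08:00:00", "bad-example.test", 64499),  # first seen only after takedown
    ("2019-05-15T08:00:00", "bad-example.test", 64496),  # repeat query from an AS seen earlier
    ("2020-01-05T00:00:00", "c2-example.test", 64500),   # before detection
    ("2020-02-01T00:00:00", "c2-example.test", 64501),   # after detection, before takedown
    ("2020-03-01T00:00:00", "c2-example.test", 64502),   # only after takedown
]

# Constructed lifecycle milestones per domain (public detection date, expiration/takedown date).
SAMPLE_LIFECYCLE = {
    "bad-example.test": {"detected": "2019-03-10T00:00:00", "takedown": "2019-05-01T00:00:00"},
    "c2-example.test": {"detected": "2020-01-20T00:00:00", "takedown": "2020-02-15T00:00:00"},
}


def parse_ts(text):
    """Parse an ISO-8601 timestamp string into a naive datetime (all inputs are UTC)."""
    return datetime.fromisoformat(text)


def first_query_per_as(queries):
    """Reduce the raw log to {domain: {asn: earliest query timestamp}}."""
    first = defaultdict(dict)
    for ts_text, domain, asn in queries:
        ts = parse_ts(ts_text)
        seen = first[domain].get(asn)
        if seen is None or ts < seen:
            first[domain][asn] = ts
    return first


def lifecycle_stats(queries, lifecycle):
    """Per domain: number of querying ASes, the fraction whose first query came after
    public detection, and the fraction whose first query came only after takedown.
    Fractions are exact so that the numbers can be compared without float noise."""
    first = first_query_per_as(queries)
    stats = {}
    for domain, by_as in first.items():
        if domain not in lifecycle:
            continue  # no milestones known; skip rather than guess
        detected = parse_ts(lifecycle[domain]["detected"])
        takedown = parse_ts(lifecycle[domain]["takedown"])
        total = len(by_as)
        after_detection = sum(1 for ts in by_as.values() if ts > detected)
        only_after_takedown = sum(1 for ts in by_as.values() if ts > takedown)
        stats[domain] = {
            "ases": total,
            "first_after_detection": Fraction(after_detection, total),
            "only_after_takedown": Fraction(only_after_takedown, total),
        }
    return stats


def median_only_after_takedown(stats):
    """Median across domains of the share of ASes that only appear after takedown,
    the aggregate the abstract reports as 38.6% for its dataset."""
    return median(s["only_after_takedown"] for s in stats.values())


if __name__ == "__main__":
    results = lifecycle_stats(SAMPLE_QUERIES, SAMPLE_LIFECYCLE)
    for domain, s in results.items():
        print(f"{domain}: {s['ases']} ASes, "
              f"{float(s['first_after_detection']):.0%} first query after detection, "
              f"{float(s['only_after_takedown']):.0%} only after takedown")
    print(f"median only-after-takedown share: {float(median_only_after_takedown(results)):.1%}")
```

The per-AS reduction is the step that matters for a defender reading such data: an AS that keeps resolving a domain months after takedown (as 64496 does in the sample) is not a new infection, whereas an AS whose very first query lands after takedown (64499, 64502) is evidence that blocklist-based detection alone would have missed it entirely. On the constructed sample the median only-after-takedown share comes out at 7/24, about 29%.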