Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples

We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.


Yohai Einav is a 14-year cybersecurity veteran and presently a lead security researcher at Nominum. In his current role, he manages threat analysis projects with a specific focus on Botnets and their DNS signal. He is also the lead author of the company’s security reports. Yohai’s most recent research focused on a new form of DNS-based amplification attacks generated by IoT botnets using queries that request TXT type records. Other work analyzed file-less malware traffic. Before joining Nominum, Yohai served in various research, analytics and intelligence roles in leading security companies, including Symantec, RSA Security and Verisign.
Dr. Hongliang Liu, Principal Data Scientist at Nominum, received his PhD degree in Physics in 2011. Dr. Liu has been working on defeating DDoS attacks known as Pseudo Random Subdomain (PRSD) attacks which rely on the worldwide DNS infrastructure and building machine intelligence for modeling DNS traffic, including domain correlation models. He has successfully applied his intelligent machines have successfully detected and predicted multiple malware C&C name groups.

Print Friendly, PDF & Email
Yohai Einav

Yohai Einav

Principal Security Researcher at Nominum