Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples
2023-04-27 | 11:50 – 12:30
We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.