Math + GPU + DNS = Cracking Locky Seeds in Real Time without Analyzing Samples

Botconf 2017
2023-04-27 | 11:50 – 12:30

Yohai Einav 🗣 | Hongliang Liu | Alexey Sarychev

We propose and implement a sublinear hash-collision method on a GPU to search for dynamic Locky DGA seed in real-time DNS query traffic. By combining real-time DNS traffic and this fast search method, we successfully detected all dynamic Locky DGA seeds within seconds from their first appearance, and predicted all future C&C names from those seeds. These C&C names are distributed to production systems used by ISPs worldwide, where they’re blocked. They’re also shared with DGArchive and the security community.

Scroll to Top