Humans, Machines and Data: Fighting Mirai, Together

By Yohai Einav, Hongliang Liu

Posted on February 13, 2018
It’s been 18 months since Mirai entered our lives, and, unfortunately, we expect it to have a perennial presence in our cyber-world for years to come. If we look at the big picture, all indicators suggest that the Mirai problem (and its descendants) is just going to increase, with the growing number of IoT devices in the world and the improvement in IoT hardware (which makes them a more enticing opportunity for attackers – better computing power means a potential for more advanced attacks) being two primary reasons.

The Botconf Experience

By Yohai Einav, Amir Asiaee, Ali Fakeri-Tabrizi and Alexey Sarychev

Posted on January 4, 2018
Earlier this month we took our show on the road, presenting some of our team’s work at the Botconf conference in beautiful Montpellier, France. We could talk here for hours about the food, wine, culture, etc., but it would probably be more plausible for our readers to learn about the current developments in the war against bots first. So we’ll start with that and perhaps get to the food discussion in the appendix.

A Death Match of Domain Generation Algorithms

By Hongliang Liu and Yuriy Yuzifovich

Posted on December 29, 2017
Today’s post is all about DGAs (Domain Generation Algorithms): what they are, why they came into existence, what some of their use cases are, and, most importantly – how to detect and block them. As we will demonstrate here, the most effective defense against DGAs is a combination of traditional methods with modern machine intelligence.

Domain Correlation: just let the malware beat itself

By Hongliang Liu, Yohai Einav and Thanh Nguyen

Posted on October 30, 2017
This post is an introduction to our ‘Domain Correlation Engine’ and its strategic usage as an anti-malware weapon.

But before we get to that, here’s an important observation: Domain correlation is pretty cool. It’s so cool that we created a 3D visualization to demonstrate it:

The Many Security Usages of Anomaly Detection

By Ali Fakeri-Tabrizi, Amir Asiaee, Yohai Einav, Thanh Nguyen and Paul O’Leary

Posted on October 30, 2017
The most common use of network infrastructure is to facilitate legitimate communication between two parties across the network. Unfortunately, the same network infrastructure provides an opportunity for malicious communications.

The continuous threat of malware hiding in fake Adobe Flash updates

By Thanh Nguyen and Ali Fakeri-Tabrizi

Posted on October 26, 2017
The constant stream of Adobe Flash updates has always been a serious security headache. As a matter of fact, using our Domain Reputation System (DRS), we recently discovered hundreds of new core domains per day, each with different subdomains, which trick users into downloading and installing the “latest Adobe Flash security patches”. The total unique client count for all these names is hundreds of thousands, based on the global traffic we see.

amplification attack: Welcome to a new era of DDoS

By Hongliang Liu and Mikael Kullberg

Posted on October 02, 2017
In today’s post we describe a new amplification attack we observed only a few days ago, which we believe marks a new phase in the evolution of DDoS attacks. Before getting into the details, let’s start with a quick recap of what amplification attacks really are.

Detecting file-less malware with file-less detection

By Hongliang Liu and Yohai Einav

Posted on September 11, 2017
File-less malware is malware that exists exclusively as a computer memory-based artifact (i.e., in RAM). It doesn’t write any of its activities to the hard drive, so it has no footprint in the file system. According to Carbon Black, this type of attack is on the rise: 97% of their customers were targeted by file-less malware in 2016. The reason for its proliferation? Quite simply, it works.

How to Survive a Post-Infection Apocalypse

By Yohai Einav, Principal Security Researcher

Posted on July 25, 2017
Most security experts would agree that the best approach to cybersecurity is a layered approach: protect your assets against a variety of attack vectors, with a variety of tactics and on different fronts; secure the endpoint, the network, the cloud; guard your data in motion, at rest and in transit.

Reclaiming the hijacked browser

By Paul O’Leary, Hongliang Liu, and Yuriy Yuzifovich

Posted on June 06, 2017
A browser hijacker is a type of malware that alters your device’s browser settings so that you are redirected to websites you had no intention of visiting. It is an old, yet still very prevalent, problem today.

Amplification Attacker: Sparks Inside the Network

By Mikael Kullberg, Sr. Security Researcher

Posted on June 1, 2017

Looking at the data (yes, our previously identified attacker fixed a typo in the TLD) and recent attempts at large-scale amplification attacks, I noticed a surprising absence of spoofed source addresses. My first thought was that the ISP forces the correct IP onto packets entering the network, but that is not common practice (illegal source address packets are dropped if you implement BCP38, SAVI and/or unicast RPF).

WannaCry: views from the DNS frontline

By Yuriy Yuzifovich and Yohai Einav

Posted on May 15, 2017

As the investigation of the WannaCry ransomware keeps evolving, more evidence is revealed and more theories are suggested. While analyzing the DNS and HTTP traffic of domains and clients involved in WannaCry we made several useful discoveries, which may shed some additional light on this cybercrime.

The (DDoS) Attack on French Media

By Yohai Einav, Principal Security Researcher

Posted on May 11, 2017

A recent DDoS attack against Cedexis, a French service provider, caused many prominent French newspapers, including Le Monde, Le Figaro, L’Equipe and Le Nouvel Observateur, all hosted on the Cedexis network, to briefly shut down yesterday, May 10. Other web services built on the Cedexis network have been affected as well.

The Comings and Goings (and Comings) of Locky

By Mikael Kullberg, Sr. Security Researcher

Posted on May 09, 2017

Ransomware is grabbing a lot of headlines lately given the increasing frequency with which these attacks occur. One prominent form of this advanced cyberthreat is Locky, which we first wrote about almost one year ago. After our initial blog post we saw Locky mostly disappear – at least momentarily. It then came back about three weeks later, but given our broad view of DNS queries from communications service provider (CSP) networks around the globe, we were quickly able to detect the new activity.

Sophisticated Hacker Behind the ‘Google Docs’ Phishing Campaign

By Yuriy Yuzifovich, Head of Data Science & Security Research

Posted on May 03, 2017

Today a new phishing attack began making the rounds in email boxes around the world, taking the form of an email with a link to a Google Doc that the sender has shared with the recipient. The email looks innocent enough, as shown in the image below – I myself received one shortly after the attack was launched – and many people will likely click the link out of curiosity to see what they received.

Introducing Nominum Data Science Insights

By Yuriy Yuzifovich, Head of Data Science & Security Research

Posted on May 3, 2017

Today we’re launching a new security and data science blog where we’ll discuss technical topics and share insights from our expert Security and Data Science team here at Nominum. As the leader of this team, I’m excited to have this blog be a way to share some of our findings with a more technical audience—people who love cybersecurity, data, DNS, and all the exciting new developments on the internet (and who doesn’t?).