Abstract: Techniques for inferring the existence of suspicious software by detecting multiple name server requests for the same sets of non-existent domains. Implementations can allow for detecting the existence of malware or other suspicious software without requiring reverse engineering of the malware's domain generation algorithm.