alphasoc / flightsim

A utility to safely generate malicious network traffic patterns and evaluate controls.
https://alphasoc.com

Update hijack module to use OpenNIC servers #25

Open chrisforce1 opened 4 years ago

chrisforce1 commented 4 years ago

An increasing amount of malware is using non-ICANN domains (e.g. .bazar as used by Team9) for C2, which are resolved via OpenNIC servers that we mark within Wisdom as alt_dns. We should register alphasoc.bazar via EmerDNS and update the hijack module so that it:

chrisforce1 commented 1 year ago

Setting to low priority for now as the hijack module is deprecated and we need to consider bringing it back.