An increasing amount of malware is using non-ICANN domains (e.g. .bazar as used by Team9) for C2, which are resolved via OpenNIC servers that we mark within Wisdom as alt_dns. We should register alphasoc.bazar via EmerDNS and update the hijack module so that it:
[ ] selects 3 random OpenNIC servers from the alt_dns list
[ ] hits each on UDP port 53 with a request for alphasoc.bazar
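A sketch of the two steps listed above, as an added Go example rather than AlphaSOC's own code. The function names are hypothetical, and the server addresses are constructed TEST-NET-1 placeholders standing in for the real `alt_dns` list.

```go
package main

import (
	"fmt"
	"math/rand"
	"net"
	"strings"
	"time"
)

// buildQuery encodes a DNS query for name: header, QNAME labels, QTYPE=A, QCLASS=IN.
func buildQuery(name string, id uint16) []byte {
	q := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, RD=1, QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(append(q, byte(len(label))), label...)
	}
	return append(q, 0, 0, 1, 0, 1) // root label, type A, class IN
}

// pickServers returns up to n distinct servers in random order, leaving the input untouched.
func pickServers(servers []string, n int) []string {
	out := append([]string(nil), servers...)
	rand.Shuffle(len(out), func(i, j int) { out[i], out[j] = out[j], out[i] })
	if n > len(out) {
		n = len(out)
	}
	return out[:n]
}

// probe sends q to server on UDP port 53; a nil error means a reply arrived before the timeout.
func probe(server string, q []byte, timeout time.Duration) error {
	conn, err := net.DialTimeout("udp", net.JoinHostPort(server, "53"), timeout)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err = conn.Write(q); err != nil {
		return err
	}
	_, err = conn.Read(make([]byte, 512)) // connected socket: only this server's replies are read
	return err
}

func main() {
	altDNS := []string{"192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"} // constructed placeholders
	for _, s := range pickServers(altDNS, 3) {
		fmt.Println(s, probe(s, buildQuery("alphasoc.bazar", uint16(rand.Intn(1<<16))), 2*time.Second))
	}
}
```

On the detection side, the resulting traffic is direct UDP/53 to resolvers outside the configured ones, carrying a QNAME under a non-ICANN TLD.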