Update hijack module to use OpenNIC servers #25

Open · 2 tasks
chrisforce1 opened this issue Jun 15, 2020 · 1 comment

chrisforce1 (Contributor) commented Jun 15, 2020

An increasing amount of malware is using non-ICANN domains (e.g. .bazar as used by Team9) for C2, which are resolved via OpenNIC servers that we mark within Wisdom as alt_dns. We should register alphasoc.bazar via EmerDNS and update the hijack module so that it:

  • selects 3 random OpenNIC servers from the alt_dns list
  • hits each on UDP port 53 with a request for alphasoc.bazar
chrisforce1 added the enhancement (New feature or request) label on Jun 15, 2020
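The two steps in the issue (pick three random resolvers from the alt_dns list, query each on UDP/53 for alphasoc.bazar) as a self-contained probe. This is an added example, not the hijack module's code or anything from the project: the ALT_DNS addresses are constructed placeholders in the 192.0.2.0/24 documentation range standing in for the OpenNIC entries kept in Wisdom, EXPECTED_IP is a hypothetical value for whatever alphasoc.bazar is registered to via EmerDNS, and the query is assembled by hand so the check does not depend on the host's stub resolver (which would never reach an OpenNIC server for a non-ICANN TLD anyway).

```python
"""Hijack-style DNS probe (added example, not project code).

Selects n random resolvers from an alt_dns list, sends each a raw
DNS query for a non-ICANN name over UDP port 53, and classifies
the answer against the address the name is expected to resolve to.
"""
import random
import socket
import struct

# Constructed placeholders: replace with the alt_dns entries from Wisdom.
ALT_DNS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
PROBE_NAME = "alphasoc.bazar"
EXPECTED_IP = "192.0.2.55"   # hypothetical: the A record registered via EmerDNS


def pick_servers(servers, n=3, rng=random):
    """Choose n distinct resolvers from the alt_dns list (the issue asks for 3)."""
    if len(servers) < n:
        raise ValueError("need at least %d resolvers, have %d" % (n, len(servers)))
    return rng.sample(servers, n)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Standard recursive query (RD=1) with one IN question; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(data, off):
    """Advance past a name at off, handling the 0xC0 compression pointer form."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid):
    """Return (rcode, [A-record IPs]); reject replies whose txid does not match."""
    if len(data) < 12:
        raise ValueError("short response")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = skip_name(data, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips


def classify(result, expected_ip=EXPECTED_IP):
    """Map a probe result to a verdict: timeout, nxdomain, ok, or mismatch."""
    if result is None:
        return "timeout"
    rcode, ips = result
    if rcode == 3:
        return "nxdomain"
    if rcode != 0 or not ips:
        return "mismatch"
    return "ok" if ips == [expected_ip] else "mismatch"


def probe(server, name=PROBE_NAME, timeout=3.0):
    """Send one query to server:53 over UDP; None on timeout, else (rcode, ips)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def run_hijack_check(servers=ALT_DNS, n=3, rng=random):
    """Probe n random alt_dns resolvers and return {server: verdict}."""
    return {srv: classify(probe(srv)) for srv in pick_servers(servers, n, rng)}


if __name__ == "__main__":
    for server, verdict in run_hijack_check().items():
        print(server, verdict)
```

Run against the placeholder addresses every probe times out; with real OpenNIC resolvers a verdict of "mismatch" on a name you control is the signal the hijack module is meant to raise, while "nxdomain" from a server that should carry EmerDNS zones points at a resolver that is not actually serving the alternate root. Passing a seeded `random.Random` as `rng` makes the server selection reproducible for testing.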
chrisforce1 (Contributor, Author) commented
Setting to low priority for now as the hijack module is deprecated and we need to consider bringing it back.

chrisforce1 added the low priority label and removed the enhancement (New feature or request) label on Feb 26, 2023