Exam CFR-310
Question 27

During a malware-driven distributed denial of service attack, a security researcher found excessive requests to a name server referring to the same domain name and host name encoded in hexadecimal. The malware author used which type of command and control?

    Correct Answer: B

    The scenario describes a situation where a name server receives excessive requests referring to the same domain name and host name encoded in hexadecimal. Dnscat2 is a tool that uses DNS for command and control by tunneling data through DNS queries. This method is covert and leverages the DNS protocol, which fits the given description accurately. Internet Relay Chat (IRC) and File Transfer Protocol (FTP) are not typically associated with hex-encoded DNS requests. A custom channel is too generic and does not specifically describe the observed behavior.
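A defender-side sketch of the pattern this explanation describes, added here as an example (it is not part of the original page and is not dnscat2 code): it groups query names by domain and flags domains where most host names are long hex strings, decoding them for review. The sample query names, the thresholds and the "last two labels" domain rule are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample query names (not captured traffic); both domains are placeholders.
SAMPLE_QUERIES = [
    "www.example.org",
    "mail.example.org",
    "cafe.example.org",  # valid hex, but far too short to carry tunneled data
    "68656c6c6f20776f726c6421.example.test",
    "7365636f6e64206368756e6b.example.test",
    "74686972642d6368756e6b21.example.test",
    "0011223344556677.8899aabbccddeeff.example.test",
]

# Even-length lowercase hex, 16 to 62 characters (a DNS label holds at most 63).
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){8,31}$")

def base_domain(qname):
    # Assumption: the last two labels form the registered domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def hex_payload(qname):
    """Return the decoded bytes if every host label is long hex, else None."""
    host_labels = qname.rstrip(".").lower().split(".")[:-2]
    if not host_labels or not all(HEX_LABEL.match(l) for l in host_labels):
        return None
    return bytes.fromhex("".join(host_labels))

def detect_hex_tunnel(queries, min_hits=3, min_ratio=0.8):
    """Map each suspicious domain to the payloads decoded from its queries."""
    stats = defaultdict(lambda: {"total": 0, "payloads": []})
    for qname in queries:
        entry = stats[base_domain(qname)]
        entry["total"] += 1
        payload = hex_payload(qname)
        if payload is not None:
            entry["payloads"].append(payload)
    return {
        domain: entry["payloads"]
        for domain, entry in stats.items()
        if len(entry["payloads"]) >= min_hits
        and len(entry["payloads"]) / entry["total"] >= min_ratio
    }

if __name__ == "__main__":
    for domain, payloads in detect_hex_tunnel(SAMPLE_QUERIES).items():
        print(domain, len(payloads), "hex-encoded queries; first:", payloads[0])
```

The ratio threshold keeps a domain with one stray hex-looking host from being flagged; tune both thresholds against your own resolver logs.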

Discussion
r04dB10ck Option: B

netcat via DNS protocol

Wutan Option: B

The answer is B. Dnscat2. Dnscat2 is a DNS tunneling protocol that can be used to establish a covert communication channel between a malware-infected device and a command and control server. Dnscat2 uses DNS queries to transmit data, which makes it difficult to detect and block.