Created
May 19, 2015 09:16
-
-
Save 7h3rAm/55d0a53c0d1d00f31326 to your computer and use it in GitHub Desktop.
DGA of Zeus Gameover Variant - newGOZ - http://www.johannesbader.ch/2014/12/the-dga-of-newgoz/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashlib | |
| from datetime import datetime, timedelta | |
| import struct | |
| import argparse | |
| def get_seed(seq_nr, date): | |
| key = "\x01\x05\x19\x35" | |
| seq_nr = struct.pack('<I', seq_nr) | |
| year = struct.pack('<H', date.year) | |
| month = struct.pack('<H', date.month) | |
| day = struct.pack('<H', date.day) | |
| m = hashlib.md5() | |
| m.update(seq_nr) | |
| m.update(year) | |
| m.update(key) | |
| m.update(month) | |
| m.update(key) | |
| m.update(day) | |
| m.update(key) | |
| return m.hexdigest() | |
| def create_domain(seq_nr, date): | |
| def generate_domain_part(seed, nr): | |
| part = [] | |
| for i in range(nr-1): | |
| edx = seed % 36 | |
| seed /= 36 | |
| if edx > 9: | |
| char = chr(ord('a') + (edx-10)) | |
| else: | |
| char = chr(edx + ord('0')) | |
| part += char | |
| if seed == 0: | |
| break | |
| part = part[::-1] | |
| return ''.join(part) | |
| def hex_to_int(seed): | |
| indices = range(0, 8, 2) | |
| data = [seed[x:x+2] for x in indices] | |
| seed = ''.join(reversed(data)) | |
| return int(seed,16) | |
| seed_value = get_seed(seq_nr, date) | |
| domain = "" | |
| for i in range(0,16,4): | |
| seed = seed_value[i*2:i*2+8] | |
| seed = hex_to_int(seed) | |
| domain += generate_domain_part(seed, 8) | |
| if seq_nr % 4 == 0: | |
| domain += ".com" | |
| elif seq_nr % 3 == 0: | |
| domain += ".org" | |
| elif seq_nr % 2 == 0: | |
| domain += ".biz" | |
| else: | |
| domain += ".net" | |
| return domain | |
| if __name__=="__main__": | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("-d", "--date", help="date for which to generate domains") | |
| parser.add_argument("-u", "--url", help="search this url in past domains") | |
| parser.add_argument("-n", "--nr", help="nr of domains to generate") | |
| args = parser.parse_args() | |
| if args.date: | |
| d = datetime.strptime(args.date, "%Y-%m-%d") | |
| else: | |
| d = datetime.today() | |
| if args.nr: | |
| nr_of_domains = int(args.nr) | |
| else: | |
| nr_of_domains = 1000 | |
| if args.url: | |
| while True: | |
| print("searching in {}".format(d.strftime("%Y-%m-%d"))) | |
| for seq_nr in range(1000): | |
| domain = create_domain(seq_nr, d) | |
| if domain == args.url: | |
| print("\nfound it, domain nr {} at {}".format(seq_nr, | |
| d.strftime("%Y-%m-%d"))) | |
| break | |
| if domain == args.url: | |
| break | |
| d = d - timedelta(days=1) | |
| else: | |
| for seq_nr in range(nr_of_domains): | |
| domain = create_domain(seq_nr, d) | |
| print(domain) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment