baderj · August 29, 2015 14:06
diff --git a/gistfile1.txt b/gistfile1.txt
 import argparse
 """
 Shiotob DGA 

 Generates domains for the Shiotob malware 

 - top level domains alternate between '.net' and '.com'
 - domains are between 14 and 19 characters long
 - domains consist of all letters and digits 123945

 author: [email protected]
 """

 qwerty = 'qwertyuiopasdfghjklzxcvbnm123945678'

 def sum_of_characters(domain):
    return sum([ord(d) for d in domain[:-3]])

 def get_next_domain(domain):
    sof = sum_of_characters(domain)
    ascii_codes = [ord(d) for d in domain] + 100*[0]
    old_hostname_length = len(domain) - 4
    for i in range(0, 66):
        for j in range(0, 66):
            edi = j + i
            if edi < 65:
                p = (old_hostname_length * ascii_codes[j]) 
                cl = p ^ ascii_codes[edi] ^ sof
                ascii_codes[edi] = cl & 0xFF

    """
        calculate the new hostname length
        max: 255/16 = 15
        min: 10
    """
    cx = ((ascii_codes[2]*old_hostname_length) ^ ascii_codes[0]) & 0xFF
    hostname_length = int(cx/16) # at most 15
    if hostname_length < 10:
        hostname_length = old_hostname_length

    """
        generate hostname
    """
    for i in range(hostname_length):
        index = int(ascii_codes[i]/8) # max 31 --> last 3 chars of qwerty unreachable
        bl = ord(qwerty[index])
        ascii_codes[i] = bl

    hostname = ''.join([chr(a) for a in ascii_codes[:hostname_length]])

    """
        append .net or .com (alternating)
    """
    tld = '.com' if domain.endswith('.net') else '.net'
    domain = hostname + tld

    return domain

 if __name__=="__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('nr_of_domains', type=int)
    parser.add_argument('seed')
    args = parser.parse_args()
    domain = args.seed
    for i in range(args.nr_of_domains):
        print(domain)
        domain = get_next_domain(domain)
	import argparse
	"""
	Shiotob DGA

	Generates domains for the Shiotob malware

	- top level domains alternate between '.net' and '.com'
	- domains are between 14 and 19 characters long
	- domains consist of all letters and digits 123945

	author: [email protected]
	"""

	qwerty = 'qwertyuiopasdfghjklzxcvbnm123945678'

	def sum_of_characters(domain):
	return sum([ord(d) for d in domain[:-3]])

	def get_next_domain(domain):
	sof = sum_of_characters(domain)
	ascii_codes = [ord(d) for d in domain] + 100*[0]
	old_hostname_length = len(domain) - 4
	for i in range(0, 66):
	for j in range(0, 66):
	edi = j + i
	if edi < 65:
	p = (old_hostname_length * ascii_codes[j])
	cl = p ^ ascii_codes[edi] ^ sof
	ascii_codes[edi] = cl & 0xFF

	"""
	calculate the new hostname length
	max: 255/16 = 15
	min: 10
	"""
	cx = ((ascii_codes[2]*old_hostname_length) ^ ascii_codes[0]) & 0xFF
	hostname_length = int(cx/16) # at most 15
	if hostname_length < 10:
	hostname_length = old_hostname_length

	"""
	generate hostname
	"""
	for i in range(hostname_length):
	index = int(ascii_codes[i]/8) # max 31 --> last 3 chars of qwerty unreachable
	bl = ord(qwerty[index])
	ascii_codes[i] = bl

	hostname = ''.join([chr(a) for a in ascii_codes[:hostname_length]])

	"""
	append .net or .com (alternating)
	"""
	tld = '.com' if domain.endswith('.net') else '.net'
	domain = hostname + tld

	return domain

	if __name__=="__main__":
	parser = argparse.ArgumentParser()
	parser.add_argument('nr_of_domains', type=int)
	parser.add_argument('seed')
	args = parser.parse_args()
	domain = args.seed
	for i in range(args.nr_of_domains):
	print(domain)
	domain = get_next_domain(domain)