new Ramnit Seed

baderj · baderj · commit 30389c679a7b · 2017-02-06T11:49:14.000+01:00
diff --git a/gozi/dga.py b/gozi/dga.py
@@ -3,7 +3,7 @@
 import argparse
 
 
-wordlists = {'luther': 4, 'rfc4343': 3, 'nasa': 5}
+wordlists = {'luther': (4, '.com'), 'rfc4343': (3, '.com'), 'nasa': (5, '.com')}
 
 class Rand:
 
@@ -21,7 +21,7 @@ def get_words(wordlist):
 def dga(date, wordlist):
     words = get_words(wordlist)
     diff = date - datetime.strptime("2015-01-01", "%Y-%m-%d")
-    days_passed = (diff.days // wordlists[wordlist])
+    days_passed = (diff.days // wordlists[wordlist][0])
     flag = 1
     seed = (flag << 16) + days_passed - 306607824
     r = Rand(seed) 
@@ -39,7 +39,7 @@ def dga(date, wordlist):
                 l >>= 1
             if len(domain) + l <= 24:
                 domain += word[:l]
-        domain += '.com'
+        domain += wordlists[wordlist][1] 
         yield domain
 
 if __name__ == "__main__":
diff --git a/ramnit/dga.py b/ramnit/dga.py
@@ -3,28 +3,33 @@
 class RandInt:
 
     def __init__(self, seed): 
-        self.seed = seed
+        self.value = seed
 
     def rand_int_modulus(self, modulus):
-        ix = self.seed                
+        ix = self.value
         ix = 16807*(ix % 127773) - 2836*(ix / 127773) & 0xFFFFFFFF        
-        self.seed = ix 
+        self.value = ix 
         return ix % modulus 
 
-def get_domains(seed, nr):
+def get_domains(seed, nr, tlds):
+    if not tlds:
+        tlds = [".com"]
+
     r = RandInt(seed)
 
     for i in range(nr):
-        seed_a = r.seed
+        seed_a = r.value
         domain_len = r.rand_int_modulus(12) + 8
-        seed_b = r.seed
+        seed_b = r.value
         domain = ""
-        for i in range(domain_len):
+        for j in range(domain_len):
             char = chr(ord('a') + r.rand_int_modulus(25))
             domain += char
-        domain += ".com"
+        tld = tlds[i % len(tlds)]
+        domain += '.' if tld[0] != '.' else ''
+        domain += tld
         m = seed_a*seed_b
-        r.seed = (m + m//(2**32)) % 2**32 
+        r.value = (m + m//(2**32)) % 2**32 
         yield domain
 
 if __name__=="__main__":
@@ -35,10 +40,15 @@ def get_domains(seed, nr):
             4BFCBC6A
             79159C10 
             92F4BE35
+            4302C04A 10 -t "click bid eu"
     """
     parser = argparse.ArgumentParser(description="generate Ramnit domains")
     parser.add_argument("seed", help="seed as hex")
     parser.add_argument("nr", help="nr of domains", type=int)
+    parser.add_argument("-t", "--tlds", help="list of tlds", default=None)
     args = parser.parse_args()
-    for domain in get_domains(int(args.seed, 16), args.nr):
+    tlds = None
+    if args.tlds:
+        tlds = [x.strip() for x in args.tlds.split(" ")]
+    for domain in get_domains(int(args.seed, 16), args.nr, tlds):
         print(domain)
