DGA now uses the provided date, old version was based on a debugging sample of the malware

Author: baderj

corebot/dga.py

@@ -1,22 +1,16 @@
 import argparse
 from datetime import datetime
 
-r = 0x1DB98930
-r = 0x1DBA8930
-len_l = 0xC
-len_u = 0x18
-
-
-def init_rand_and_chars(year, month, day, nr_b):
-    global r
+def init_rand_and_chars(year, month, day, nr_b, r):
     r = (r + year + ((nr_b << 16) + (month << 8) | day)) & 0xFFFFFFFF
     charset = [chr(x) for x in xrange(ord('a'), ord('z'))] +\
             [chr(x) for x in xrange(ord('0'), ord('9'))]
 
-    return charset
+    return charset, r
 
-def generate_domain(charset):
-    global r
+def generate_domain(charset, r):
+    len_l = 0xC
+    len_u = 0x18
     r = (1664525*r + 1013904223) & 0xFFFFFFFF
     domain_len = len_l + r % (len_u - len_l)
     domain = ""
@@ -25,19 +19,23 @@ def generate_domain(charset):
         domain += charset[r % len(charset)] 
     domain += ".ddns.net"
     print(domain)
+    return r
 
 if __name__=="__main__":
     parser = argparse.ArgumentParser()
+    parser.add_argument("-s", "--seed", help="seed", default="1DBA8930")
     parser.add_argument("-d", "--date", help="date for which to generate domains")
-    parser.add_argument("-n", "--nr", help="nr of domains to generate", type=int, default=40)
+    parser.add_argument("-t", "--debug", help="debug DGA (day set to 8)")
+    parser.add_argument("-n", "--nr", help="nr of domains to generate", 
+           type=int, default=40)
     args = parser.parse_args()
-    if args.date:
-        d = datetime.strptime(args.date, "%Y-%m-%d")
-    else:
-        d = datetime.now()
+    
+    d = datetime.strptime(args.date, "%Y-%m-%d") if args.date else datetime.now()
+    day = 8 if args.debug else d.day
 
-    charset = init_rand_and_chars(d.year, d.month, 8, 1) 
+    charset, r = init_rand_and_chars(d.year, d.month, day, 1, 
+            int(args.seed, 16)) 
     for _ in range(40):
-        generate_domain(charset)
+        r = generate_domain(charset, r)