merge

baderj · baderj · commit d6f9949becf0 · 2017-02-06T11:50:42.000+01:00
diff --git a/README.md b/README.md
@@ -38,3 +38,4 @@ sisron | Sisron | TOMB, Win32/Agent.WRQ, Trojan.Scar |  [link](https://www.johan
 proslikefan | Proslikefan | | [link](https://johannesbader.ch/2016/06/proslikefan/) 
 vawtrak | Vawtrak | | [link](http://www.threatgeek.com/2016/11/vawtrak-dga-round-2.html)
 unnamed_downloader | Unnamed Downloader | | 
+chinad | Chinad | | [link](https://github.com/360netlab/DGA/issues/1)
diff --git a/chinad/dga.py b/chinad/dga.py
@@ -0,0 +1,44 @@
+import string
+import hashlib
+import argparse
+from datetime import datetime
+
+def dga(date):
+    TLDS = ['.com', '.org', '.net', '.biz', '.info', '.ru', '.cn']
+    alphanumeric = string.ascii_lowercase + string.digits
+
+    """
+        Chinad generates 1000 domains, but only 256 different domains possible
+    """
+    for nr in range(0x100):
+        data = "{}{}{}{}".format(
+                chr(date.year % 100),
+                chr(date.month),
+                chr(date.day),
+                chr(nr)) + 12*"\x00" 
+
+        h = hashlib.sha1(data).digest()
+        h_le = []
+        for i in range(5):
+            for j in range(4):
+                h_le.append(h[i*4 + (3-j)])
+
+        domain = ""
+        for r in h_le[:16]: 
+            domain += alphanumeric[(ord(r) & 0xFF) % len(alphanumeric)]
+
+        r = ord(h_le[-4]) 
+        domain += TLDS[r % len(TLDS)]
+        yield domain
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="gozi dga")
+    parser.add_argument("-d", "--date", 
+            help="date for which to generate domains")
+    args = parser.parse_args()
+    if args.date:
+        d = datetime.strptime(args.date, "%Y-%m-%d")
+    else:
+        d = datetime.now()
+    for domain in dga(d):
+        print(domain)
diff --git a/chinad/example_domains.txt b/chinad/example_domains.txt
@@ -0,0 +1,256 @@
+8f6bacmw30xxv6sc.cn
+486txu3yjly0xcmz.ru
+xmi6x8zg9rkanmyo.info
+spy1jhdbmvt2ueva.net
+evybt5gtf2tprvbi.info
+7qbys97e3pcw262c.info
+kz89iy97c7n7vbur.biz
+zmkvvlsvkbffnuez.ru
+tr1yy6lxtry1gsts.biz
+mfq6uwq3p2hvc8zn.cn
+h6a7zf18dahsn1pn.biz
+lbhu2b4onvw6mhwu.cn
+qaremd11qfdiwb47.biz
+2oqhvqa20xu2ttwe.ru
+44g3lrtvpga64pr5.cn
+u9acs17k4e57g6xb.biz
+hq8xhz0bfaivokfj.biz
+0i45pk9qg7dqs47n.com
+iwmuu5i1evlex7s4.net
+79ixpcacfvpime6m.info
+fjshewzc8gm6zqxi.cn
+ak66f1dqu0zeyyut.com
+xnp1hp158frmv7wx.info
+qei029wovp2xekkd.org
+2zqyvswzzvelsokl.org
+amhec4vsx7xqainb.org
+8zhme0h4rijyhga6.cn
+iebl5wmvtrlbc58s.biz
+ktwms0z569yc9rhf.org
+8y62m7a5nwzpmy6q.net
+2exu30rtfau09f54.cn
+shxe5zruqo3jwyny.info
+x7eimxy74afpl8fm.net
+z5k62dxdluaoylsf.info
+h9kqbpfsv2316wfb.ru
+bjz760784qyn6hk9.biz
+p6att0903vcq0990.info
+ydx2wxp97qbwnovc.ru
+9pu9x8483w8c9d6x.ru
+5uw6psy4176c3su2.net
+8wyy1px8hdphtcbx.org
+irxrummnh4tybffk.ru
+t22thaq66f7agu5c.net
+w6sifioj9gueic4s.org
+tryky1dpugt6vddi.org
+au11rpuxm0j1g99n.ru
+8liftcsa53khb1q5.biz
+4x9hjqhkaplr7nhf.org
+2me2peehmh30okka.org
+su94a0vjdfvqd9dq.info
+fouz5t4e504c84td.biz
+fx43bl9fd608c3yt.com
+c8orn8tpewgiu249.com
+be8kb6cmn3vmirfa.info
+laafnaeeufflpv46.net
+5puagitcqs4gja9t.ru
+ywrqcrn6p8ezb0mj.org
+lrgl32r2bwz37d0o.biz
+ea91ok5y2q6tbffd.cn
+z9y4zd8yvdwyoj6w.cn
+64viez6xtlksjroa.org
+az133trnknbt40fx.net
+catzchpfu2t34sot.net
+dg1nmvbuzy755npl.cn
+vobfy4ayddm6umie.cn
+rb5rpawtmeiir72m.biz
+wvlrgss3l71ussou.net
+ce3eyj7th6oupwhv.ru
+av8bk9ry9ne4kpqd.org
+ju20xf2em1dhjkkt.ru
+khe3x9urs9avhhkd.com
+5tefm7efjs2h07sz.info
+f9cst6fo3mce8eje.com
+kmukcqfhfb42lm0c.net
+omlmov3hogwwf9mu.biz
+xl2hkpzwj7rtqz1i.org
+okowafrb2gni2cdl.ru
+i7tda8xicli04yuu.biz
+3g5rbqjm27goe7vn.org
+cfoirrkoxagna5dv.com
+ekd33sgezewzbdgv.info
+wb0vsxk4xg23w6mz.cn
+w1guwgh7fkxnvna3.com
+ne30mtmjnsnnsghv.net
+ydxy35l00pyiq0di.biz
+n24irb0z1w4f8ypf.ru
+dra3aghg5c40idpf.org
+onps05bhqtovqj3e.com
+4vl4ijlyubm3d1dg.org
+rwzb2rov21tyfk1v.com
+pp772tjg7xnwegif.com
+26c549wkn951vo6r.info
+tacmw4wa3nhcceln.biz
+i70pqurdewvear68.org
+2tb5d4u7iltifq7m.com
+hpyded2i7rh72ido.org
+07gzxa21lsxnzq9a.cn
+n4q83upffvcxo8c4.biz
+4iyutjrosttfwsgm.info
+ucr93yleddp3ecxj.biz
+0ucai4r99oisbcr8.org
+hotfjnw50vb2x3gy.cn
+9qd18cyl2oxrzbq2.ru
+f01plq03s86wdtaa.biz
+i3bvtex6mj14kb6q.ru
+h3s7h59ea691x525.info
+kdtr1vvbowlkoate.org
+y5otq2r14jhj1671.biz
+1tlqsq82c060ki38.net
+okuaa9ukg2vdqw37.cn
+c3ct4rgci9lsdlyu.ru
+zg25l9cfj3m5b0rb.net
+yyv4ktgox5sk8vac.info
+m5j42r6uiqov2dgm.biz
+xlf94vjh5zg293hf.com
+47e7aaqtgo91r0e0.biz
+6pkilzd4ropy2us8.cn
+urzisf8s5yphxxzc.ru
+5q9xwlbzhfzdbamy.biz
+j00njsqkb95389c7.net
+cbrkilnd4jh4jc5u.net
+svjujrhvuckfgej6.cn
+cdqo47711cm40ebi.net
+4i1zorajdtzy7gak.cn
+z368bt291tdj2kxf.com
+2wpok1bg4lhx8g0a.org
+nq93f0wsm9knkczs.biz
+l94tytjdfuhj7wy2.com
+hrhykgaz4zpjt3ww.cn
+4zijlau17jtguu4j.cn
+kmjsme81xzimr2an.info
+8ki2zdyj8ufgg6yg.biz
+yuyn993aba59t7b8.com
+egr1wxlvl5jmoowr.info
+ua51uqviax0dttp2.org
+j769qkdb0qtor7m7.ru
+y0ixcudll80wlkzd.info
+lyxssd7cpusg94ho.cn
+bobrjhjoyaod31rq.info
+zse7jo1xvuxa6e50.cn
+ok78g0rb5xb5yo77.biz
+p5dc0sd6yr2uigxb.ru
+nz65e7k43j0p2dew.cn
+pityopipqr91zeew.com
+fpmcd3ug7j8f5pyb.com
+6rph1vuqnnrz41uz.ru
+h1igeqf8q146yumf.cn
+nx39l89ti1fphrfp.org
+n37kmu33u5vdxaq4.org
+8n7afiwkq6nvvrx8.org
+1vf4tmcyxa5uk4fc.net
+kdafjz1hztu9ozru.biz
+qxo5tdnmbtx6mh2y.ru
+qi1ie7x9j2812h0v.com
+ygiwpu0b2lctrsx9.org
+p8veux8g4uc585fe.cn
+2cpcuu0f6lxitw6e.cn
+db96cnztxi7bak9j.info
+oe60yx21mje7260l.net
+1h25fshfq0thexcl.ru
+i6205acyufc8tbhv.org
+26h4lruvmrhvijlf.net
+m8yhcchizchjeew4.info
+vu4crdyxvvgqmk1j.net
+9yi3zqnnlpqk75av.info
+vuyrkdlagn30qsqz.com
+d2pfjv0eirc1zifm.cn
+nqfkv7e8klicb17i.info
+6rtxnwpc9f3mlc4j.org
+iej05slrux7nf135.com
+7ti2qlq1w1wu3l6e.net
+787ip94vbas018fp.org
+mmoyr221iehh4ein.org
+kusq5w42d66vw40r.biz
+0b92swj26ozsx7he.biz
+muet2c6f53a326b2.net
+u19dvdjcy8gz0q3b.ru
+9b41d8tpcz4ycjly.net
+dlm1ckyoeldxrj7n.info
+kg3zy3pvd9b9iyk0.ru
+cuinn4bn9fmo01fc.org
+09hyjuplb1tw63x0.ru
+s3ipbf3r61x3z1z5.net
+azpg5pcxxa4bc9hd.org
+78xwx59e3yqfs8ac.cn
+o5y8isrxpvoj2sig.com
+xp20weaeqbyqnadr.com
+l3dd3nd9wwdq86vz.biz
+k6jf2erah5pn4d6c.cn
+tbk6n1d21zr01ups.ru
+f9pj9e3fb95xntos.org
+voo45zhee0zk2j0k.biz
+e2ahyrfjj5llbc6e.com
+1gppu17j9wwdnbgt.ru
+mq5490mhbjht50pj.org
+xnitj8o6svdw7mvu.net
+aubhkiud6cvgsnyr.ru
+ow4xxs3a27mxf1ex.info
+374qbdp09bf4easj.net
+11nbqa0bkg3dpd1x.info
+gi1ihtnppkrungp5.com
+k7eihmbt76pf4b3j.com
+gz8wlnj3qfauakx9.com
+ar21nojlwu5xrtvc.info
+6m3y6h27vui9bknw.ru
+ww9ccw949q4tbrws.ru
+4cprxmjvgb4neh8r.cn
+lcowd923ufwmknxn.cn
+msp7g99pa3yffmks.biz
+vvsfbd0stlkc6uph.com
+a7qo8d59tqradjpk.com
+3pw1mlf2wc4n5mgt.biz
+rqvmk2a9uyfqou34.com
+xmyeh3r39utyeogs.info
+o3wbe04yn4d4hbj1.ru
+8qvl8exzs11xw6er.org
+0dbmap3lnudnscyh.cn
+bjwbx17hfo9abazc.org
+38xr7w7xwkrlnyz5.ru
+e88zzdtm2cy4hx7v.org
+iainksf9ho8i3edc.com
+fuy2n9sktbuhyfvq.ru
+au3e960l29m1i7ds.com
+sr3lfmsa1d9xava5.biz
+r1341xeaxtxh02s6.com
+4qxvq8xi7o4rnj75.info
+2t1odbnboaj8ydfa.info
+fs2vveaegna7h8xd.ru
+gczeim1jxxrkjmgv.biz
+5lgf4tgeloqb3e7y.ru
+dgenfe7yvmklykli.info
+vzvs9isjxnuhhe3y.net
+xdra03vv7x51b37i.info
+5iq5panwshvwz1tf.org
+29eu724papkmplen.biz
+8g9zd4pga2akyf4t.org
+aj15idq30vuiztg7.ru
+cpf1vdvsge8i276v.net
+n1qb36a8cnd93hme.net
+6zzjw9xhtp2qqqsx.org
+6adw4d4v8hhytb1m.com
+h6gufbbnsr0xljmk.ru
+rbcl38y8tiz6sm2t.info
+ex6ookufi9ra73vk.cn
+4qwcgppr9mukzzzr.com
+anq5qoo588vs1t0q.ru
+ljai1lj71tl205ls.info
+e8f9sgc6nm03j5t7.cn
+lgbex97zlrurg8c3.biz
+1m8opc7hixj7528n.cn
+83d8ivsgcz9fxzpt.ru
+nam9t6zszknf0uow.cn
+0mv4chxprgdgc1jz.com
+4tykeeam20plktdp.info
+atn88qvtk9yb3axl.cn
+exs2oquga1nu68sf.org
diff --git a/gozi/dga.py b/gozi/dga.py
@@ -5,6 +5,14 @@
 
 wordlists = {'luther': (4, '.com'), 'rfc4343': (3, '.com'), 'nasa': (5, '.com')}
 
+seeds = {
+        'luther': {'div': 4, 'tld': '.com', 'nr': 12},
+        'rfc4343': {'div': 3, 'tld': '.com', 'nr': 10},
+        'nasa': {'div': 5, 'tld': '.com', 'nr': 12},
+        'gpl': {'div': 5, 'tld': '.ru', 'nr': 10}
+        }
+        
+        
 class Rand:
 
     def __init__(self, seed):
@@ -21,7 +29,7 @@ def get_words(wordlist):
 def dga(date, wordlist):
     words = get_words(wordlist)
     diff = date - datetime.strptime("2015-01-01", "%Y-%m-%d")
-    days_passed = (diff.days // wordlists[wordlist][0])
+    days_passed = (diff.days // seeds[wordlist]['div'])
     flag = 1
     seed = (flag << 16) + days_passed - 306607824
     r = Rand(seed) 
@@ -39,15 +47,15 @@ def dga(date, wordlist):
                 l >>= 1
             if len(domain) + l <= 24:
                 domain += word[:l]
-        domain += wordlists[wordlist][1] 
+        domain += seeds[wordlist]['tld']
         yield domain
 
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(description="gozi dga")
     parser.add_argument("-d", "--date", 
             help="date for which to generate domains")
     parser.add_argument("-w", "--wordlist", help="wordlist", 
-            choices=wordlists.keys(), default='luther')
+            choices=seeds.keys(), default='luther')
     args = parser.parse_args()
     if args.date:
         d = datetime.strptime(args.date, "%Y-%m-%d")
diff --git a/gozi/gpl b/gozi/gpl
diff --git a/vawtrak/dga3.py b/vawtrak/dga3.py
