diff --git a/README.md b/README.md
index ae02ccd..c89f396 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,11 @@
 # Domain Generation Algorithms
-Some results of my DGA reversing efforts
+Johannes Bacher's reversing efforts
 ## Overview
 Subfolder | Malware Family | Alias | Write-Up
 --------- | -------------- | ----- | ----------
+pizd | ?? | | [link] (https://blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured/)
 newgoz | newGOZ | Gameover Zeus, Peer-to-Peer Zeus | [link](https://johannesbader.ch/2014/12/the-dga-of-newgoz/)
 ramnit | Ramnit | | [link](https://johannesbader.ch/2014/12/the-dga-of-ramnit/)
 shiotob | Shiotob | Urlzone, Bebloh | [link](https://johannesbader.ch/2015/01/the-dga-of-shiotob/)
diff --git a/pizd/examples.txt b/pizd/examples.txt
new file mode 100644
index 0000000..be5b389
--- /dev/null
+++ b/pizd/examples.txt
@@ -0,0 +1 @@
+['cleanlength.net', 'chargeneither.net', 'cleanneither.net', 'chiefleader.net', 'clearleader.net', 'chiefneedle.net', 'clearneedle.net', 'chieflength.net', 'clearlength.net', 'chiefneither.net', 'clearneither.net', 'considerleader.net', 'crowdleader.net', 'considerneedle.net', 'crowdneedle.net', 'considerlength.net', 'crowdlength.net', 'considerneither.net', 'crowdneither.net', 'containleader.net', 'daughterleader.net', 'containneedle.net', 'daughterneedle.net', 'containlength.net', 'daughterlength.net', 'containneither.net', 'daughterneither.net', 'chooseleader.net', 'collegeleader.net', 'chooseneedle.net', 'collegeneedle.net', 'chooselength.net', 'collegelength.net', 'chooseneither.net', 'collegeneither.net', 'cigaretteleader.net', 'companyleader.net', 'cigaretteneedle.net', 'companyneedle.net', 'cigarettelength.net', 'companylength.net', 'cigaretteneither.net', 'companyneither.net', 'cornerleader.net', 'delightleader.net', 'cornerneedle.net', 'delightneedle.net', 'cornerlength.net', 'delightlength.net', 'cornerneither.net', 'delightneither.net', 'countryleader.net', 'demandleader.net', 'countryneedle.net', 'demandneedle.net', 'countrylength.net', 'demandlength.net', 'countryneither.net', 'demandneither.net', 'chargemanner.net', 'cleanmanner.net', 'chargenumber.net', 'cleannumber.net', 'chargemaster.net', 'cleanmaster.net', 'chargeoclock.net', 'cleanoclock.net', 'chiefmanner.net', 'clearmanner.net', 'chiefnumber.net', 'clearnumber.net', 'chiefmaster.net', 'clearmaster.net', 'chiefoclock.net', 'clearoclock.net', 'considermanner.net', 'crowdmanner.net', 'considernumber.net', 'crowdnumber.net', 'considermaster.net', 'crowdmaster.net', 'consideroclock.net', 'crowdoclock.net', 'containmanner.net', 'daughtermanner.net', 'containnumber.net', 'daughternumber.net', 'containmaster.net', 'daughtermaster.net', 'containoclock.net', 'daughteroclock.net', 'choosemanner.net', 'collegemanner.net', 'choosenumber.net', 'collegenumber.net', 'choosemaster.net', 
'collegemaster.net', 'chooseoclock.net', 'collegeoclock.net', 'cigarettemanner.net', 'companymanner.net', 'cigarettenumber.net', 'companynumber.net', 'cigarettemaster.net', 'companymaster.net', 'cigaretteoclock.net', 'companyoclock.net', 'cornermanner.net', 'delightmanner.net', 'cornernumber.net', 'delightnumber.net', 'cornermaster.net', 'delightmaster.net', 'corneroclock.net', 'delightoclock.net', 'countrymanner.net', 'demandmanner.net', 'countrynumber.net', 'demandnumber.net', 'countrymaster.net', 'demandmaster.net', 'countryoclock.net', 'demandoclock.net', 'chargestranger.net', 'cleanstranger.net', 'chargetravel.net', 'cleantravel.net', 'chargestreet.net', 'cleanstreet.net', 'chargetrust.net', 'cleantrust.net', 'chiefstranger.net', 'clearstranger.net', 'chieftravel.net', 'cleartravel.net', 'chiefstreet.net', 'clearstreet.net', 'chieftrust.net', 'cleartrust.net', 'considerstranger.net', 'crowdstranger.net', 'considertravel.net', 'crowdtravel.net', 'considerstreet.net', 'crowdstreet.net', 'considertrust.net', 'crowdtrust.net', 'containstranger.net', 'daughterstranger.net', 'containtravel.net', 'daughtertravel.net', 'containstreet.net', 'daughterstreet.net', 'containtrust.net', 'daughtertrust.net', 'choosestranger.net', 'collegestranger.net', 'choosetravel.net', 'collegetravel.net', 'choosestreet.net', 'collegestreet.net', 'choosetrust.net', 'collegetrust.net', 'cigarettestranger.net', 'companystranger.net', 'cigarettetravel.net', 'companytravel.net', 'cigarettestreet.net', 'companystreet.net', 'cigarettetrust.net', 'companytrust.net', 'cornerstranger.net', 'delightstranger.net', 'cornertravel.net', 'delighttravel.net', 'cornerstreet.net', 'delightstreet.net', 'cornertrust.net', 'delighttrust.net', 'countrystranger.net', 'demandstranger.net', 'countrytravel.net', 'demandtravel.net', 'countrystreet.net', 'demandstreet.net', 'countrytrust.net', 'demandtrust.net', 'chargesucceed.net', 'cleansucceed.net', 'chargevalley.net', 'cleanvalley.net', 'chargesudden.net', 
'cleansudden.net', 'chargevarious.net', 'cleanvarious.net', 'chiefsucceed.net', 'clearsucceed.net', 'chiefvalley.net', 'clearvalley.net', 'chiefsudden.net', 'clearsudden.net', 'chiefvarious.net', 'clearvarious.net', 'considersucceed.net', 'crowdsucceed.net', 'considervalley.net', 'crowdvalley.net', 'considersudden.net', 'crowdsudden.net', 'considervarious.net', 'crowdvarious.net', 'containsucceed.net', 'daughtersucceed.net', 'containvalley.net', 'daughtervalley.net', 'containsudden.net', 'daughtersudden.net', 'containvarious.net', 'daughtervarious.net', 'choosesucceed.net', 'collegesucceed.net', 'choosevalley.net', 'collegevalley.net', 'choosesudden.net', 'collegesudden.net', 'choosevarious.net', 'collegevarious.net', 'cigarettesucceed.net', 'companysucceed.net', 'cigarettevalley.net', 'companyvalley.net', 'cigarettesudden.net', 'companysudden.net', 'cigarettevarious.net', 'companyvarious.net', 'cornersucceed.net', 'delightsucceed.net', 'cornervalley.net', 'delightvalley.net', 'cornersudden.net', 'delightsudden.net', 'cornervarious.net', 'delightvarious.net', 'countrysucceed.net', 'demandsucceed.net', 'countryvalley.net', 'demandvalley.net', 'countrysudden.net', 'demandsudden.net', 'countryvarious.net', 'demandvarious.net', 'deviceleader.net', 'distantleader.net', 'deviceneedle.net', 'distantneedle.net', 'devicelength.net', 'distantlength.net', 'deviceneither.net', 'distantneither.net', 'differenceleader.net', 'divideleader.net', 'differenceneedle.net', 'divideneedle.net', 'differencelength.net', 'dividelength.net', 'differenceneither.net', 'divideneither.net', 'duringleader.net', 'enoughleader.net', 'duringneedle.net', 'enoughneedle.net', 'duringlength.net', 'enoughlength.net', 'duringneither.net', 'enoughneither.net', 'earlyleader.net', 'enterleader.net', 'earlyneedle.net', 'enterneedle.net', 'earlylength.net', 'enterlength.net', 'earlyneither.net', 'enterneither.net', 'dinnerleader.net', 'doubleleader.net', 'dinnerneedle.net', 'doubleneedle.net', 
'dinnerlength.net', 'doublelength.net', 'dinnerneither.net', 'doubleneither.net', 'directleader.net', 'doubtleader.net', 'directneedle.net', 'doubtneedle.net', 'directlength.net', 'doubtlength.net', 'directneither.net', 'doubtneither.net', 'eitherleader.net']
diff --git a/pizd/pizd b/pizd/pizd
new file mode 100644
index 0000000..380eeef
--- /dev/null
+++ b/pizd/pizd
@@ -0,0 +1,427 @@
+__author__ = 'zGreg'
+import argparse
+from datetime import datetime
+import numpy as np
+
+def pizd(time,nb):
+ """
+ Generates nb domains name according to pizd DGA
+ :param time: Beginning of the 8' 35" long time interval
+ :param nb: Number of domain name to generate, default (as seen in DGA) is 85
+ :return: a nb-long list of domain names
+ """
+ wordlist = ['above',
+ 'action',
+ 'advance',
+ 'afraid',
+ 'against',
+ 'airplane',
+ 'almost',
+ 'alone',
+ 'already',
+ 'although',
+ 'always',
+ 'amount',
+ 'anger',
+ 'angry',
+ 'animal',
+ 'another',
+ 'answer',
+ 'appear',
+ 'apple',
+ 'around',
+ 'arrive',
+ 'article',
+ 'attempt',
+ 'banker',
+ 'basket',
+ 'battle',
+ 'beauty',
+ 'became',
+ 'because',
+ 'become',
+ 'before',
+ 'begin',
+ 'behind',
+ 'being',
+ 'believe',
+ 'belong',
+ 'beside',
+ 'better',
+ 'between',
+ 'beyond',
+ 'bicycle',
+ 'board',
+ 'borrow',
+ 'bottle',
+ 'bottom',
+ 'branch',
+ 'bread',
+ 'bridge',
+ 'bright',
+ 'bring',
+ 'broad',
+ 'broken',
+ 'brought',
+ 'brown',
+ 'building',
+ 'built',
+ 'business',
+ 'butter',
+ 'captain',
+ 'carry',
+ 'catch',
+ 'caught',
+ 'century',
+ 'chair',
+ 'chance',
+ 'character',
+ 'charge',
+ 'chief',
+ 'childhood',
+ 'children',
+ 'choose',
+ 'cigarette',
+ 'circle',
+ 'class',
+ 'clean',
+ 'clear',
+ 'close',
+ 'clothes',
+ 'college',
+ 'company',
+ 'complete',
+ 'condition',
+ 'consider',
+ 'contain',
+ 'continue',
+ 'control',
+ 'corner',
+ 'country',
+ 'course',
+ 'cover',
+ 'crowd',
+ 'daughter',
+ 'decide',
+ 'degree',
+ 'delight',
+ 'demand',
+ 'desire',
+ 'destroy',
+ 'device',
+ 'difference',
+ 'different',
+ 'difficult',
+ 'dinner',
+ 'direct',
+ 'discover',
+ 'distance',
+ 'distant',
+ 'divide',
+ 'doctor',
+ 'dollar',
+ 'double',
+ 'doubt',
+ 'dress',
+ 'dried',
+ 'during',
+ 'early',
+ 'eearly',
+ 'effort',
+ 'either',
+ 'electric',
+ 'electricity',
+ 'english',
+ 'enough',
+ 'enter',
+ 'escape',
+ 'evening',
+ 'every',
+ 'except',
+ 'expect',
+ 'experience',
+ 'explain',
+ 'family',
+ 'famous',
+ 'fancy',
+ 'father',
+ 'fellow',
+ 'fence',
+ 'fifteen',
+ 'fight',
+ 'figure',
+ 'finger',
+ 'finish',
+ 'flier',
+ 'flower',
+ 'follow',
+ 'foreign',
+ 'forest',
+ 'forever',
+ 'forget',
+ 'fortieth',
+ 'forward',
+ 'found',
+ 'fresh',
+ 'friend',
+ 'further',
+ 'future',
+ 'garden',
+ 'gather',
+ 'general',
+ 'gentle',
+ 'gentleman',
+ 'glass',
+ 'glossary',
+ 'goodbye',
+ 'govern',
+ 'guard',
+ 'happen',
+ 'health',
+ 'heard',
+ 'heart',
+ 'heaven',
+ 'heavy',
+ 'history',
+ 'honor',
+ 'however',
+ 'hunger',
+ 'husband',
+ 'include',
+ 'increase',
+ 'indeed',
+ 'industry',
+ 'inside',
+ 'instead',
+ 'journey',
+ 'kitchen',
+ 'known',
+ 'labor',
+ 'ladder',
+ 'language',
+ 'large',
+ 'laugh',
+ 'laughter',
+ 'leader',
+ 'leave',
+ 'length',
+ 'letter',
+ 'likely',
+ 'listen',
+ 'little',
+ 'machine',
+ 'manner',
+ 'market',
+ 'master',
+ 'material',
+ 'matter',
+ 'mayor',
+ 'measure',
+ 'meeting',
+ 'member',
+ 'method',
+ 'middle',
+ 'might',
+ 'million',
+ 'minute',
+ 'mister',
+ 'modern',
+ 'morning',
+ 'mother',
+ 'mountain',
+ 'movement',
+ 'nation',
+ 'nature',
+ 'nearly',
+ 'necessary',
+ 'needle',
+ 'neighbor',
+ 'neither',
+ 'niece',
+ 'night',
+ 'north',
+ 'nothing',
+ 'notice',
+ 'number',
+ 'object',
+ 'oclock',
+ 'office',
+ 'often',
+ 'opinion',
+ 'order',
+ 'orderly',
+ 'outside',
+ 'paint',
+ 'partial',
+ 'party',
+ 'people',
+ 'perfect',
+ 'perhaps',
+ 'period',
+ 'person',
+ 'picture',
+ 'pleasant',
+ 'please',
+ 'pleasure',
+ 'position',
+ 'possible',
+ 'power',
+ 'prepare',
+ 'present',
+ 'president',
+ 'pretty',
+ 'probable',
+ 'probably',
+ 'problem',
+ 'produce',
+ 'promise',
+ 'proud',
+ 'public',
+ 'quarter',
+ 'question',
+ 'quiet',
+ 'rather',
+ 'ready',
+ 'realize',
+ 'reason',
+ 'receive',
+ 'record',
+ 'remember',
+ 'report',
+ 'require',
+ 'result',
+ 'return',
+ 'ridden',
+ 'right',
+ 'river',
+ 'round',
+ 'safety',
+ 'school',
+ 'season',
+ 'separate',
+ 'service',
+ 'settle',
+ 'severa',
+ 'several',
+ 'shake',
+ 'share',
+ 'shore',
+ 'short',
+ 'should',
+ 'shoulder',
+ 'shout',
+ 'silver',
+ 'simple',
+ 'single',
+ 'sister',
+ 'smell',
+ 'smoke',
+ 'soldier',
+ 'space',
+ 'speak',
+ 'special',
+ 'spent',
+ 'spread',
+ 'spring',
+ 'square',
+ 'station',
+ 'still',
+ 'store',
+ 'storm',
+ 'straight',
+ 'strange',
+ 'stranger',
+ 'stream',
+ 'street',
+ 'strength',
+ 'strike',
+ 'strong',
+ 'student',
+ 'subject',
+ 'succeed',
+ 'success',
+ 'sudden',
+ 'suffer',
+ 'summer',
+ 'supply',
+ 'suppose',
+ 'surprise',
+ 'sweet',
+ 'system',
+ 'therefore',
+ 'thick',
+ 'think',
+ 'third',
+ 'those',
+ 'though',
+ 'thought',
+ 'through',
+ 'thrown',
+ 'together',
+ 'toward',
+ 'trade',
+ 'train',
+ 'training',
+ 'travel',
+ 'trouble',
+ 'trust',
+ 'twelve',
+ 'twenty',
+ 'understand',
+ 'understood',
+ 'until',
+ 'valley',
+ 'value',
+ 'various',
+ 'wagon',
+ 'water',
+ 'weather',
+ 'welcome',
+ 'wheat',
+ 'whether',
+ 'while',
+ 'white',
+ 'whose',
+ 'window',
+ 'winter',
+ 'within',
+ 'without',
+ 'woman',
+ 'women',
+ 'wonder',
+ 'worth',
+ 'would',
+ 'write',
+ 'written',
+ 'yellow']
+ domains = []
+ for i in range(0,nb):
+ domains.append(generate_domain(bin(time + i), wordlist))
+ return domains
+
+def generate_domain(timestamp,wordl):
+ """
+ Generate one domain name
+ :param timestamp: tinm
+ :param wordl:
+ :return:
+ """
+ inv_key = [0, 5, 10, 14 ,9 ,3 ,11, 7, 2, 13, 4, 8, 1, 12, 6]
+ bin_temp = timestamp[-15::1]
+ nib=np.int_(np.zeros(len(bin_temp)))
+ for x in range(0,14):
+ nib[x] = bin_temp[inv_key[x]]
+ res = [''.join([str(char) for char in nib[:7]]),''.join([str(char) for char in nib[7:]])]
+ res = [wordl[int(res[0],2)], wordl[int(res[1],2)+128] , ".net" ]
+ return ''.join([str(wds) for wds in res])
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-d", "--date", help="date for which to generate domains")
+ parser.add_argument("-n", "--nr", help="nr of domains to generate (default 85)",
+ type=int, default=85)
+ args = parser.parse_args()
+
+ d = datetime.strptime(args.date, "%Y-%m-%d") if args.date else datetime.now()
+ d -= datetime.utcfromtimestamp(0)
+ print pizd(int(d.total_seconds()*1000),args.nr)
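Review bot: In generate_domain the loop `for x in range(0,14):` writes only nib[0..13], so nib[14] (which would receive bin_temp[inv_key[14]], i.e. bit 6 of the window) is never set and stays 0; since res[1] is built from nib[7:], every second-word index `int(res[1],2)` is even, which matches the examples.txt added in this commit (leader, needle, length, neither, … all sit at even offsets above 128) but means those examples cannot confirm whether the real DGA uses all 15 bits. If the full 15-bit permutation is intended, `for x in range(0,15):` is the fix; if a 14-bit window is deliberate, a comment saying so and dropping the unused 15th inv_key entry would make that explicit for anyone regenerating blocklists from this script. The time base in the `__main__` block also mixes a naive local `datetime.now()` with the UTC epoch from `datetime.utcfromtimestamp(0)`, so the millisecond counter is shifted by the host's UTC offset and the generated set drifts with the machine's timezone; `datetime.utcnow()` keeps both sides in UTC. The `print pizd(...)` statement is Python 2 only, which is worth stating in a shebang or the README since the file has no extension.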