refactored DGA and added new seed

- the main DGA is in `dga.py`. Different seeds can be selected with `-v`,
  `--version`.

- The seed `-v v7` was added, it is featured in sample
  e213401158fcd632f758cd8bda224c7a

bazarbackdoor/dga.py

@@ -1,38 +1,103 @@
 import argparse
+from collections import namedtuple
 from datetime import datetime
 from itertools import product
 
+Param = namedtuple("Param", "mul mod idx")
 
-def dga(date):
-    month = date.month
-    year = date.year
-    date_str = "{0:02d}{1:04d}".format(12-month, year-18)
-
-    valid_chars = [
-      "abcde",
-      "cdef",
-      "efgh",
-      "ghi",
-      "ijk",
-      "klm"
-    ]
-    valid_chars = [list(_) for _ in valid_chars]
-    for part1 in product(*valid_chars):
-        domain = "".join(part1)
-        for i, c in enumerate(part1):
-            domain += chr(ord(c) + int(date_str[i]) )
+p1 = (
+    "qeewcaacywemomedekwyuhidontoibeludsocuexvuuftyliaqydhuizuctuiqow"
+    "agypetehfubitiaziceblaogolryykosuptaymodisahfiybyxcoleafkudarapu"
+    "qoawyluxqagenanyoxcygyqugiutlyvegahepovyigqyqibaeqynyfkiobpeepby"
+    "xaciyvusocaripfyoftesaysozureginalifkazaadytwuubzuvoothymivazyyz"
+    "hoevmeburedeviihiravygkemywaerdonoyryqloammoseweesuvfopiriboikuz"
+    "orruzemuulimyhceukoqiwfexuefgoycwiokitnuneroxepyanbekyixxiuqsias"
+    "xoapaxmaohezwoildifaluzihipanizoecxyopguakdudyovhaumunuwsusyenko"
+    "atugabiv"
+)
+
+p2 = (
+    "yzewevmeywreomviekwyavygontowaerudsoyrexvuamtyseweesuvizpituiqow"
+    "uzoretzemuultiazicukoqiwolxuykosupwiymitisneroxeyxanlekyixxirasi"
+    "asxoapuxqaohezwooxdigyquziutpavezohexyvyguqyqidyovynumunuwsusyen"
+    "xaatyvusivaripfyoftesaysozureginalif"
+)
+
+p3 = (
+    "xezeiwzuizpizovureonxyuzofezytpuarywnyavrysiovvazyratuoskumuatyz"
+    "omnevexaqoixevkeuqoxuvutvipoymxoozwikonipysygotelyzayxnuunuwakqu"
+    "ritaamugvyitimsuyrwyxuexaqtigyivewqiydseawukhirufuwairkiiquxowih"
+    "hyurotiluhvocywowumoyvupagduobaserroziqyenpahaxiloazodtoishuax"
+)
+
+p4 = (
+    "xezenozuizpioqvuekifxyusofalytkadeibubysmyliylvaikultugikuuddoyq"
+    "lanevebaqoixogicuqebuvbuviehbofyefsokonihosygoynbeetwenuunuwohqu"
+    "ritaamugvyitimfiyrelcoykaqqaacapokcuydseumafedemfubyirahiquxegce"
+    "aburotiluhvocywowumoyvupagduobaserroziqyenpahaxiloazodtoishuaxbi"
+    "ufmifoiwesleyhzoyfreontyuzfaezkypuarywnyavrysiovyczyraciosgumuat"
+    "yzommeolxaeqdaevkepeoxsauteppoymxoozwiygucpyheectelyzayxybgaypak"
+    "igluinmacageocidsuorwyxuexantigyivewqiadnaawukhirudywaqekidiipow"
+    "ihhyopfexezenozuizpioqvuekifxyusofalytkadeibubysmyliylvaikultugi"
+    "kuuddoyqlanevebaqoixogicuqebuvbuviehbofyefsokonihosygoynbeetwenu"
+    "unuwohquritaamugvyitimfiyrelcoykaqqaacapokcuydseumafedemfubyirah"
+    "iquxegceaburotiluhvocywowumoyvupagduobaserroziqyenpahaxiloazodto"
+    "ishuaxbiufmifoiwesleyhzoyfreontyuzfaezkypuarywnyavrysiovyczyraci"
+    "osgumuatyzommeolxaeqdaevkepeoxsauteppoymxoozwiygucpyheectelyzayx"
+    "ybgaypakigluinmacageocidsuorwyxuexantigyivewqiadnaawukhirudywaqe"
+    "kidiipowihhyopfe"
+)
+
+
+c1 = [Param(19, 19, 0), Param(19, 19, 1), Param(6, 6, 4), Param(6, 6, 5)]
+c2 = [Param(19, 19, 0), Param(19, 19, 1), Param(4, 22, 4), Param(4, 4, 5)]
+c3 = [Param(19, 19, 0), Param(19, 19, 1), Param(4, 4, 4), Param(4, 4, 5)]
+
+versions = {
+    "v2": (p1, c1),
+    "v3": (p1, c2),
+    "v4": (p2, c2),
+    "v5": (p1, c3),
+    "v6": (p3, c3),
+    "v7": (p4, c3),
+}
+
+
+def dga(date: datetime, version: str):
+    seed = date.strftime("%m%Y")
+    print(seed)
+    pool, params = versions[version]
+    ranges = []
+    for p in params:
+        s = int(seed[p.idx])
+        lower = p.mul * s
+        upper = lower + p.mod
+        ranges.append(list(range(lower, upper)))
+
+    for indices in product(*ranges):
+        domain = ""
+        for index in indices:
+            domain += pool[index * 2 : index * 2 + 2]
         domain += ".bazar"
         yield domain
 
 
-
-if __name__=="__main__":
+if __name__ == "__main__":
     parser = argparse.ArgumentParser()
-    parser.add_argument("-d", "--date", help="date when domains are generated, e.g., 2020-06-28")
+    parser.add_argument(
+        "-d",
+        "--date",
+        help="date used for seeding, e.g., 2020-06-28",
+        default=datetime.now().strftime("%Y-%m-%d"),
+    )
+    parser.add_argument(
+        "-v",
+        "--version",
+        help="version",
+        choices=versions.keys(),
+        default="v2",
+    )
     args = parser.parse_args()
-    if args.date:
-        d = datetime.strptime(args.date, "%Y-%m-%d")
-    else:
-        d = datetime.now()
-    for domain in dga(d):
+    d = datetime.strptime(args.date, "%Y-%m-%d")
+    for domain in dga(d, args.version):
         print(domain)

bazarbackdoor/dga_beta.py

@@ -0,0 +1,38 @@
+import argparse
+from datetime import datetime
+from itertools import product
+
+
+def dga(date):
+    month = date.month
+    year = date.year
+    date_str = "{0:02d}{1:04d}".format(12-month, year-18)
+
+    valid_chars = [
+      "abcde",
+      "cdef",
+      "efgh",
+      "ghi",
+      "ijk",
+      "klm"
+    ]
+    valid_chars = [list(_) for _ in valid_chars]
+    for part1 in product(*valid_chars):
+        domain = "".join(part1)
+        for i, c in enumerate(part1):
+            domain += chr(ord(c) + int(date_str[i]) )
+        domain += ".bazar"
+        yield domain
+
+
+
+if __name__=="__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-d", "--date", help="date when domains are generated, e.g., 2020-06-28")
+    args = parser.parse_args()
+    if args.date:
+        d = datetime.strptime(args.date, "%Y-%m-%d")
+    else:
+        d = datetime.now()
+    for domain in dga(d):
+        print(domain)