Added generalized version of the Proslikefan DGA.

baderj · Jun 17, 2016 · b14e6b8 · b14e6b8
1 parent cc7ac05
commit b14e6b8
Show file tree

Hide file tree

Showing 4 changed files with 146 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ murofet/v3 | Murofet Variant 3 | LICAT | [link](https://johannesbader.ch/2015/09
 fobber     | Fobber | Tinba v3 | |
 corebot    | CoreBot | | [link](https://johannesbader.ch/2015/09/the-dga-of-corebot/)
 suppobox | SuppoBox | | [link](http://www.rsaconference.com/writable/presentations/file_upload/br-r01-end-to-end-analysis-of-a-domain-generating-algorithm-malware-family.pdf)
-unnamed_javascript_dga | Unnamed | | [link](https://johannesbader.ch/2015/11/a-javascript-based-dga/) |
+unnamed_javascript_dga | Unnamed | | [link](https://johannesbader.ch/2015/11/a-javascript-based-dga/) *Obsolete*, see *Proslikefan* |
 kraken/v1 | Kraken Version 1 | Bobax, Oderoor |  [link](https://johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms/) |
 kraken/v2 | Kraken Version 2 | Bobax, Oderoor |  [link](https://johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms/) |
 dnschanger | DNSChanger | Alureon | [link](https://johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/) |
@@ -34,3 +34,4 @@ locky | Locky |  | [link](https://blogs.forcepoint.com/security-labs/lockys-new-
 padcrypt | Padcrypt | | [link](http://johannesbader.ch/2016/03/the-dga-of-padcrypt/) |
 gozi | Gozi | Ursnif, Snifula, Papras | [link](http://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature) |
 qadars | Qadars | | [link](https://www.johannesbader.ch/2016/04/the-dga-of-qadars/)
+proslikefan | Proslikefan | | [link](https://johannesbader.ch/2016/06/proslikefan/) 
diff --git a/proslikefan/dga.py b/proslikefan/dga.py
@@ -0,0 +1,43 @@
+import argparse
+from ctypes import c_int
+from datetime import datetime
+
+def dga(date, magic, tlds):
+#    tlds = ["eu", "biz", "se", "info", "com", "net", "org", "ru", "in", 
+#            "name"]
+    for i in range(10):
+        for tld in tlds:
+            seed_string = '.'.join([str(s) for s in 
+                    [magic, date.month, date.day, date.year, tld]])
+            r = abs(hash_string(seed_string)) + i
+            domain = ""
+            k = 0
+            while(k < r % 7 + 6):
+                r = abs(hash_string(domain + str(r))) 
+                domain += chr(r % 26 + ord('a')) 
+                k += 1
+            domain += '.' + tld
+            print(domain)
+
+
+def hash_string(s):
+    h = c_int(0) 
+    for c in s:
+        h.value = (h.value << 5) - h.value + ord(c)
+    return h.value
+
+
+if __name__=="__main__":
+    """ known magic seeds are "prospect" and "OK" """
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-d", "--date", help="date for which to generate domains")
+    parser.add_argument("-m", "--magic", help="magic string", 
+            default="prospect")
+    parser.add_argument("-t", "--tlds", nargs="+", help="tlds",
+        default=["eu", "biz", "se", "info", "com", "net", "org", "ru", "in", "name"])
+    args = parser.parse_args()
+    if args.date:
+        d = datetime.strptime(args.date, "%Y-%m-%d")
+    else:
+        d = datetime.now()
+    dga(d, args.magic, args.tlds)
diff --git a/proslikefan/example_domains.txt b/proslikefan/example_domains.txt
@@ -0,0 +1,100 @@
+flarvcpk.eu
+stjneohiod.biz
+vcevvkc.se
+qylptiin.info
+bsvisbttr.com
+hjiknr.net
+arpeiezki.org
+gobqca.ru
+tivqfahrmxdl.in
+smutloo.name
+gryzepc.eu
+rekgwp.biz
+wavmuomzfr.se
+pqyluzl.info
+akvcqu.com
+glqene.net
+zqxifqduh.org
+hgrykgqj.ru
+uueozhi.in
+rgklyxlcj.name
+hductw.eu
+qkpbesoeh.biz
+xubvxpkmz.se
+oihvtorfa.info
+zxauumyy.com
+klyvfiz.net
+ymkxcvod.org
+drlisomfb.ru
+vazkmjpsl.in
+vlabgmkob.name
+izrswaufys.eu
+pkqjxlhn.biz
+ytjhngi.se
+sxelptrstb.info
+yffvaizg.com
+jjrbhxfzl.net
+cgaqqct.org
+edvaggo.ru
+wcoefw.in
+ujvjzmnigu.name
+jvxmwczd.eu
+osdbvfv.biz
+zjwtobf.se
+rpryzthdk.info
+cnctrlixzl.com
+itnwya.net
+banrgjha.org
+fxpxlsw.ru
+xsnikockk.in
+ttpqysh.name
+khhdvpf.eu
+ncoeqrb.biz
+atvvhyhpyx.se
+qhzxelb.info
+bhhgrv.com
+hzcwghg.net
+acdlovafvd.org
+gaxhbiz.ru
+ymdztaz.in
+sbounkehs.name
+lnssrlwjpy.eu
+mapetads.biz
+bjbafdl.se
+pzyudg.info
+avhpdzz.com
+gvqxgqt.net
+zaqtxvvp.org
+hukjfphm.ru
+vlqlumv.in
+rvezfwt.name
+mmeddmyv.eu
+lucvizum.biz
+yfjsvcgzww.se
+orlxwxx.info
+zhmipvngw.com
+fheaeenck.net
+ycresfa.org
+iiwezrv.ru
+wmhmrqm.in
+qhkykdy.name
+nqvjbwb.eu
+kowaitkxdja.biz
+zxtvvae.se
+noioyjzud.info
+yvjkano.com
+eniyjb.net
+xsbkrxsh.org
+jmduiujlcj.ru
+xixqgfeav.in
+pncktgg.name
+jklpsfturv.eu
+joxanpai.biz
+afunjugp.se
+mgaaqel.info
+xzzsczuysr.com
+dkbqsm.net
+wkllvson.org
+kqzzcw.ru
+ycxuodvpp.in
+opdzzfh.name
diff --git a/unnamed_javascript_dga/README.txt b/unnamed_javascript_dga/README.txt
@@ -0,0 +1 @@
+This DGA turned out to be Proslikefan. See ``../proslikefan`` for a generalized version.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		This DGA turned out to be Proslikefan. See ``../proslikefan`` for a generalized version.