initial commit

baderj · Aug 31, 2015 · dca8ec5 · dca8ec5
1 parent a947803
commit dca8ec5
Show file tree

Hide file tree

Showing 27 changed files with 13,255 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,2 +1,20 @@
-# domain_generation_algorithms
+# Domain Generation Algorithms 
 Some results of my DGA reversing efforts
+
+## Overview
+
+Subfolder | Malware Family | Alias | Write-Up
+--------- | -------------- | ----- | ----------
+newgoz    | newGOZ         | Gameover Zeus, Peer-to-Peer Zeus |   [link](https://johannesbader.ch/2014/12/the-dga-of-newgoz/)
+ramnit    | Ramnit         | [link](https://johannesbader.ch/2014/12/the-dga-of-ramnit/)
+shiotob   | Shiotob        | Urlzone, Bebloh | [link](https://johannesbader.ch/2015/01/the-dga-of-shiotob/)
+symmi     | Symmni         | | [link](http://johannesbader.ch/2015/01/the-dga-of-symmi/)
+banjori   | Banjori        | MultiBanker 2, BackPatch(er) | [link](http://johannesbader.ch/2015/02/the-dga-of-banjori/)
+necurs    | Necurs         | | [link](http://johannesbader.ch/2015/02/the-dgas-of-necurs/)
+dircrypt  | DirCrypt       | | [link](http://johannesbader.ch/2015/03/the-dga-of-dircrypt/)
+pykspa    | Precursor of Pykspa | | [link](http://johannesbader.ch/2015/07/pykspas-inferior-dga-version/)
+          | Improved Pykspa     | | [link](http://johannesbader.ch/2015/03/the-dga-of-pykspa/)
+simda     | Simda | Shiz | [link](http://johannesbader.ch/2015/03/the-dga-of-simda-shiz/)
+tinba     | Tinba | TinyBanker, Zusy  | [link](http://johannesbader.ch/2015/04/new-top-level-domains-for-tinbas-dga/)
+ranbyus   | Ranbyus | | [link](http://johannesbader.ch/2015/05/the-dga-of-ranbyus/)
+
diff --git a/banjori/dga.py b/banjori/dga.py
@@ -0,0 +1,16 @@
+def map_to_lowercase_letter(s):
+    return ord('a') + ((s - ord('a')) % 26)
+
+def next_domain(domain):
+    dl = [ord(x) for x in list(domain)]
+    dl[0] = map_to_lowercase_letter(dl[0] + dl[3])
+    dl[1] = map_to_lowercase_letter(dl[0] + 2*dl[1])
+    dl[2] = map_to_lowercase_letter(dl[0] + dl[2] - 1)
+    dl[3] = map_to_lowercase_letter(dl[1] + dl[2] + dl[3])
+    return ''.join([chr(x) for x in dl])
+
+seed = 'earnestnessbiophysicalohax.com' # 15372 equal to 0 (seed = 0)
+domain = seed
+for i in range(1000):
+    print(domain)
+    domain = next_domain(domain)