From sandbox: The DGA of MyDoom #49

Open
suqitian opened this issue Jan 7, 2019 · 3 comments

Comments


suqitian commented Jan 7, 2019

  • MD5
    5ca475be33c4cb2117837310c43446c0

  • Domains generated on 2019/01/03 in the sandbox


suqitian commented Jan 7, 2019

  • TLDs
    [com, biz, us, net, org, ws, info, in]
  • The number of domains
    51 domains per day
  • Test
$ python dga.py -t `date +%s -d "2019-01-03 09:25:28"`
qammswnqrn.info
eawesnrrhs.ws
rqmprewqns.org
wpmsewhnmh.in
rhhwmqqsqh.org
hsnmqqhpna.net
nmmmsaqpmh.us
wppnhmqssr.in
qamnewnrrn.info
heswwrahna.net
qhnppspnma.info
wawwrwqaqh.in
rsrapqrwna.org
eprqerqwns.ws
rnrswahmsa.org
hnqrsapmnn.net
narpqrehqs.us
mppqprmnnr.in
arshsernqa.com
wrerrqpseh.in
rhhhaqanan.org
mnnhwehhsr.in
neepnmhqrn.us
wnhraasnsh.in
asnenehqsa.com
mqwnqqqeeh.in
anqphrhenn.com
hneapamsqh.net
ahneneqamn.com
wmhmqsqsqa.in
arremamwwa.com
hpmespenrn.net
...

dga.py is here.


suqitian commented Jan 7, 2019

  • Python code
'''
    DGA of Mydoom
'''

import argparse
import time
from datetime import datetime

def dga(date, seed, nr, tlds):
    # The alphabet is stored obfuscated and decoded at runtime by XOR-ing each
    # byte with the characters of 'nj' (the decoded alphabet is 'asnhreqwpm').
    _sld = ['e', 'v', 'l', 'k', 'r', 'd', 'o', 'h', 'l', 'p']
    magic = 'nj'
    len_sld = len(_sld)
    for i in range(len_sld):
        for j in range(len(magic)):
            _sld[i] = chr(ord(_sld[i]) ^ ((ord(magic[j]) + i * j) & 0xff))

    # Daily seed: the constant plus the UTC year, month and day
    _seed = seed + date.year + date.month + date.day

    for i in range(nr):
        if i == nr - 1:
            # The last domain ignores the date, so it is the same every day
            _seed = seed

        # One step of a 32-bit linear congruential generator
        _seed = ((_seed * 0x19660d) + 0x3c6ef35f) & 0xffffffff

        sld = ''
        tld = ''
        m = _seed
        for j in range(len_sld):
            idx = m % len_sld
            sld += _sld[idx]
            if j == 0:
                # The first digit also selects the TLD; 7, 8 and 9 all map to the last one
                if idx < 7:
                    tld = tlds[idx]
                else:
                    tld = tlds[-1]

            m = m // len_sld  # integer division (the Python 2 '/' behaviour)

        print(sld + '.' + tld)

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--time', help="Seconds since January 1, 1970 UTC (default: now)",
                        type=int, default=int(time.time()))
    parser.add_argument("-n", "--nr", help="nr of domains", type=int, default=51)
    parser.add_argument("-s", "--seed", help="RAND_MAX", default="0xfa8")
    parser.add_argument("-T", "--tlds", help="TLD", default="com-biz-us-net-org-ws-info-in")

    args = parser.parse_args()

    d = datetime.utcfromtimestamp(args.time)
    tlds = args.tlds.split('-')
    dga(d, int(args.seed, 16), args.nr, tlds)
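A defender-side use of the algorithm above, added here as an example and not part of the issue or of dga.py: it re-implements the generator with the alphabet the XOR loop decodes to ("asnhreqwpm"), pre-computes a three-day window of domains, and flags matching queries in DNS log lines. The BIND-style log format, the client addresses and the "dga-shape" heuristic are assumptions, and the log lines are constructed.

```python
import re
from datetime import date, timedelta

# Constants recovered from the posted dga.py; ALPHABET is what its XOR loop yields.
ALPHABET = "asnhreqwpm"
TLDS = ["com", "biz", "us", "net", "org", "ws", "info", "in"]

def mydoom_domains(day, seed=0xFA8, nr=51):
    """One UTC day's domains; the last entry resets the state to the bare seed,
    so it is the same every day: a fixed fallback domain worth sinkholing."""
    state = seed + day.year + day.month + day.day
    out = []
    for i in range(nr):
        if i == nr - 1:
            state = seed
        state = (state * 0x19660D + 0x3C6EF35F) & 0xFFFFFFFF  # LCG step
        m, sld = state, ""
        for _ in range(len(ALPHABET)):  # ten base-10 digits, one letter each
            m, idx = divmod(m, len(ALPHABET))
            sld += ALPHABET[idx]
        first = state % len(ALPHABET)  # the first digit also selects the TLD
        out.append(f"{sld}.{TLDS[first] if first < 7 else TLDS[-1]}")
    return out

SHAPE = re.compile(r"^[asnhreqwpm]{10}\.(?:com|biz|us|net|org|ws|info|in)$")
QUERY = re.compile(r"query: (\S+) IN ")

def flag_queries(log_lines, blocklist):
    """(line_no, qname, verdict): 'dga-match' if in the computed window,
    'dga-shape' if it only has the alphabet/length/TLD shape of MyDoom output."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = QUERY.search(line)
        if m:
            q = m.group(1).lower().rstrip(".")
            if q in blocklist:
                hits.append((n, q, "dga-match"))
            elif SHAPE.match(q):
                hits.append((n, q, "dga-shape"))
    return hits

SAMPLE_DAY = date(2019, 1, 3)
# A window of days around the target day tolerates clock skew and cached answers.
BLOCKLIST = {d for k in (-1, 0, 1) for d in mydoom_domains(SAMPLE_DAY + timedelta(days=k))}
SAMPLE_LOG = [  # constructed BIND-style query log lines, not from the issue
    "03-Jan-2019 09:25:30 client 10.0.0.5#51234: query: qammswnqrn.info IN A +",
    "03-Jan-2019 09:25:31 client 10.0.0.5#51235: query: www.example.com IN A +",
    "03-Jan-2019 09:25:32 client 10.0.0.7#51236: query: eawesnrrhs.ws. IN A +",
    "03-Jan-2019 09:25:33 client 10.0.0.9#51237: query: hhhhhhhhhh.biz IN A +",
]
```

A "dga-shape" hit on its own is only a hint (another seed or day, or a coincidental name); a "dga-match" against the computed window is the actionable signal.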


suqitian commented Jan 7, 2019

  • The other samples
