Script used to discover the C&C servers of the Chinad botnet by probing every host of a /24 for the C&C's characteristic response.
#!/usr/bin/env python
"""script used to discover C&C's of Chinad botnet
(more: https://blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2/)
"""
import argparse
import socket
import sys
import urllib2
url_bgn = "http://"
url_end = "/api/index.html"  # path requested on every probed host
data = ''
# NOTE(review): data is '' rather than None. urllib2 presumably treats a
# non-None body as "request has data" and adds Content-Length/Content-Type
# even though make_req forces the verb to GET below -- confirm this is
# deliberate (mimicking the real client) before changing it to None.
agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130921 Firefox/24.0'  # spoofed browser UA
content_type = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'  # sent as the Accept header
method = 'GET'
class TimeoutException(Exception):
    """Raised by make_req when the probed host does not answer within the timeout."""
def generate_hosts(host_bgn, start, end):
    """Build the dotted-quad addresses ``host_bgn.N`` for N in [start, end).

    Args:
        host_bgn: first three octets, e.g. ``"101.99.68"``.  Not validated here.
        start: first value of the last octet (inclusive).
        end: one past the last value (exclusive, exactly like ``range``), so
            ``end=254`` stops at ``.253``.

    Returns:
        list of address strings in ascending order; empty when ``start >= end``.
    """
    prefix = host_bgn + "."
    return [prefix + str(last_octet) for last_octet in range(start, end)]
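def _is_timeout(reason):
    """True when a URLError's ``reason`` describes a socket timeout.

    ``reason`` may be a ``socket.timeout`` instance or a string, so both
    forms are checked; the old ``'timeout' in e.reason`` test never matched
    the usual ``'timed out'`` message.
    """
    if isinstance(reason, socket.timeout):
        return True
    text = str(reason).lower()
    return 'timed out' in text or 'timeout' in text


def make_req(host, url, max_bytes=1024 * 1024):
    """Fetch ``url`` and return its body when the server answers 200.

    This sends a single GET, with a spoofed browser User-Agent and a
    3-second timeout, to a host that is *suspected* of being Chinad C&C.
    The probe originates from the caller's own network, so run it only
    from infrastructure you are willing to expose to that host.

    Args:
        host: value for the Host header (the scanned IP address).
        url: full URL to request (the caller builds it from ``url_bgn``/``url_end``).
        max_bytes: cap on how much of the body is read.  The peer is
            attacker-controlled; an unbounded ``read()`` would let it feed
            an arbitrarily large response into memory.

    Returns:
        The (possibly truncated) response body for HTTP 200, else ``None``.

    Raises:
        TimeoutException: the connection or the body read timed out.
        urllib2.HTTPError: the server answered with an error status; the
            caller distinguishes 404 from the rest.
        urllib2.URLError: any other failure to reach the host (connection
            refused, no route, ...).  Previously this case fell through to an
            unbound ``resp`` and surfaced as UnboundLocalError.
    """
    headers = {'Host': host, 'Accept': content_type, 'User-Agent': agent}
    request = urllib2.Request(url, data, headers)
    # Force the verb regardless of what urllib2 infers from ``data``.
    request.get_method = lambda: method
    try:
        resp = urllib2.urlopen(request, timeout=3)
    except urllib2.HTTPError:
        # HTTPError subclasses URLError: match it first so status errors
        # reach the caller untouched.
        raise
    except socket.timeout:
        raise TimeoutException()
    except urllib2.URLError as e:
        # urllib2 wraps a connect timeout as URLError(socket.timeout(...)).
        if _is_timeout(e.reason):
            raise TimeoutException()
        raise
    try:
        if resp.getcode() != 200:
            return None
        try:
            return resp.read(max_bytes)
        except socket.timeout:
            # A body that stalls after the headers arrived is a timeout too.
            raise TimeoutException()
    finally:
        # The original never closed the response; one socket per host adds up
        # over a /24 scan.
        resp.close()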
def response_matches(resp_content):
    """Decide whether a fetched body looks like a Chinad C&C answer.

    The fingerprint is the literal substring ``'AAA'``.  That is a very
    short marker, so any unrelated page containing it matches as well:
    treat a hit as a lead to verify by hand, not as confirmation.

    Args:
        resp_content: body returned by ``make_req``, or ``None`` when there
            was no 200 response.

    Returns:
        ``True`` on a match, ``False`` for ``None`` or no match.
    """
    return resp_content is not None and 'AAA' in resp_content
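def list_suspects(hosts):
    """Probe every host in ``hosts`` and collect the URLs that look like C&C.

    One GET per host is sent to ``url_bgn + host + url_end``; a host is
    reported when ``response_matches`` accepts the body.  Progress and
    per-host errors go to stdout.  A 404 is the normal answer from an
    unrelated web server and is kept quiet; timeouts, connection failures
    and other HTTP errors are printed so that a scan that is failing for
    an environmental reason (wrong network, egress filtered) is visible
    instead of being swallowed by a bare ``except Exception: pass``.

    Args:
        hosts: iterable of IP address strings (see ``generate_hosts``).

    Returns:
        list of the matching URLs, in scan order (empty when nothing matched).
    """
    suspects = []
    for host in hosts:
        url = url_bgn + host + url_end
        print("Checking: " + url)
        try:
            if response_matches(make_req(host, url)):
                suspects.append(url)
                print("[!] Host suspected: " + host)
        except TimeoutException:
            print("Timeout: " + url)
        except urllib2.HTTPError as e:
            # Most unrelated hosts simply do not serve /api/index.html.
            if e.code != 404:
                print("\tError : " + url + " : " + str(e.reason))
        except urllib2.URLError as e:
            # Connection refused / unreachable: keep scanning, but say so.
            print("\tError : " + url + " : " + str(e.reason))
        except Exception as e:
            # Unexpected failure on one host must not abort the whole scan,
            # but it must not be hidden either.
            print("\tError : " + url + " : " + repr(e))
    return suspects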
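def main():
    """Parse the command line, scan the requested /24 and print a summary.

    Returns 0 so that ``sys.exit(main())`` exits cleanly; results are
    reported in the printed summary, not in the exit status.
    """
    parser = argparse.ArgumentParser(description="Chinad check")
    parser.add_argument('--range_start', dest="range_start", default="101.99.68",
                        help="First 3 octets of the hosts range, default='101.99.68'")
    parser.add_argument('--bgn', dest="bgn", default=1, type=int,
                        help="First value of the last octet (inclusive), default=1")
    parser.add_argument('--end', dest="end", default=254, type=int,
                        help="End of the last octet (exclusive, as in range()), default=254")
    args = parser.parse_args()
    # Validate before any request is sent: a bad prefix or octet would only
    # show up as a wall of connection errors, one per host.
    octets = args.range_start.split('.')
    if len(octets) != 3 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        parser.error("--range_start must be the first three octets, e.g. 101.99.68")
    if not (0 <= args.bgn < args.end <= 256):
        parser.error("--bgn/--end must satisfy 0 <= bgn < end <= 256")
    hosts = generate_hosts(args.range_start, args.bgn, args.end)
    suspects = list_suspects(hosts)
    print("--------------")
    print("SUMMARY")
    print("---")
    print("Checked:\t%d" % len(hosts))
    if suspects:
        print("Suspicious:\t%d" % len(suspects))
        print("Suspicious URLs:")
        print("\n".join(suspects))
    else:
        print("Didn't find any suspicious hosts")
    print("--------------")
    return 0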
if __name__ == "__main__":
    # Exit status is whatever main() returns (None is reported as 0).
    sys.exit(main())