Festi


Festi is a rootkit, and the botnet built on it, targeting the Microsoft Windows family of operating systems. Festi first came to the attention of antivirus vendors in the autumn of 2009. At that time the botnet was estimated at roughly 25,000 infected machines, with a capacity of about 2.5 billion spam emails a day. Festi was most active in 2011-2012. A later estimate, from August 2012, put the botnet at 250,000 unique spam-sending IP addresses, a quarter of the roughly one million IP addresses observed sending spam at the time. The main functions of the Festi botnet are sending spam and carrying out distributed denial-of-service (DDoS) attacks.

Distribution Methods

Distribution is carried out through a pay-per-install (PPI) scheme. To evade antivirus detection, the loader is distributed in encrypted form, which complicates signature-based detection.

Architecture

The information on the architecture of the botnet presented here comes from research by the antivirus company ESET.
The loader downloads and installs the bot, which is a kernel-mode driver that registers itself as a driver loaded together with the operating system at boot. Only the part of the bot responsible for communicating with the command-and-control (C&C) server and for loading modules is stored on the hard disk. Once started, the bot periodically polls the C&C server for its configuration, for modules to load, and for jobs to execute.

Modules

From the research carried out by specialists of the antivirus company ESET, it is known that Festi has at least two modules. One is intended for sending spam, the other for carrying out DDoS attacks. The DDoS module supports the following attack types: TCP flood, UDP flood, DNS flood, HTTP flood, and a flood of packets with a random IP protocol number.
An expert from Kaspersky Lab who studied the botnet concluded that there are more modules, though not all of them are in use. They include a SOCKS proxy module supporting the TCP and UDP protocols, a module for remote viewing and control of the victim's computer, a module that searches the victim's disk and the local network to which the victim's computer is connected, and grabber modules for all browsers in common use at the time.
Modules are never written to the hard disk, which makes their detection very difficult.
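The flood types listed above differ in what they look like on the wire, and that difference is what a network defender keys on. The following is an added example, not Festi code and not ESET's or Kaspersky's tooling: a small classifier that buckets per-packet records by target, time window and flood kind, and raises an alert only when a kind's volume is high and spread over many sources (the "distributed" part). The record format, thresholds and the sample traffic are all constructed for illustration; a real deployment would read NetFlow/IPFIX or packet captures instead of the `sample_traffic()` generator.

```python
"""Classify DDoS flood traffic (TCP/UDP/DNS/HTTP/random-protocol) from packet records.

Added example; the Pkt record, thresholds and sample data are constructed, not Festi's.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds since capture start
    src: str      # source IP
    dst: str      # destination IP (the target)
    proto: str    # "tcp", "udp", or "ip:<n>" for any other IP protocol number
    dport: int    # destination port, 0 if not applicable
    flags: str    # TCP flags as letters, e.g. "S" or "PA"; "" for non-TCP


def kind_of(p: Pkt) -> str:
    """Map one packet to the flood kind it would belong to if it were part of a flood."""
    if p.proto == "tcp":
        if p.flags == "S":                       # bare SYNs: connection-less TCP flood
            return "tcp-syn-flood"
        if p.dport in (80, 443, 8080) and "P" in p.flags:
            return "http-flood"                  # data-carrying segments to a web port
        return "tcp-flood"
    if p.proto == "udp":
        return "dns-flood" if p.dport == 53 else "udp-flood"
    return "random-proto-flood"                  # e.g. "ip:47", "ip:132": unusual protocol numbers


def detect_floods(pkts, window=10.0, min_pkts=500, min_sources=10):
    """Return alerts for (target, window, kind) buckets that exceed both thresholds.

    Requiring many distinct sources separates a botnet flood from one busy client.
    """
    # (dst, window index) -> kind -> src -> packet count
    buckets = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for p in pkts:
        buckets[(p.dst, int(p.ts // window))][kind_of(p)][p.src] += 1

    alerts = []
    for (dst, w), kinds in sorted(buckets.items()):
        for kind, per_src in kinds.items():
            total = sum(per_src.values())
            if total >= min_pkts and len(per_src) >= min_sources:
                alerts.append({"dst": dst, "window": w, "kind": kind,
                               "packets": total, "sources": len(per_src)})
    return alerts


def sample_traffic(seed=1):
    """Constructed capture: a SYN flood and a DNS flood plus one benign HTTPS client."""
    rng = random.Random(seed)
    pkts = []
    for i in range(60):                          # 60 bots x 20 SYNs -> 1200 packets
        src = f"198.51.100.{i + 1}"
        for _ in range(20):
            pkts.append(Pkt(rng.uniform(0, 9.9), src, "203.0.113.10", "tcp", 80, "S"))
    for i in range(40):                          # 40 bots x 15 DNS queries -> 600 packets
        src = f"192.0.2.{i + 1}"
        for _ in range(15):
            pkts.append(Pkt(rng.uniform(0, 9.9), src, "203.0.113.53", "udp", 53, ""))
    for _ in range(30):                          # one legitimate client: below both thresholds
        pkts.append(Pkt(rng.uniform(0, 9.9), "192.0.2.200", "203.0.113.10", "tcp", 443, "PA"))
    return pkts


if __name__ == "__main__":
    for a in detect_floods(sample_traffic()):
        print(a)
```

The two thresholds are deliberately independent: a single client retrying a download can exceed the packet count but not the source count, while a slow probe from many hosts can exceed the source count but not the packet count. Tune both to the target's normal traffic before relying on the alerts.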

Network Interaction

The bot uses a client-server model and implements its own network protocol for communicating with the C&C server. The protocol is used to receive the botnet configuration, to load modules, to obtain jobs from the C&C server and to report their completion back to it. The data is encoded, which hinders determining the contents of the network traffic.

Protection against Detection and Debugging

On installation the bot disables the system firewall, hides its kernel-mode driver and the registry keys needed for its loading and operation, and protects both from deletion. Network operations are performed at a low level, which lets the bot easily bypass the network filters of antivirus software; it also monitors for network filters in order to prevent their installation. The bot checks whether it is running inside a virtual machine and, if so, stops its activity. Festi periodically checks for the presence of a debugger and is able to remove breakpoints.
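Because the driver described in the Architecture section is registered to load with the operating system, and the bot then hides that driver and its registry keys from anything querying the live system, a live enumeration alone cannot reveal it: a rootkit filtering the registry and driver lists in the kernel shows the same picture to every API above it. The practical check is a cross-view comparison of the live enumeration against a view obtained out of band, such as a baseline recorded before the incident or the SYSTEM hive parsed offline from a disk image. The following is an added example, not Festi code and not ESET's tooling: it collects the live view of boot- and system-start kernel drivers on Windows via the registry API, compares it with a caller-supplied reference view, and flags firewall profiles that have been switched off. The reference view, the driver name `example_drv`, and the sample policy values are constructed for illustration.

```python
"""Cross-view check for a hidden boot-start driver and a disabled firewall.

Added example, not Festi's or ESET's code. The reference view is supplied by the caller
(baseline or offline hive parse); the sample data below is constructed.
"""
import sys

BOOT_OR_SYSTEM_START = {0, 1}   # Start value: 0 = boot start, 1 = system start
KERNEL_DRIVER_TYPES = {1, 2}    # Type value: 1 = kernel driver, 2 = file-system driver


def live_driver_services():
    """Enumerate HKLM\\SYSTEM\\CurrentControlSet\\Services through the live registry API.

    Returns {service name: {"start": int, "image": str}} for kernel drivers that load
    with the OS. Returns {} when not running on Windows, so the comparison logic below
    can still be exercised with constructed views.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svc:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(svc, i)
            except OSError:            # no more subkeys
                break
            i += 1
            try:
                with winreg.OpenKey(svc, name) as k:
                    typ, _ = winreg.QueryValueEx(k, "Type")
                    start, _ = winreg.QueryValueEx(k, "Start")
                    try:
                        image, _ = winreg.QueryValueEx(k, "ImagePath")
                    except OSError:    # some driver keys carry no ImagePath
                        image = ""
            except OSError:            # key vanished or is unreadable: skip it
                continue
            if typ in KERNEL_DRIVER_TYPES and start in BOOT_OR_SYSTEM_START:
                out[name] = {"start": start, "image": image}
    return out


def compare_views(live, reference):
    """Reconcile the live view with an out-of-band reference view.

    Returns (hidden, added, changed): names the live API does not show but the reference
    does (the rootkit case), names present only live, and names whose start type or
    image path differ between the two views.
    """
    hidden = sorted(set(reference) - set(live))
    added = sorted(set(live) - set(reference))
    changed = sorted(n for n in set(live) & set(reference) if live[n] != reference[n])
    return hidden, added, changed


def firewall_disabled(policy):
    """policy maps a profile name to its EnableFirewall DWORD as read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\<profile>.
    Returns the profiles whose firewall is off (value 0)."""
    return sorted(p for p, v in policy.items() if v == 0)


# Constructed views. "example_drv" is a hypothetical name standing in for a rootkit
# driver that the offline hive parse lists but the live enumeration no longer returns.
REFERENCE_VIEW = {
    "disk":        {"start": 0, "image": r"system32\drivers\disk.sys"},
    "tcpip":       {"start": 1, "image": r"system32\drivers\tcpip.sys"},
    "example_drv": {"start": 1, "image": r"system32\drivers\example_drv.sys"},
}
LIVE_VIEW = {
    "disk":  {"start": 0, "image": r"system32\drivers\disk.sys"},
    "tcpip": {"start": 1, "image": r"system32\drivers\tcpip.sys"},
}
SAMPLE_POLICY = {"DomainProfile": 1, "StandardProfile": 0, "PublicProfile": 0}


if __name__ == "__main__":
    live = live_driver_services() or LIVE_VIEW   # fall back to the constructed view off Windows
    hidden, added, changed = compare_views(live, REFERENCE_VIEW)
    print("hidden from live view:", hidden)
    print("only in live view:", added, "changed:", changed)
    print("firewall off for profiles:", firewall_disabled(SAMPLE_POLICY))
```

The comparison is only as good as the independence of the two views. A reference taken from the same running system through a different user-mode API is still filtered by the same kernel hooks; a copy of the hive taken from a powered-off image, or a baseline captured before infection, is not.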

The Object-Oriented Approach to Development

Festi is written using object-oriented software development techniques, which makes research by reverse engineering considerably harder and makes the bot easy to port to other operating systems.

Control

All control of the Festi botnet is implemented through a web interface and is carried out via a browser.

Who Stands behind Festi

According to specialists at the antivirus company ESET, the American journalist and blogger Brian Krebs, an expert in the information security field, Andrew Kramer, an American journalist at The New York Times, and sources close to the Russian intelligence services, the architect and developer of the Festi botnet is the Russian hacker Igor Artimovich.

Conclusion

In conclusion, the Festi botnet was one of the most powerful botnets for sending spam and carrying out DDoS attacks. The principles on which Festi is built maximize the bot's lifetime on an infected system and hinder its detection by antivirus software and network filters. The module mechanism allows the functionality of the botnet to be extended in any direction by creating and loading the modules needed for a given purpose, and the object-oriented approach to development complicates reverse engineering and makes it possible to port the bot to other operating systems through a clean separation between operating-system-specific functionality and the rest of the bot's logic. Strong anti-detection and anti-debugging measures make the Festi bot almost invisible. The binding scheme and the use of backup command centers make it possible to regain control over the botnet after a change of command center. Festi is an atypical example of malicious software, since its authors approached its development with exceptional seriousness.