SlideShare une entreprise Scribd logo

Festi botnet analysis and investigation

Alex Matrosov
Alex Matrosov

The botnet Festi has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks. Festi is an interesting and untypical malware family implementing rootkit functionality with strong protection against reverse engineering and forensic analysis. It is capable of bypassing sandboxes and automated trackers using some advanced techniques such as inserting timestamps in its communication protocol, detecting virtual machines, and subverting personal firewalls and HIPS systems. The bot consists of two parts: the dropper, and the main module, the kernel‐mode driver, which is detected by ESET as Win32/Rootkit.Festi. The malware's kernel-mode driver implements backdoor functionality and is capable of: - Updating configuration data from the C&C (command and control server); - Downloading additional dedicated plugins. In our presentation we will concentrate on the latest Festi botnet update from June 2012 and offer comprehensive information gleaned from our investigations, furnishing details on developers of the botnet and reverse engineering of the bot’s main components – the kernel-mode driver and the plugins (DDoS, Spam). The presentation starts with a description of our investigation and an account of how the Festi botnet evolved over time. We will present a binary analysis kernel-mode driver and downloaded plugins – volatile kernel-mode modules which aren’t saved on any storage device in the system, but in memory, making forensic analysis of the malware significantly more difficult. The presentation also covers such aspects of Festi as its ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. We will give details of the Festi network communication protocol architecture, based on using the TCP/IP stack implementation in the Microsoft Windows Operating System to communicate with C&C servers, send spam and perform DDoS attacks. And finally, we will describe several self-protective features and techniques of the botnet communication protocol used to bypass sandboxes and trackers.

Technologie
1  sur  53
Télécharger pour lire hors ligne
Festi Botnet Analysis & Investigation Aleksandr Matrosov Eugene Rodionov
Outline of The Presentation  Investigation  The purpose of the botnet  C&C migration  Who is behind the botnet?  Analysis  Implementation details  The bot Architecture  components, interfaces, plugins, etc.  Self-defense  The botnet’s activities:  Spam, DDoS, Proxy.
Festi: Investigation
Festi: Statistics
Festi: C&C migration Beginning 2012 Autumn 2011 muduck.ru (173.212.248.51) vilturt.ru C&C migration moduck.ru (173.212.248.51) pyatochek.ru reghostin.ru (178.162.179.47) valdispit.ru hostikareg.ru (178.162.179.47) Autumn 2012 suduck.ru (37.59.50.89) 133import.ru (178.162.179.70) 02school33.ru (178.162.179.70)
Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
Festi: C&C panel (2010)
Who is behind the Festi botnet?
http://krebsonsecurity.com/2012/06/who-is-the-festi-botmaster/
Festi: Analysis
Simple dropper used by third party PPI service PPI service Load PPI dropper Run Festi dropper
Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
Festi: Entry Point Call Graph
Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
Festi: Self-Defense
Festi: Self-Defense Features  The bot implements rootkit functionality:  hides its kernel-mode driver  hides its kernel-mode driver registry key  conceals its network communication  The bot protects its kernel-mode driver and corresponding registry entry from removal  The bot detects VMWare virtual environment and debuggers
Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Registry  Splicing ZwEnumerateKey system routine  Registering for receiving Shutdown notifications to restore the registry.
Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
Festi: Network Communication
Festi: Network Interface Architecture  Festi relies on custom implementation of network sockets in kernel mode:  provides encrypted tunnel with C&C servers  bypasses personal firewalls and HIPS systems  provides unified network interface for the plugins  Bypassing personal firewalls & HIPS:  Employs custom implementation of ZwCreateFile system routine to access DeviceTcp and DeviceUdp devices  bypasses device filters in tcpip.sys driver stack
Festi: Custom Implementation of ZwCreateFile Execute ObCreateObject to create file object Initialize security attributes of created file object Execute ObInsertObject to insert created file object into FILE_OBJECT type list Create IRP request with MajorFunction code set to IRP_MJ_CREATE Send created IRP request directly to tcpip.sys driver
Festi: Bypassing Filters in Tcpip.sys driver stack IRP IRP original Festi Attached Filter Attached Filter driver forward device #N driver #N device #N #N ... ... ... Attached Filter Attached Filter driver forward device #1 driver #1 device #1 #1 DeviceTcp DeviceTcp Tcpip.sys Tcpip.sys dispatch or or driver dispatch driver DeviceUdp DeviceUdp
Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
Festi: Communication Protocol Work Phase  The communication protocol with C&C consists of 2 stages:  initialization – resolving C&C domain name  work phase – downloading plugins & tasks  Initialization stage:  the bot manually resolves C&C domain name using Google DNS servers: 8.8.8.8 and 8.8.4.4
Festi: Communication Protocol  The message to C&C consists of:  Message header:  message header  the bot version  plugin specific data  presence of debugger  Presence of VMWare  System information  Plugin specific data:  tag – 16 bit integer  value – word, dword, null- terminated string, etc.
Festi: Plugin Interface
Festi: Plugins  Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive  The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
Festi: Loading of Plugins Decompress plugin Map plugin image into system address space Initialize IAT and apply relocations to mapped image Get exported routines: CreateModule & DeleteModule Execute CreateModule routine Unmap plugin image Get plugin ID & version info Register plugin by ID
Festi: Plugin Activities
Festi: DDoS Plugin (BotDos.dll)  Supports four types of DDoS attacks:  TCP flood  UDP flood  DNS flood  HTTP flood
Festi: SOCKS Plugin (BotSocks.dll) Support two types of proxy service:  SOCKS over TCP  SOCKS over UDP
Festi: Spam Plugin
Festi: Spam Plugin (BotSpam.dll)
Festi: Spam Plugin (BotSpam.dll)
Festi: Spam Plugin (BotSpam.dll)
Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
Conclusion  Festi is one of the most powerful botnets for sending spam and performing DDoS attacks  Design principles and implementation features of the bot:  allow it to counteract security software  harden tracking of the botnet  make it relatively easy to derive the bot implementations for other platforms
Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov

Recommandé

How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimerDoug Koster
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtFelipe Prado
 
Jnode
JnodeJnode
JnodeRaul Espinola
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 

Recommandé

How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimerDoug Koster
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtFelipe Prado
 
Jnode
JnodeJnode
JnodeRaul Espinola
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwarePositive Hack Days
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Android Multimedia Support
Android Multimedia SupportAndroid Multimedia Support
Android Multimedia SupportJussi Pohjolainen
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesIgor Korkin
 
Android Audio System
Android Audio SystemAndroid Audio System
Android Audio SystemYi-Hsiang Huang
 
Secure boot general
Secure boot generalSecure boot general
Secure boot generalPrabhu Swamy
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
42054960
4205496042054960
42054960andres castillo
 

Contenu connexe

Tendances

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwarePositive Hack Days
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesIgor Korkin
 
Secure boot general
Secure boot generalSecure boot general
Secure boot generalPrabhu Swamy
 

Tendances (13)

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
Android Multimedia Support
Android Multimedia SupportAndroid Multimedia Support
Android Multimedia Support
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
 
Android Audio System
Android Audio SystemAndroid Audio System
Android Audio System
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
 

En vedette

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIAleksey Lukatskiy
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 

En vedette (15)

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Similaire à Festi botnet analysis and investigation

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...DefconRussia
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...DefconRussia
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memorysecurityxploded
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012Nouh Walid
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionveerababu penugonda(Mr-IoT)
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisChetan Ganatra
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 

Similaire à Festi botnet analysis and investigation (20)

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Hunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memoryHunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memory
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 

Dernier

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Dernier (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Festi botnet analysis and investigation

  • 1. Festi Botnet Analysis & Investigation Aleksandr Matrosov Eugene Rodionov
  • 2. Outline of The Presentation  Investigation  The purpose of the botnet  C&C migration  Who is behind the botnet?  Analysis  Implementation details  The bot Architecture  components, interfaces, plugins, etc.  Self-defense  The botnet’s activities:  Spam, DDoS, Proxy.
  • 5. Festi: C&C migration Beginning 2012 Autumn 2011 muduck.ru (173.212.248.51) vilturt.ru C&C migration moduck.ru (173.212.248.51) pyatochek.ru reghostin.ru (178.162.179.47) valdispit.ru hostikareg.ru (178.162.179.47) Autumn 2012 suduck.ru (37.59.50.89) 133import.ru (178.162.179.70) 02school33.ru (178.162.179.70)
  • 6. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 8. Who is behind the Festi botnet?
  • 11. Simple dropper used by third party PPI service PPI service Load PPI dropper Run Festi dropper
  • 12. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 13. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 14. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 15. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 16. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 17. Festi: Entry Point Call Graph
  • 18. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
  • 20. Festi: Self-Defense Features  The bot implements rootkit functionality:  hides its kernel-mode driver  hides its kernel-mode driver registry key  conceals its network communication  The bot protects its kernel-mode driver and corresponding registry entry from removal  The bot detects VMWare virtual environment and debuggers
  • 21. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 22. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 23. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 24. Festi: Protecting Registry  Splicing ZwEnumerateKey system routine  Registering for receiving Shutdown notifications to restore the registry.
  • 25. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 26. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 27. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 28. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 30. Festi: Network Interface Architecture  Festi relies on custom implementation of network sockets in kernel mode:  provides encrypted tunnel with C&C servers  bypasses personal firewalls and HIPS systems  provides unified network interface for the plugins  Bypassing personal firewalls & HIPS:  Employs custom implementation of ZwCreateFile system routine to access DeviceTcp and DeviceUdp devices  bypasses device filters in tcpip.sys driver stack
  • 31. Festi: Custom Implementation of ZwCreateFile Execute ObCreateObject to create file object Initialize security attributes of created file object Execute ObInsertObject to insert created file object into FILE_OBJECT type list Create IRP request with MajorFunction code set to IRP_MJ_CREATE Send created IRP request directly to tcpip.sys driver
  • 32. Festi: Bypassing Filters in Tcpip.sys driver stack IRP IRP original Festi Attached Filter Attached Filter driver forward device #N driver #N device #N #N ... ... ... Attached Filter Attached Filter driver forward device #1 driver #1 device #1 #1 DeviceTcp DeviceTcp Tcpip.sys Tcpip.sys dispatch or or driver dispatch driver DeviceUdp DeviceUdp
  • 33. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 34. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 35. Festi: Communication Protocol Work Phase  The communication protocol with C&C consists of 2 stages:  initialization – resolving C&C domain name  work phase – downloading plugins & tasks  Initialization stage:  the bot manually resolves C&C domain name using Google DNS servers: 8.8.8.8 and 8.8.4.4
  • 36. Festi: Communication Protocol  The message to C&C consists of:  Message header:  message header  the bot version  plugin specific data  presence of debugger  Presence of VMWare  System information  Plugin specific data:  tag – 16 bit integer  value – word, dword, null- terminated string, etc.
  • 38. Festi: Plugins  Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive  The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
  • 39. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
  • 40. Festi: Loading of Plugins Decompress plugin Map plugin image into system address space Initialize IAT and apply relocations to mapped image Get exported routines: CreateModule & DeleteModule Execute CreateModule routine Unmap plugin image Get plugin ID & version info Register plugin by ID
  • 42. Festi: DDoS Plugin (BotDos.dll)  Supports four types of DDoS attacks:  TCP flood  UDP flood  DNS flood  HTTP flood
  • 43. Festi: SOCKS Plugin (BotSocks.dll) Support two types of proxy service:  SOCKS over TCP  SOCKS over UDP
  • 45. Festi: Spam Plugin (BotSpam.dll)
  • 46. Festi: Spam Plugin (BotSpam.dll)
  • 47. Festi: Spam Plugin (BotSpam.dll)
  • 48. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 49. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 50. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 51. Conclusion  Festi is one of the most powerful botnets for sending spam and performing DDoS attacks  Design principles and implementation features of the bot:  allow it to counteract security software  harden tracking of the botnet  make it relatively easy to derive the bot implementations for other platforms
  • 52.
  • 53. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov