The botnet Festi has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks. Festi is an interesting and atypical malware family implementing rootkit functionality with strong protection against reverse engineering and forensic analysis. It is capable of bypassing sandboxes and automated trackers using advanced techniques such as inserting timestamps in its communication protocol, detecting virtual machines, and subverting personal firewalls and HIPS systems.
The bot consists of two parts: the dropper, and the main module, the kernel‐mode driver, which is detected by ESET as Win32/Rootkit.Festi. The malware's kernel-mode driver implements backdoor functionality and is capable of:
- Updating configuration data from the C&C (command and control server);
- Downloading additional dedicated plugins.
In our presentation we will concentrate on the latest Festi botnet update from June 2012 and offer comprehensive information gleaned from our investigations, furnishing details on the developers of the botnet and on the reverse engineering of the bot’s main components – the kernel-mode driver and the plugins (DDoS, Spam). The presentation starts with a description of our investigation and an account of how the Festi botnet evolved over time. We will present a binary analysis of the kernel-mode driver and of the downloaded plugins – volatile kernel-mode modules which are never written to any storage device in the system but exist only in memory, making forensic analysis of the malware significantly more difficult. The presentation also covers such aspects of Festi as its ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. We will give details of the Festi network communication protocol architecture, which uses the TCP/IP stack implementation of the Microsoft Windows operating system to communicate with C&C servers, send spam and perform DDoS attacks. Finally, we will describe several self-protective features and techniques of the botnet communication protocol used to bypass sandboxes and trackers.
2. Outline of the Presentation
- Investigation
  - The purpose of the botnet
  - C&C migration
  - Who is behind the botnet?
- Analysis
  - Implementation details
  - The bot architecture: components, interfaces, plugins, etc.
  - Self-defense
  - The botnet’s activities: spam, DDoS, proxy
6. Festi: C&C Domain Names
There are two domain names in the .config section:
- primary C&C server
- reserved C&C server
If neither of these is available, Festi employs a DGA. The DGA takes as input the current day/month/year and the bot's version_info:

Date        Festi_v1        Festi_v2
07/11/2012  fzcbihskf.com   hjbfherjhff.com
08/11/2012  pzcaihszf.com   jjbjherchff.com
09/11/2012  dzcxifsff.com   xjbnhcrwhff.com
10/11/2012  azcgnfsmf.com   ljbnqcrnhff.com
11/11/2012  bzcfnfsif.com   fjblqcrmhff.com
11. Simple dropper used by a third-party PPI service
PPI service -> Load PPI dropper -> Run Festi dropper
12. Main Festi functionality stored in kernel mode
user-mode:
- Win32/Festi dropper -> installs the kernel-mode driver
kernel-mode:
- Win32/Festi kernel-mode driver -> downloads plugins
- Win32/Festi Plugin 1, Win32/Festi Plugin 2, ..., Win32/Festi Plugin N
14. Festi: Configuration information
The bot’s configuration information is hardcoded into the driver’s binary. The .config section contains encrypted information:
- URLs of C&C servers
- key used to encrypt data transmitted between the bot and C&C
- bot version information, etc.
20. Festi: Self-Defense Features
The bot implements rootkit functionality:
- hides its kernel-mode driver
- hides its kernel-mode driver registry key
- conceals its network communication
The bot protects its kernel-mode driver and the corresponding registry entry from removal.
The bot detects the VMware virtual environment and debuggers.
30. Festi: Network Interface Architecture
Festi relies on a custom implementation of network sockets in kernel mode, which:
- provides an encrypted tunnel to the C&C servers
- bypasses personal firewalls and HIPS systems
- provides a unified network interface for the plugins
Bypassing personal firewalls & HIPS:
- employs a custom implementation of the ZwCreateFile system routine to access the \Device\Tcp and \Device\Udp devices
- bypasses device filters in the tcpip.sys driver stack
31. Festi: Custom Implementation of ZwCreateFile
The custom routine performs the following steps, in order:
- execute ObCreateObject to create a file object
- initialize the security attributes of the created file object
- execute ObInsertObject to insert the created file object into the FILE_OBJECT type list
- create an IRP request with the MajorFunction code set to IRP_MJ_CREATE
- send the created IRP request directly to the tcpip.sys driver
35. Festi: Communication Protocol Work Phase
The communication protocol with the C&C consists of 2 stages:
- initialization – resolving the C&C domain name
- work phase – downloading plugins & tasks
Initialization stage:
- the bot manually resolves the C&C domain name using the Google DNS servers 8.8.8.8 and 8.8.4.4
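The initialization stage above gives a network defender two observable signals: DNS queries sent straight to 8.8.8.8/8.8.4.4 instead of the local resolver, and queries for the daily DGA names listed on the C&C Domain Names slide. The following added example (not code from the talk or from ESET) runs both checks over a constructed log; the log line format and the approved internal resolver 10.0.0.53 are assumptions for this example.

```python
import re
from collections import defaultdict

# Domains from the talk's DGA table (Festi_v1 and Festi_v2 outputs for 07-11/11/2012)
FESTI_DGA_DOMAINS = {
    "fzcbihskf.com", "pzcaihszf.com", "dzcxifsff.com", "azcgnfsmf.com", "bzcfnfsif.com",
    "hjbfherjhff.com", "jjbjherchff.com", "xjbnhcrwhff.com", "ljbnqcrnhff.com", "fjblqcrmhff.com",
}
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}     # resolvers the bot contacts directly (from the talk)
APPROVED_RESOLVERS = {"10.0.0.53"}       # assumed internal resolver, constructed for this example

# Constructed log format (assumption): "<ts> <src_ip> -> <dst_ip>:53 query <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):53 query (\S+)$")

def analyse_dns_log(lines):
    """Return, per source host, the sorted findings that match Festi's DNS behaviour."""
    findings = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a DNS query record; ignore it
        _ts, src, dst, qname = m.groups()
        qname = qname.rstrip(".").lower()
        if dst not in APPROVED_RESOLVERS:
            note = "direct DNS to " + dst
            if dst in GOOGLE_DNS:
                note += " (Google DNS, bypassing the local resolver as Festi does)"
            findings[src].add(note)
        if qname in FESTI_DGA_DOMAINS:
            findings[src].add("queried Festi DGA domain " + qname)
    return {src: sorted(notes) for src, notes in findings.items()}

# Constructed sample log: one clean host and one host behaving like an infected machine
SAMPLE_LOG = [
    "2012-11-08T09:00:01 10.0.1.15 -> 10.0.0.53:53 query intranet.example.",
    "2012-11-08T09:00:02 10.0.1.22 -> 8.8.8.8:53 query pzcaihszf.com.",
    "2012-11-08T09:00:03 10.0.1.22 -> 8.8.4.4:53 query jjbjherchff.com.",
    "2012-11-08T09:00:04 10.0.1.15 -> 10.0.0.53:53 query www.example.",
]

if __name__ == "__main__":
    for host, notes in analyse_dns_log(SAMPLE_LOG).items():
        print(host, notes)
```

Only the host that talks to Google DNS and asks for the DGA names is reported; the clean host produces no finding.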
36. Festi: Communication Protocol
The message to the C&C consists of:
- message header
- plugin-specific data
Message header:
- the bot version
- presence of a debugger
- presence of VMware
- system information
Plugin-specific data:
- tag – 16-bit integer
- value – word, dword, null-terminated string, etc.
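The slide describes the shape of a bot-to-C&C message but not its exact wire layout. The added example below (not code from the talk or from ESET) parses a constructed message of that shape into its header fields and tag/value records and flags the case an analyst cares about most: the bot reporting to its C&C that it saw a debugger or VMware. Field widths, type codes and the sample bytes are assumptions made for this example.

```python
import struct

# Constructed wire layout, an assumption for this example: the talk only states that
# the message carries a header (bot version, debugger flag, VMware flag, system
# information) followed by tag/value records with a 16-bit tag and a word, dword
# or NUL-terminated string value. The field widths and type codes are invented.
HEADER_FMT = "<HBB"   # bot version (u16), debugger present (u8), VMware present (u8)
TYPE_WORD, TYPE_DWORD, TYPE_STRING = 1, 2, 3

def _cstring(data: bytes, off: int):
    """Read a NUL-terminated ASCII string at off; return (value, next offset)."""
    end = data.index(b"\x00", off)
    return data[off:end].decode("ascii"), end + 1

def parse_message(data: bytes) -> dict:
    """Split one bot-to-C&C message into its header fields and plugin records."""
    version, dbg, vm = struct.unpack_from(HEADER_FMT, data, 0)
    sysinfo, off = _cstring(data, struct.calcsize(HEADER_FMT))
    records = {}
    while off < len(data):
        tag, vtype = struct.unpack_from("<HB", data, off)
        off += 3
        if vtype == TYPE_WORD:
            val = struct.unpack_from("<H", data, off)[0]
            off += 2
        elif vtype == TYPE_DWORD:
            val = struct.unpack_from("<I", data, off)[0]
            off += 4
        elif vtype == TYPE_STRING:
            val, off = _cstring(data, off)
        else:
            raise ValueError(f"unknown value type {vtype} at offset {off - 1}")
        records[tag] = val
    return {"version": version, "debugger": bool(dbg), "vmware": bool(vm),
            "sysinfo": sysinfo, "records": records}

def analysis_environment_reported(msg: dict) -> bool:
    """True when the bot tells its C&C that a debugger or VMware was detected."""
    return msg["debugger"] or msg["vmware"]

# Constructed sample message (not a real capture): bot v2 running under VMware,
# no debugger, with three plugin records covering the three value kinds.
SAMPLE = (struct.pack(HEADER_FMT, 2, 0, 1) + b"Windows XP SP3\x00"
          + struct.pack("<HBH", 0x0001, TYPE_WORD, 0x0200)
          + struct.pack("<HBI", 0x0002, TYPE_DWORD, 0xDEADBEEF)
          + struct.pack("<HB", 0x0003, TYPE_STRING) + b"BotSpam.dll\x00")

if __name__ == "__main__":
    m = parse_message(SAMPLE)
    print(m, "analysis environment reported:", analysis_environment_reported(m))
```

A sandbox operator can use the two header flags as a quick check of whether the bot detected the instrumented environment before it stopped talking to the real C&C.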
38. Festi: Plugins
Festi plugins are volatile modules in the kernel-mode address space:
- downloaded each time the bot is activated
- never stored on the hard drive
The plugins are capable of:
- sending spam – BotSpam.dll
- performing DDoS attacks – BotDoS.dll
- providing a proxy service – BotSocks.dll
39. Festi: Plugin Interface
Array of pointers to plugins:
- Plugin 1 -> Plugin1 struct PLUGIN_INTERFACE
- Plugin 2 -> Plugin2 struct PLUGIN_INTERFACE
- Plugin 3 -> Plugin3 struct PLUGIN_INTERFACE
- ...
- Plugin N -> PluginN struct PLUGIN_INTERFACE
40. Festi: Loading of Plugins
- decompress the plugin
- map the plugin image into the system address space
- initialize the IAT and apply relocations to the mapped image
- get the exported routines CreateModule & DeleteModule
- execute the CreateModule routine
- get the plugin ID & version info
- register the plugin by ID
- unmap the plugin image (a separate branch of the loading flow)
51. Conclusion
- Festi is one of the most powerful botnets for sending spam and performing DDoS attacks
- Design principles and implementation features of the bot:
  - allow it to counteract security software
  - harden tracking of the botnet
  - make it relatively easy to derive bot implementations for other platforms
53. Thank you for your attention!
Eugene Rodionov (rodionov@eset.sk, @vxradius)
Aleksandr Matrosov (matrosov@eset.sk, @matrosov)