Festi

Festi is a rootkit and a botnet, also known by the alias Spamnost, that is mostly involved in email spam and denial-of-service attacks. It runs on operating systems of the Windows family. Festi first came to the attention of antivirus vendors in the autumn of 2009. [1] [2] At that time the botnet was estimated to consist of roughly 25,000 infected machines with a capacity of roughly 2.5 billion spam emails a day. [3] [4] [5] Festi showed its greatest activity in 2011-2012. [6] [7] More recent estimates, dated August 2012, indicate that the botnet was sending spam from 250,000 unique IP addresses, a quarter of the one million IP addresses detected sending spam in total. [8] The main functionality of the Festi botnet is sending spam and carrying out cyberattacks such as distributed denial of service. [9]

Distribution Methods

Distribution is carried out through a pay-per-install (PPI) scheme. [10] To hinder antivirus detection, the loader is distributed in encrypted form, [10] which complicates signature-based detection.

Architecture

All of the information presented here about the architecture of the botnet was gathered from research by the antivirus company ESET. [10] [11] [12] The loader downloads and installs the bot, which is a kernel-mode driver that adds itself to the list of drivers launched together with the operating system. Only the part of the bot responsible for communicating with the command center and loading modules is stored on the hard disk. After starting, the bot periodically contacts the command center to receive its configuration, load modules, and obtain the jobs it must execute.

Modules

From research carried out by specialists of the antivirus company ESET, it is known that Festi has at least two modules. One is intended for sending spam (BotSpam.dll), the other for carrying out cyberattacks such as distributed denial of service (BotDoS.dll). The DDoS module supports the following attack types: TCP flood, UDP flood, DNS flood, HTTP(S) flood, and flooding with packets that carry a random protocol number.

An expert from Kaspersky Lab who researched the botnet concluded that there are more modules, but not all of them are used. The list includes a SOCKS server module (BotSocks.dll) supporting the TCP and UDP protocols, a module for remote viewing and control of the user's computer (BotRemote.dll), a module that searches the disk of the remote computer and the local area network to which it is connected (BotSearch.dll), and grabber modules for all browsers known at the time (BotGrabber.dll).

Modules are never saved to the hard disk, which makes their detection almost impossible.
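Since the modules leave no file on disk, one practical place to look for a spam module such as BotSpam.dll is the network: an infected workstation opens direct SMTP connections to many unrelated mail servers, while an ordinary workstation talks to one or two relays. The Python script below is an added example, not code from the article or from ESET's research. It scores each source host by the number of distinct TCP port 25 destinations it contacts inside a sliding time window. The flow records, the addresses (10.0.0.0/8 internal, TEST-NET ranges as mail servers), the 60 second window and the threshold of five destinations are all constructed assumptions, and the records are assumed to be sorted by timestamp.

```python
"""Flag internal hosts whose outbound SMTP fan-out looks like a spam bot.

The flow records below are constructed for this example and are assumed
to be sorted by timestamp. Each record is "timestamp src_ip dst_ip dst_port".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed data: 10.0.0.5 fans out to eight mail servers in fifteen seconds
# (bot-like), 10.0.0.25 is the site's own mail relay, 10.0.0.7 and 10.0.0.9 are
# ordinary hosts.
SAMPLE_FLOWS = """\
2012-08-20T10:00:00 10.0.0.7 10.0.0.25 25
2012-08-20T10:00:01 10.0.0.5 203.0.113.10 25
2012-08-20T10:00:02 10.0.0.5 203.0.113.11 25
2012-08-20T10:00:03 10.0.0.7 203.0.113.50 443
2012-08-20T10:00:04 10.0.0.5 203.0.113.12 25
2012-08-20T10:00:05 10.0.0.5 203.0.113.13 25
2012-08-20T10:00:06 10.0.0.9 198.51.100.20 25
2012-08-20T10:00:07 10.0.0.5 198.51.100.30 25
2012-08-20T10:00:08 10.0.0.5 198.51.100.31 25
2012-08-20T10:00:09 10.0.0.25 203.0.113.60 25
2012-08-20T10:00:10 10.0.0.25 203.0.113.61 25
2012-08-20T10:00:11 10.0.0.25 203.0.113.62 25
2012-08-20T10:00:12 10.0.0.25 203.0.113.63 25
2012-08-20T10:00:13 10.0.0.25 203.0.113.64 25
2012-08-20T10:00:14 10.0.0.5 198.51.100.32 25
2012-08-20T10:00:15 10.0.0.5 198.51.100.33 25
2012-08-20T10:00:16 10.0.0.5 203.0.113.10 25
2012-08-20T10:02:30 10.0.0.9 198.51.100.21 25
2012-08-20T10:04:45 10.0.0.9 198.51.100.22 25
2012-08-20T10:05:00 10.0.0.7 10.0.0.25 25
"""


def parse_flow(line):
    """Split one record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_spam_bots(lines, window_seconds=60, threshold=5, allowlist=frozenset()):
    """Return {src_ip: peak distinct SMTP destinations} for every source that
    reached `threshold` distinct port-25 destinations inside one window.
    Known mail relays go in `allowlist` so they are not scored."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    peak = {}                    # src -> highest distinct-destination count observed
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port != 25 or src in allowlist:
            continue
        queue = recent[src]
        queue.append((ts, dst))
        while queue and ts - queue[0][0] > window:
            queue.popleft()  # drop flows that have aged out of the window
        distinct = len({dst for _, dst in queue})
        if distinct >= threshold and distinct > peak.get(src, 0):
            peak[src] = distinct
    return peak


if __name__ == "__main__":
    hits = detect_spam_bots(SAMPLE_FLOWS.splitlines(), allowlist={"10.0.0.25"})
    for src, count in hits.items():
        print(f"{src}: {count} distinct SMTP destinations within 60 s")
```

Run without the allowlist, the site's own relay 10.0.0.25 is scored as well, which is why legitimate mail servers must be listed before this heuristic is used as an alert; 10.0.0.9 contacts three mail servers but spread over five minutes, so it never reaches the threshold inside one window.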

Network Interaction

The bot uses a client-server model and implements its own network protocol for interaction with the command center, which is used to receive the botnet configuration, load modules, obtain jobs from the command center and notify it of their completion. The data is encoded, which hinders determining the contents of the network traffic.

Protection against Detection and Debugging

During installation the bot switches off the system firewall, hides its kernel-mode driver and the registry keys needed for its loading and operation, and protects itself and those registry keys from deletion. Network operations are performed at a low level, which allows the network filters of antivirus software to be bypassed easily. The bot watches for network filters and prevents their installation. It checks whether it is running under a virtual machine and, if so, stops its activity. Festi also periodically checks for the presence of a debugger and is able to remove breakpoints.
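A driver that hides its own service registry key from the running system still has to exist in the SYSTEM hive on disk, because the operating system reads that hive to load it at boot. The classic response is a cross-view check: enumerate the Services key through the live registry API, enumerate it again from an offline copy of the hive, and compare. The Python script below is an added example, not code from the article or from ESET's research. Both enumerations are constructed dictionaries; the service name xyzdrv is a placeholder, and the Type and Start values follow the documented Windows service constants. On a real system the live view would come from the registry API and the offline view from a parsed copy of the hive.

```python
"""Cross-view check for driver service keys hidden from the live registry.

Both views below are constructed for this example. On a real system the live
view would come from the registry API and the offline view from a parsed copy
of the SYSTEM hive taken while the suspect system is not running.
"""

# Documented Windows service constants (Type and Start values under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>).
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_BOOT_START = 0x0
SERVICE_SYSTEM_START = 0x1

# Constructed "live" enumeration: what a tool on the running system sees.
LIVE_VIEW = {
    "Disk": {"Type": 1, "Start": 0, "ImagePath": r"System32\drivers\disk.sys"},
    "Tcpip": {"Type": 1, "Start": 1, "ImagePath": r"System32\drivers\tcpip.sys"},
    "Spooler": {"Type": 0x10, "Start": 2,
                "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
}

# Constructed "offline" enumeration from a hive copy: one extra kernel driver
# ("xyzdrv" is a placeholder name) and a benign drift in Spooler's Start value.
OFFLINE_VIEW = {
    "Disk": dict(LIVE_VIEW["Disk"]),
    "Tcpip": dict(LIVE_VIEW["Tcpip"]),
    "Spooler": {**LIVE_VIEW["Spooler"], "Start": 3},
    "xyzdrv": {"Type": 1, "Start": 1, "ImagePath": r"System32\drivers\xyzdrv.sys"},
}


def compare_views(live, offline):
    """Return keys hidden from the live view, keys seen only live, and keys
    present in both views whose values disagree."""
    hidden = sorted(set(offline) - set(live))
    live_only = sorted(set(live) - set(offline))
    mismatched = {}
    for name in set(live) & set(offline):
        fields = set(live[name]) | set(offline[name])
        diffs = {f: (live[name].get(f), offline[name].get(f))
                 for f in sorted(fields)
                 if live[name].get(f) != offline[name].get(f)}
        if diffs:
            mismatched[name] = diffs
    return {"hidden": hidden, "live_only": live_only, "mismatched": mismatched}


def early_start_kernel_drivers(view):
    """Names of kernel drivers that load at boot or system start."""
    return sorted(name for name, values in view.items()
                  if values.get("Type") == SERVICE_KERNEL_DRIVER
                  and values.get("Start") in (SERVICE_BOOT_START, SERVICE_SYSTEM_START))


def triage(live, offline):
    """Combine both checks: a hidden key that is also an early-start kernel
    driver is the highest-priority finding."""
    report = compare_views(live, offline)
    early = set(early_start_kernel_drivers(offline))
    report["hidden_early_drivers"] = [n for n in report["hidden"] if n in early]
    return report


if __name__ == "__main__":
    for key, value in triage(LIVE_VIEW, OFFLINE_VIEW).items():
        print(f"{key}: {value}")
```

The mismatch on Spooler shows why the comparison needs human review: a hive copy taken earlier than the live enumeration will legitimately differ in a few values, whereas a boot- or system-start kernel driver that appears only in the offline view has no benign explanation.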

The Object-Oriented Approach to Development

Festi is built using object-oriented software development techniques, which strongly complicates research by reverse engineering and makes the bot easy to port to other operating systems.

Control

All control of the Festi botnet is implemented through a web interface and carried out via a browser.

Who Stands behind Festi

According to specialists of the antivirus company ESET, [12] the American journalist, blogger and information security expert Brian Krebs, [13] the American New York Times journalist Andrew Kramer, [14] and sources close to the Russian intelligence services, the architect and developer of the Festi botnet is the Russian hacker Igor Artimovich.

Conclusion

In conclusion, the Festi botnet was one of the most powerful botnets for sending spam and carrying out distributed denial of service attacks. The principles on which Festi is built maximize the bot's lifetime in the system and hinder its detection by antivirus software and network filters. The module mechanism allows the botnet's functionality to be extended in any direction by creating and loading the modules needed for a given purpose, and the object-oriented approach complicates research by reverse engineering and makes the bot portable to other operating systems through a clear separation between the functionality specific to a particular operating system and the rest of the bot's logic. Powerful countermeasures against detection and debugging make the Festi bot almost invisible and stealthy. The system of bindings and the use of backup command centers make it possible to restore control over the botnet after a command center changes. Festi is an atypical example of malicious software, as its authors approached its development extremely seriously. [15]


References

  1. Lewis, Daren (November 5, 2009). "Festi Botnet spins up to become one of the main spamming botnets". Symantec Connect.
  2. Kaplan, Dan (November 6, 2009). "Festi botnet appears". SC Magazine.
  3. Jackson Higgins, Kelly (November 6, 2009). "New Spamming Botnet On The Rise - Dark Reading". darkreading. Archived from the original on August 7, 2012. Retrieved December 15, 2013.
  4. Wattanajantra, Asavin (November 6, 2009). "'Festi' growing to become spambot heavyweight". ITPRO.
  5. "Botnet Festi Rising Tremendously". SPAMfighter. November 18, 2009.
  6. Kirk, Jeremy (August 16, 2012). "Spamhaus Declares Grum Botnet Dead, but Festi Surges". PC World.
  7. Kirk, Jeremy (August 17, 2012). "Spamhaus declares Grum botnet dead, but Festi surges". PC Advisor. Archived from the original on December 15, 2013. Retrieved December 4, 2013.
  8. Saarinen, Juha (Aug 20, 2012). "Festi botnet cranks up spam volumes". ITNews.
  9. "Festi botnet helps launch denial-of-service 'DDoS' attack". Stop Hackers. June 13, 2012.
  10. Matrosov, Aleksandr (May 11, 2012). "King of Spam: Festi botnet analysis". ESET.
  11. Rodionov, Eugene (2011). "Festi botnet analysis and investigation" (PDF). ESET. Archived from the original (PDF) on 2013-12-15.
  12. Matrosov, Aleksandr (November 12–14, 2012). "Festi Botnet Analysis & Investigation" (PDF). AVAR 2012. Archived from the original (PDF) on 2013-12-15.
  13. Krebs, Brian (June 12, 2012). "Who Is the 'Festi' Botmaster?". Krebs On Security.
  14. Kramer, Andrew (September 2, 2013). "Online Attack Leads to Peek Into Spam Den". The New York Times.
  15. "Festi: malicious and incorporeal". Xakep Magazine. September 2012.