Festi botnet analysis and investigation

1,474 views

Published on

The botnet Festi has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks. Festi is an interesting and untypical malware family implementing rootkit functionality with strong protection against reverse engineering and forensic analysis. It is capable of bypassing sandboxes and automated trackers using some advanced techniques such as inserting timestamps in its communication protocol, detecting virtual machines, and subverting personal firewalls and HIPS systems.
The bot consists of two parts: the dropper, and the main module, the kernel‐mode driver, which is detected by ESET as Win32/Rootkit.Festi. The malware's kernel-mode driver implements backdoor functionality and is capable of:
- Updating configuration data from the C&C (command and control server);
- Downloading additional dedicated plugins.
In our presentation we will concentrate on the latest Festi botnet update from June 2012 and offer comprehensive information gleaned from our investigations, furnishing details on developers of the botnet and reverse engineering of the bot’s main components – the kernel-mode driver and the plugins (DDoS, Spam). The presentation starts with a description of our investigation and an account of how the Festi botnet evolved over time. We will present a binary analysis kernel-mode driver and downloaded plugins – volatile kernel-mode modules which aren’t saved on any storage device in the system, but in memory, making forensic analysis of the malware significantly more difficult. The presentation also covers such aspects of Festi as its ability to bypass personal firewalls and HIPS systems that may be installed on the infected machine. We will give details of the Festi network communication protocol architecture, based on using the TCP/IP stack implementation in the Microsoft Windows Operating System to communicate with C&C servers, send spam and perform DDoS attacks. And finally, we will describe several self-protective features and techniques of the botnet communication protocol used to bypass sandboxes and trackers.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,474
On SlideShare
0
From Embeds
0
Number of Embeds
281
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Festi botnet analysis and investigation

  1. 1. Festi Botnet Analysis & Investigation Aleksandr Matrosov Eugene Rodionov
  2. 2. Outline of The Presentation Investigation  The purpose of the botnet  C&C migration  Who is behind the botnet? Analysis  Implementation details  The bot Architecture  components, interfaces, plugins, etc.  Self-defense The botnet’s activities:  Spam, DDoS, Proxy.
  3. 3. Festi: Investigation
  4. 4. Festi: Statistics
  5. 5. Festi: C&C migration Beginning 2012 Autumn 2011 muduck.ru (173.212.248.51)vilturt.ru C&C migration moduck.ru (173.212.248.51)pyatochek.ru reghostin.ru (178.162.179.47)valdispit.ru hostikareg.ru (178.162.179.47) Autumn 2012 suduck.ru (37.59.50.89) 133import.ru (178.162.179.70) 02school33.ru (178.162.179.70)
  6. 6. Festi: C&C Domain Names There are two domain names in .config section:  primary C&C server  reserved C&C server If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  7. 7. Festi: C&C panel (2010)
  8. 8. Who is behind the Festi botnet?
  9. 9. http://krebsonsecurity.com/2012/06/who-is-the-festi-botmaster/
  10. 10. Festi: Analysis
  11. 11. Simple dropper used by third party PPI service PPI serviceLoad PPI dropperRun Festi dropper
  12. 12. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  13. 13. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  14. 14. Festi: Configuration informationThe bot’s configuration information is hardcoded intothe driver’s binary: This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  15. 15. Festi: Configuration informationThe bot’s configuration information is hardcoded intothe driver’s binary: This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  16. 16. Festi: Configuration informationThe bot’s configuration information is hardcoded intothe driver’s binary: This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  17. 17. Festi: Entry Point Call Graph
  18. 18. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
  19. 19. Festi: Self-Defense
  20. 20. Festi: Self-Defense Features The bot implements rootkit functionality:  hides its kernel-mode driver  hides its kernel-mode driver registry key  conceals its network communication The bot protects its kernel-mode driver and corresponding registry entry from removal The bot detects VMWare virtual environment and debuggers
  21. 21. Festi: Protecting Kernel-Mode Driver Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ... Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  22. 22. Festi: Protecting Kernel-Mode Driver Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ... Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  23. 23. Festi: Protecting Kernel-Mode Driver Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ... Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  24. 24. Festi: Protecting Registry Splicing ZwEnumerateKey system routine Registering for receiving Shutdown notifications to restore the registry.
  25. 25. Festi: Anti-Debugging & VM Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3 Detecting WinPcap:  looking for driver npf.sys (network packet filter) Detecting VMWare virtual environment:  using documented feature “get version”
  26. 26. Festi: Anti-Debugging & VM Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3 Detecting WinPcap:  looking for driver npf.sys (network packet filter) Detecting VMWare virtual environment:  using documented feature “get version”
  27. 27. Festi: Anti-Debugging & VM Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3 Detecting WinPcap:  looking for driver npf.sys (network packet filter) Detecting VMWare virtual environment:  using documented feature “get version”
  28. 28. Festi: Anti-Debugging & VM Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3 Detecting WinPcap:  looking for driver npf.sys (network packet filter) Detecting VMWare virtual environment:  using documented feature “get version”
  29. 29. Festi: Network Communication
  30. 30. Festi: Network Interface Architecture Festi relies on custom implementation of network sockets in kernel mode:  provides encrypted tunnel with C&C servers  bypasses personal firewalls and HIPS systems  provides unified network interface for the plugins Bypassing personal firewalls & HIPS:  Employs custom implementation of ZwCreateFile system routine to access DeviceTcp and DeviceUdp devices  bypasses device filters in tcpip.sys driver stack
  31. 31. Festi: Custom Implementation of ZwCreateFile Execute ObCreateObject to create file object Initialize security attributes of created file object Execute ObInsertObject to insert created file object into FILE_OBJECT type list Create IRP request with MajorFunction code set to IRP_MJ_CREATE Send created IRP request directly to tcpip.sys driver
  32. 32. Festi: Bypassing Filters in Tcpip.sys driver stack IRP IRP original Festi Attached Filter Attached Filter driver forward device #N driver #N device #N #N ... ... ... Attached Filter Attached Filter driver forward device #1 driver #1 device #1 #1 DeviceTcp DeviceTcp Tcpip.sys Tcpip.sys dispatch or or driver dispatch driver DeviceUdp DeviceUdp
  33. 33. Festi: C&C Domain Names There are two domain names in .config section:  primary C&C server  reserved C&C server If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  34. 34. Festi: C&C Domain Names There are two domain names in .config section:  primary C&C server  reserved C&C server If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  35. 35. Festi: Communication Protocol Work Phase The communication protocol with C&C consists of 2 stages:  initialization – resolving C&C domain name  work phase – downloading plugins & tasks Initialization stage:  the bot manually resolves C&C domain name using Google DNS servers: 8.8.8.8 and 8.8.4.4
  36. 36. Festi: Communication Protocol The message to C&C consists of:  Message header:  message header  the bot version  plugin specific data  presence of debugger  Presence of VMWare  System information Plugin specific data:  tag – 16 bit integer  value – word, dword, null- terminated string, etc.
  37. 37. Festi: Plugin Interface
  38. 38. Festi: Plugins Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
  39. 39. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
  40. 40. Festi: Loading of Plugins Decompress plugin Map plugin image into system address space Initialize IAT and apply relocations to mapped image Get exported routines: CreateModule & DeleteModule Execute CreateModule routine Unmap plugin image Get plugin ID & version info Register plugin by ID
  41. 41. Festi: Plugin Activities
  42. 42. Festi: DDoS Plugin (BotDos.dll) Supports four types of DDoS attacks:  TCP flood  UDP flood  DNS flood  HTTP flood
  43. 43. Festi: SOCKS Plugin (BotSocks.dll)Support two types of proxy service: SOCKS over TCP SOCKS over UDP
  44. 44. Festi: Spam Plugin
  45. 45. Festi: Spam Plugin (BotSpam.dll)
  46. 46. Festi: Spam Plugin (BotSpam.dll)
  47. 47. Festi: Spam Plugin (BotSpam.dll)
  48. 48. Festi: Obtaining Spam InformationFesti Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  49. 49. Festi: Obtaining Spam InformationFesti Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  50. 50. Festi: Obtaining Spam InformationFesti Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  51. 51. Conclusion Festi is one of the most powerful botnets for sending spam and performing DDoS attacks Design principles and implementation features of the bot:  allow it to counteract security software  harden tracking of the botnet  make it relatively easy to derive the bot implementations for other platforms
  52. 52. Thank you for your attention!Eugene Rodionov Aleksandr Matrosovrodionov@eset.sk matrosov@eset.sk@vxradius @matrosov

×