SlideShare a Scribd company logo
1 of 53
Download to read offline
Festi Botnet Analysis & Investigation


   Aleksandr Matrosov
   Eugene Rodionov
Outline of The Presentation

 Investigation
    The purpose of the botnet
    C&C migration
    Who is behind the botnet?

 Analysis
    Implementation details
    The bot Architecture
       components, interfaces, plugins, etc.
    Self-defense

 The botnet’s activities:
    Spam, DDoS, Proxy.
Festi: Investigation
Festi: Statistics
Festi: C&C migration

                                                        Beginning 2012
 Autumn 2011
                                                muduck.ru (173.212.248.51)
vilturt.ru             C&C migration            moduck.ru (173.212.248.51)
pyatochek.ru                                    reghostin.ru (178.162.179.47)
valdispit.ru                                    hostikareg.ru (178.162.179.47)




                         Autumn 2012

               suduck.ru (37.59.50.89)
               133import.ru (178.162.179.70)
               02school33.ru (178.162.179.70)
Festi: C&C Domain Names
 There are two domain names in .config section:
   primary C&C server
   reserved C&C server

 If neither of these are available Festi employs DGA:
   DGA takes as input current day/month/year and bot version_info

                  Date         Festi_v1          Festi_v2
              07/11/2012   fzcbihskf.com   hjbfherjhff.com
              08/11/2012   pzcaihszf.com   jjbjherchff.com
              09/11/2012   dzcxifsff.com   xjbnhcrwhff.com
              10/11/2012   azcgnfsmf.com   ljbnqcrnhff.com
              11/11/2012   bzcfnfsif.com   fjblqcrmhff.com
Festi: C&C panel (2010)
Who is behind the Festi botnet?
http://krebsonsecurity.com/2012/06/who-is-the-festi-botmaster/
Festi: Analysis
Simple dropper used by third party PPI service


   PPI service




Load PPI dropper




Run Festi dropper
Main Festi Functionality store in kernel mode
     Win32/Festi
      Dropper


               Install kernel-mode
                       driver
                                                                              user-mode

                                                                              kernel-mode



                              Win32/Festi
                              kernel-mode
                                 driver

                                             Download plugins


                               Win32/Festi
     Win32/Festi
      Plugin 1                  Plugin 2            ...         Win32/Festi
                                                                 Plugin N
Main Festi Functionality store in kernel mode
     Win32/Festi
      Dropper


               Install kernel-mode
                       driver
                                                                              user-mode

                                                                              kernel-mode



                              Win32/Festi
                              kernel-mode
                                 driver

                                             Download plugins


                               Win32/Festi
     Win32/Festi
      Plugin 1                  Plugin 2            ...         Win32/Festi
                                                                 Plugin N
Festi: Configuration information
The bot’s configuration information is hardcoded into
the driver’s binary:




 This section contains encrypted information:
   URLs of C&C servers
   Key to encrypt data transmitted between the bot and C&C
   Bot version information and etc
Festi: Configuration information
The bot’s configuration information is hardcoded into
the driver’s binary:




 This section contains encrypted information:
   URLs of C&C servers
   Key to encrypt data transmitted between the bot and C&C
   Bot version information and etc
Festi: Configuration information
The bot’s configuration information is hardcoded into
the driver’s binary:




 This section contains encrypted information:
   URLs of C&C servers
   Key to encrypt data transmitted between the bot and C&C
   Bot version information and etc
Festi: Entry Point Call Graph
Festi: Architecture



                      Win32/Festi
     Win32/Festi                      Win32/Festi
                      C&C Protocol
   Plugin Manager                    Network Socket
                        Parser




                      Win32/Festi
                       Memory
                       Manager
Festi: Self-Defense
Festi: Self-Defense Features

 The bot implements rootkit functionality:
   hides its kernel-mode driver
   hides its kernel-mode driver registry key
   conceals its network communication

 The bot protects its kernel-mode driver and corresponding
  registry entry from removal

 The bot detects VMWare virtual environment and debuggers
Festi: Protecting Kernel-Mode Driver

 Hooking Systemroot

             Festi                Filter          File system
             driver             driver #1            driver


           Malicious
            device
                          ...   Attached
                                device #1
                                                  Systemroot

                       hook             forward          dispatch

    IRP                   ...
 Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Kernel-Mode Driver

 Hooking Systemroot

             Festi                Filter          File system
             driver             driver #1            driver


           Malicious
            device
                          ...   Attached
                                device #1
                                                  Systemroot

                       hook             forward          dispatch

    IRP                   ...
 Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Kernel-Mode Driver

 Hooking Systemroot

             Festi                Filter          File system
             driver             driver #1            driver


           Malicious
            device
                          ...   Attached
                                device #1
                                                  Systemroot

                       hook             forward          dispatch

    IRP                   ...
 Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Registry
 Splicing ZwEnumerateKey system routine




 Registering for receiving Shutdown notifications to restore the
  registry.
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Network Communication
Festi: Network Interface Architecture

 Festi relies on custom implementation of network sockets in
  kernel mode:
   provides encrypted tunnel with C&C servers
   bypasses personal firewalls and HIPS systems
   provides unified network interface for the plugins

 Bypassing personal firewalls & HIPS:
   Employs custom implementation of ZwCreateFile system routine to
    access DeviceTcp and DeviceUdp devices
   bypasses device filters in tcpip.sys driver stack
Festi: Custom Implementation of ZwCreateFile
                  Execute ObCreateObject to
                       create file object


                  Initialize security attributes
                      of created file object


                Execute ObInsertObject to insert
              created file object into FILE_OBJECT
                             type list


                   Create IRP request with
                  MajorFunction code set to
                      IRP_MJ_CREATE



              Send created IRP request directly to
                        tcpip.sys driver
Festi: Bypassing Filters in Tcpip.sys driver stack
           IRP                                   IRP
                        original                                        Festi


                  Attached           Filter                Attached             Filter driver
     forward
                  device #N        driver #N               device #N                 #N
        ...

                  ...




                                                           ...
                  Attached           Filter                Attached             Filter driver
      forward     device #1        driver #1               device #1                 #1



                 DeviceTcp                              DeviceTcp
                                   Tcpip.sys                                     Tcpip.sys
      dispatch        or                                       or
                                    driver     dispatch                           driver
                 DeviceUdp                              DeviceUdp
Festi: C&C Domain Names
 There are two domain names in .config section:
   primary C&C server
   reserved C&C server

 If neither of these are available Festi employs DGA:
   DGA takes as input current day/month/year and bot version_info

                  Date         Festi_v1          Festi_v2
              07/11/2012   fzcbihskf.com   hjbfherjhff.com
              08/11/2012   pzcaihszf.com   jjbjherchff.com
              09/11/2012   dzcxifsff.com   xjbnhcrwhff.com
              10/11/2012   azcgnfsmf.com   ljbnqcrnhff.com
              11/11/2012   bzcfnfsif.com   fjblqcrmhff.com
Festi: C&C Domain Names
 There are two domain names in .config section:
   primary C&C server
   reserved C&C server

 If neither of these are available Festi employs DGA:
   DGA takes as input current day/month/year and bot version_info

                  Date         Festi_v1          Festi_v2
              07/11/2012   fzcbihskf.com   hjbfherjhff.com
              08/11/2012   pzcaihszf.com   jjbjherchff.com
              09/11/2012   dzcxifsff.com   xjbnhcrwhff.com
              10/11/2012   azcgnfsmf.com   ljbnqcrnhff.com
              11/11/2012   bzcfnfsif.com   fjblqcrmhff.com
Festi: Communication Protocol Work Phase


 The communication protocol with C&C consists of 2 stages:
   initialization – resolving C&C domain name
   work phase – downloading plugins & tasks



 Initialization stage:
   the bot manually resolves C&C domain name using Google DNS
    servers: 8.8.8.8 and 8.8.4.4
Festi: Communication Protocol

 The message to C&C consists of:    Message header:
   message header                     the bot version
   plugin specific data               presence of debugger
                                       Presence of VMWare
                                       System information
 Plugin specific data:
   tag – 16 bit integer
   value – word, dword, null-
    terminated string, etc.
Festi: Plugin Interface
Festi: Plugins

 Festi plugins are volatile modules in kernel-mode address space:
   downloaded each time the bot is activated
   never stored on the hard drive

 The plugins are capable of:
   sending spam – BotSpam.dll
   performing DDoS attacks – BotDoS.dll
   providing proxy service – BotSocks.dll
Festi: Plugin Interface


         Array of pointers
            to plugins
                                     Plugin 1
              Plugin1        struct PLUGIN_INTERFACE
                                     Plugin 2
              Plugin2        struct PLUGIN_INTERFACE
                                     Plugin 3
              Plugin3        struct PLUGIN_INTERFACE

                ...
                                     Plugin N
              PluginN        struct PLUGIN_INTERFACE
Festi: Loading of Plugins
                                Decompress
                                   plugin

                            Map plugin image into
                            system address space

                           Initialize IAT and apply
                       relocations to mapped image

                          Get exported routines:
                      CreateModule & DeleteModule


                                  Execute
                               CreateModule
                                  routine

       Unmap plugin image                     Get plugin ID & version info


                                                    Register plugin by ID
Festi: Plugin Activities
Festi: DDoS Plugin (BotDos.dll)
 Supports four types of DDoS attacks:
  TCP flood
  UDP flood
  DNS flood
  HTTP flood
Festi: SOCKS Plugin (BotSocks.dll)
Support two types of proxy service:
 SOCKS over TCP
 SOCKS over UDP
Festi: Spam Plugin
Festi: Spam Plugin (BotSpam.dll)
Festi: Spam Plugin (BotSpam.dll)
Festi: Spam Plugin (BotSpam.dll)
Festi: Obtaining Spam Information

Festi                                                       Festi
 bot                                                        C&C
                 initiate encrypted connection
 1

            email-list         sender-parameters             2


                   spam-templates               smpt-list    3

                         start spam send
 4

                                  update-list                5
Festi: Obtaining Spam Information

Festi                                                       Festi
 bot                                                        C&C
                 initiate encrypted connection
 1

            email-list         sender-parameters             2


                   spam-templates               smpt-list    3

                         start spam send
 4

                                  update-list                5
Festi: Obtaining Spam Information

Festi                                                       Festi
 bot                                                        C&C
                 initiate encrypted connection
 1

            email-list         sender-parameters             2


                   spam-templates               smpt-list    3

                         start spam send
 4

                                  update-list                5
Conclusion

 Festi is one of the most powerful botnets for sending spam and
  performing DDoS attacks


 Design principles and implementation features of the bot:
    allow it to counteract security software
    harden tracking of the botnet
    make it relatively easy to derive the bot implementations for other
     platforms
Thank you for your attention!



Eugene Rodionov         Aleksandr Matrosov
rodionov@eset.sk        matrosov@eset.sk
@vxradius               @matrosov

More Related Content

What's hot

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Positive Hack Days
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 

What's hot (13)

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
Android Multimedia Support
Android Multimedia SupportAndroid Multimedia Support
Android Multimedia Support
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
 
Android Audio System
Android Audio SystemAndroid Audio System
Android Audio System
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
 

Viewers also liked

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 

Viewers also liked (15)

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Similar to Festi botnet analysis and investigation

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
DefconRussia
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 

Similar to Festi botnet analysis and investigation (20)

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Hunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memoryHunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memory
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012
 
Beginners guide on how to start exploring IoT 2nd session
Beginners  guide on how to start exploring IoT 2nd sessionBeginners  guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
Overkill Security
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi Daparthi
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 

Festi botnet analysis and investigation

  • 1. Festi Botnet Analysis & Investigation Aleksandr Matrosov Eugene Rodionov
  • 2. Outline of The Presentation  Investigation  The purpose of the botnet  C&C migration  Who is behind the botnet?  Analysis  Implementation details  The bot Architecture  components, interfaces, plugins, etc.  Self-defense  The botnet’s activities:  Spam, DDoS, Proxy.
  • 5. Festi: C&C migration Beginning 2012 Autumn 2011 muduck.ru (173.212.248.51) vilturt.ru C&C migration moduck.ru (173.212.248.51) pyatochek.ru reghostin.ru (178.162.179.47) valdispit.ru hostikareg.ru (178.162.179.47) Autumn 2012 suduck.ru (37.59.50.89) 133import.ru (178.162.179.70) 02school33.ru (178.162.179.70)
  • 6. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 8. Who is behind the Festi botnet?
  • 11. Simple dropper used by third party PPI service PPI service Load PPI dropper Run Festi dropper
  • 12. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 13. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 14. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 15. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 16. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 17. Festi: Entry Point Call Graph
  • 18. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
  • 20. Festi: Self-Defense Features  The bot implements rootkit functionality:  hides its kernel-mode driver  hides its kernel-mode driver registry key  conceals its network communication  The bot protects its kernel-mode driver and corresponding registry entry from removal  The bot detects VMWare virtual environment and debuggers
  • 21. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 22. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 23. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 24. Festi: Protecting Registry  Splicing ZwEnumerateKey system routine  Registering for receiving Shutdown notifications to restore the registry.
  • 25. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 26. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 27. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 28. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 30. Festi: Network Interface Architecture  Festi relies on custom implementation of network sockets in kernel mode:  provides encrypted tunnel with C&C servers  bypasses personal firewalls and HIPS systems  provides unified network interface for the plugins  Bypassing personal firewalls & HIPS:  Employs custom implementation of ZwCreateFile system routine to access DeviceTcp and DeviceUdp devices  bypasses device filters in tcpip.sys driver stack
  • 31. Festi: Custom Implementation of ZwCreateFile Execute ObCreateObject to create file object Initialize security attributes of created file object Execute ObInsertObject to insert created file object into FILE_OBJECT type list Create IRP request with MajorFunction code set to IRP_MJ_CREATE Send created IRP request directly to tcpip.sys driver
  • 32. Festi: Bypassing Filters in Tcpip.sys driver stack IRP IRP original Festi Attached Filter Attached Filter driver forward device #N driver #N device #N #N ... ... ... Attached Filter Attached Filter driver forward device #1 driver #1 device #1 #1 DeviceTcp DeviceTcp Tcpip.sys Tcpip.sys dispatch or or driver dispatch driver DeviceUdp DeviceUdp
  • 33. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 34. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 35. Festi: Communication Protocol Work Phase  The communication protocol with C&C consists of 2 stages:  initialization – resolving C&C domain name  work phase – downloading plugins & tasks  Initialization stage:  the bot manually resolves C&C domain name using Google DNS servers: 8.8.8.8 and 8.8.4.4
  • 36. Festi: Communication Protocol  The message to C&C consists of:  Message header:  message header  the bot version  plugin specific data  presence of debugger  Presence of VMWare  System information  Plugin specific data:  tag – 16 bit integer  value – word, dword, null- terminated string, etc.
  • 38. Festi: Plugins  Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive  The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
  • 39. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
  • 40. Festi: Loading of Plugins Decompress plugin Map plugin image into system address space Initialize IAT and apply relocations to mapped image Get exported routines: CreateModule & DeleteModule Execute CreateModule routine Unmap plugin image Get plugin ID & version info Register plugin by ID
  • 42. Festi: DDoS Plugin (BotDos.dll)  Supports four types of DDoS attacks:  TCP flood  UDP flood  DNS flood  HTTP flood
  • 43. Festi: SOCKS Plugin (BotSocks.dll) Support two types of proxy service:  SOCKS over TCP  SOCKS over UDP
  • 45. Festi: Spam Plugin (BotSpam.dll)
  • 46. Festi: Spam Plugin (BotSpam.dll)
  • 47. Festi: Spam Plugin (BotSpam.dll)
  • 48. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 49. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 50. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 51. Conclusion  Festi is one of the most powerful botnets for sending spam and performing DDoS attacks  Design principles and implementation features of the bot:  allow it to counteract security software  harden tracking of the botnet  make it relatively easy to derive the bot implementations for other platforms
  • 52.
  • 53. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov