SlideShare a Scribd company logo
Festi Botnet Analysis & Investigation


   Aleksandr Matrosov
   Eugene Rodionov
Outline of The Presentation

 Investigation
    The purpose of the botnet
    C&C migration
    Who is behind the botnet?

 Analysis
    Implementation details
    The bot Architecture
       components, interfaces, plugins, etc.
    Self-defense

 The botnet’s activities:
    Spam, DDoS, Proxy.
Festi: Investigation
Festi: Statistics
Festi: C&C migration

                                                        Beginning 2012
 Autumn 2011
                                                muduck.ru (173.212.248.51)
vilturt.ru             C&C migration            moduck.ru (173.212.248.51)
pyatochek.ru                                    reghostin.ru (178.162.179.47)
valdispit.ru                                    hostikareg.ru (178.162.179.47)




                         Autumn 2012

               suduck.ru (37.59.50.89)
               133import.ru (178.162.179.70)
               02school33.ru (178.162.179.70)
Festi: C&C Domain Names
 There are two domain names in .config section:
   primary C&C server
   reserved C&C server

 If neither of these are available Festi employs DGA:
   DGA takes as input current day/month/year and bot version_info

                  Date         Festi_v1          Festi_v2
              07/11/2012   fzcbihskf.com   hjbfherjhff.com
              08/11/2012   pzcaihszf.com   jjbjherchff.com
              09/11/2012   dzcxifsff.com   xjbnhcrwhff.com
              10/11/2012   azcgnfsmf.com   ljbnqcrnhff.com
              11/11/2012   bzcfnfsif.com   fjblqcrmhff.com
Festi: C&C panel (2010)
Who is behind the Festi botnet?
http://krebsonsecurity.com/2012/06/who-is-the-festi-botmaster/
Festi: Analysis
Simple dropper used by third party PPI service


   PPI service




Load PPI dropper




Run Festi dropper
Main Festi Functionality store in kernel mode
     Win32/Festi
      Dropper


               Install kernel-mode
                       driver
                                                                              user-mode

                                                                              kernel-mode



                              Win32/Festi
                              kernel-mode
                                 driver

                                             Download plugins


                               Win32/Festi
     Win32/Festi
      Plugin 1                  Plugin 2            ...         Win32/Festi
                                                                 Plugin N
Main Festi Functionality store in kernel mode
     Win32/Festi
      Dropper


               Install kernel-mode
                       driver
                                                                              user-mode

                                                                              kernel-mode



                              Win32/Festi
                              kernel-mode
                                 driver

                                             Download plugins


                               Win32/Festi
     Win32/Festi
      Plugin 1                  Plugin 2            ...         Win32/Festi
                                                                 Plugin N
Festi: Configuration information
The bot’s configuration information is hardcoded into
the driver’s binary:




 This section contains encrypted information:
   URLs of C&C servers
   Key to encrypt data transmitted between the bot and C&C
   Bot version information and etc
Festi: Configuration information
The bot’s configuration information is hardcoded into
the driver’s binary:




 This section contains encrypted information:
   URLs of C&C servers
   Key to encrypt data transmitted between the bot and C&C
   Bot version information and etc
Festi: Configuration information
The bot’s configuration information is hardcoded into
the driver’s binary:




 This section contains encrypted information:
   URLs of C&C servers
   Key to encrypt data transmitted between the bot and C&C
   Bot version information and etc
Festi: Entry Point Call Graph
Festi: Architecture



                      Win32/Festi
     Win32/Festi                      Win32/Festi
                      C&C Protocol
   Plugin Manager                    Network Socket
                        Parser




                      Win32/Festi
                       Memory
                       Manager
Festi: Self-Defense
Festi: Self-Defense Features

 The bot implements rootkit functionality:
   hides its kernel-mode driver
   hides its kernel-mode driver registry key
   conceals its network communication

 The bot protects its kernel-mode driver and corresponding
  registry entry from removal

 The bot detects VMWare virtual environment and debuggers
Festi: Protecting Kernel-Mode Driver

 Hooking Systemroot

             Festi                Filter          File system
             driver             driver #1            driver


           Malicious
            device
                          ...   Attached
                                device #1
                                                  Systemroot

                       hook             forward          dispatch

    IRP                   ...
 Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Kernel-Mode Driver

 Hooking Systemroot

             Festi                Filter          File system
             driver             driver #1            driver


           Malicious
            device
                          ...   Attached
                                device #1
                                                  Systemroot

                       hook             forward          dispatch

    IRP                   ...
 Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Kernel-Mode Driver

 Hooking Systemroot

             Festi                Filter          File system
             driver             driver #1            driver


           Malicious
            device
                          ...   Attached
                                device #1
                                                  Systemroot

                       hook             forward          dispatch

    IRP                   ...
 Monitoring IRP_MJ_DIRECTORY_CONTROL request.
Festi: Protecting Registry
 Splicing ZwEnumerateKey system routine




 Registering for receiving Shutdown notifications to restore the
  registry.
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Anti-Debugging & VM


 Detecting & counteracting system debuggers:
   KdDebuggerEnabled
   overwriting debugging registers dr0-dr3

 Detecting WinPcap:
   looking for driver npf.sys (network packet filter)

 Detecting VMWare virtual environment:
   using documented feature “get version”
Festi: Network Communication
Festi: Network Interface Architecture

 Festi relies on custom implementation of network sockets in
  kernel mode:
   provides encrypted tunnel with C&C servers
   bypasses personal firewalls and HIPS systems
   provides unified network interface for the plugins

 Bypassing personal firewalls & HIPS:
   Employs custom implementation of ZwCreateFile system routine to
    access DeviceTcp and DeviceUdp devices
   bypasses device filters in tcpip.sys driver stack
Festi: Custom Implementation of ZwCreateFile
                  Execute ObCreateObject to
                       create file object


                  Initialize security attributes
                      of created file object


                Execute ObInsertObject to insert
              created file object into FILE_OBJECT
                             type list


                   Create IRP request with
                  MajorFunction code set to
                      IRP_MJ_CREATE



              Send created IRP request directly to
                        tcpip.sys driver
Festi: Bypassing Filters in Tcpip.sys driver stack
           IRP                                   IRP
                        original                                        Festi


                  Attached           Filter                Attached             Filter driver
     forward
                  device #N        driver #N               device #N                 #N
        ...

                  ...




                                                           ...
                  Attached           Filter                Attached             Filter driver
      forward     device #1        driver #1               device #1                 #1



                 DeviceTcp                              DeviceTcp
                                   Tcpip.sys                                     Tcpip.sys
      dispatch        or                                       or
                                    driver     dispatch                           driver
                 DeviceUdp                              DeviceUdp
Festi: C&C Domain Names
 There are two domain names in .config section:
   primary C&C server
   reserved C&C server

 If neither of these are available Festi employs DGA:
   DGA takes as input current day/month/year and bot version_info

                  Date         Festi_v1          Festi_v2
              07/11/2012   fzcbihskf.com   hjbfherjhff.com
              08/11/2012   pzcaihszf.com   jjbjherchff.com
              09/11/2012   dzcxifsff.com   xjbnhcrwhff.com
              10/11/2012   azcgnfsmf.com   ljbnqcrnhff.com
              11/11/2012   bzcfnfsif.com   fjblqcrmhff.com
Festi: C&C Domain Names
 There are two domain names in .config section:
   primary C&C server
   reserved C&C server

 If neither of these are available Festi employs DGA:
   DGA takes as input current day/month/year and bot version_info

                  Date         Festi_v1          Festi_v2
              07/11/2012   fzcbihskf.com   hjbfherjhff.com
              08/11/2012   pzcaihszf.com   jjbjherchff.com
              09/11/2012   dzcxifsff.com   xjbnhcrwhff.com
              10/11/2012   azcgnfsmf.com   ljbnqcrnhff.com
              11/11/2012   bzcfnfsif.com   fjblqcrmhff.com
Festi: Communication Protocol Work Phase


 The communication protocol with C&C consists of 2 stages:
   initialization – resolving C&C domain name
   work phase – downloading plugins & tasks



 Initialization stage:
   the bot manually resolves C&C domain name using Google DNS
    servers: 8.8.8.8 and 8.8.4.4
Festi: Communication Protocol

 The message to C&C consists of:    Message header:
   message header                     the bot version
   plugin specific data               presence of debugger
                                       Presence of VMWare
                                       System information
 Plugin specific data:
   tag – 16 bit integer
   value – word, dword, null-
    terminated string, etc.
Festi: Plugin Interface
Festi: Plugins

 Festi plugins are volatile modules in kernel-mode address space:
   downloaded each time the bot is activated
   never stored on the hard drive

 The plugins are capable of:
   sending spam – BotSpam.dll
   performing DDoS attacks – BotDoS.dll
   providing proxy service – BotSocks.dll
Festi: Plugin Interface


         Array of pointers
            to plugins
                                     Plugin 1
              Plugin1        struct PLUGIN_INTERFACE
                                     Plugin 2
              Plugin2        struct PLUGIN_INTERFACE
                                     Plugin 3
              Plugin3        struct PLUGIN_INTERFACE

                ...
                                     Plugin N
              PluginN        struct PLUGIN_INTERFACE
Festi: Loading of Plugins
                                Decompress
                                   plugin

                            Map plugin image into
                            system address space

                           Initialize IAT and apply
                       relocations to mapped image

                          Get exported routines:
                      CreateModule & DeleteModule


                                  Execute
                               CreateModule
                                  routine

       Unmap plugin image                     Get plugin ID & version info


                                                    Register plugin by ID
Festi: Plugin Activities
Festi: DDoS Plugin (BotDos.dll)
 Supports four types of DDoS attacks:
  TCP flood
  UDP flood
  DNS flood
  HTTP flood
Festi: SOCKS Plugin (BotSocks.dll)
Support two types of proxy service:
 SOCKS over TCP
 SOCKS over UDP
Festi: Spam Plugin
Festi: Spam Plugin (BotSpam.dll)
Festi: Spam Plugin (BotSpam.dll)
Festi: Spam Plugin (BotSpam.dll)
Festi: Obtaining Spam Information

Festi                                                       Festi
 bot                                                        C&C
                 initiate encrypted connection
 1

            email-list         sender-parameters             2


                   spam-templates               smpt-list    3

                         start spam send
 4

                                  update-list                5
Festi: Obtaining Spam Information

Festi                                                       Festi
 bot                                                        C&C
                 initiate encrypted connection
 1

            email-list         sender-parameters             2


                   spam-templates               smpt-list    3

                         start spam send
 4

                                  update-list                5
Festi: Obtaining Spam Information

Festi                                                       Festi
 bot                                                        C&C
                 initiate encrypted connection
 1

            email-list         sender-parameters             2


                   spam-templates               smpt-list    3

                         start spam send
 4

                                  update-list                5
Conclusion

 Festi is one of the most powerful botnets for sending spam and
  performing DDoS attacks


 Design principles and implementation features of the bot:
    allow it to counteract security software
    harden tracking of the botnet
    make it relatively easy to derive the bot implementations for other
     platforms
Thank you for your attention!



Eugene Rodionov         Aleksandr Matrosov
rodionov@eset.sk        matrosov@eset.sk
@vxradius               @matrosov

More Related Content

What's hot

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Positive Hack Days
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
Alex Matrosov
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
 
Android Multimedia Support
Android Multimedia SupportAndroid Multimedia Support
Android Multimedia Support
Jussi Pohjolainen
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Igor Korkin
 
Android Audio System
Android Audio SystemAndroid Audio System
Android Audio System
Yi-Hsiang Huang
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
Prabhu Swamy
 

What's hot (13)

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
Android Multimedia Support
Android Multimedia SupportAndroid Multimedia Support
Android Multimedia Support
 
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel SpacesDivide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
 
Android Audio System
Android Audio SystemAndroid Audio System
Android Audio System
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
 

Viewers also liked

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
42054960
4205496042054960
42054960
andres castillo
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
Alex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
Aleksey Lukatskiy
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE
 

Viewers also liked (15)

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Similar to Festi botnet analysis and investigation

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
DefconRussia
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
Roberto Suggi Liverani
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
DefconRussia
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
Andrew Case
 
Hunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memoryHunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memory
Cysinfo Cyber Security Community
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
securityxploded
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
EnergySec
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
CODE BLUE
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
AlienVault
 
Android Internals
Android InternalsAndroid Internals
Android Internals
Opersys inc.
 
FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012
Nouh Walid
 
Beginners guide on how to start exploring IoT 2nd session
Beginners  guide on how to start exploring IoT 2nd sessionBeginners  guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
Chetan Ganatra
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
Tony Thomas
 

Similar to Festi botnet analysis and investigation (20)

Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Hunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memoryHunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memory
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by  Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012FusionInventory at LSM/RMLL 2012
FusionInventory at LSM/RMLL 2012
 
Beginners guide on how to start exploring IoT 2nd session
Beginners  guide on how to start exploring IoT 2nd sessionBeginners  guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 

Recently uploaded

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 

Recently uploaded (20)

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 

Festi botnet analysis and investigation

  • 1. Festi Botnet Analysis & Investigation Aleksandr Matrosov Eugene Rodionov
  • 2. Outline of The Presentation  Investigation  The purpose of the botnet  C&C migration  Who is behind the botnet?  Analysis  Implementation details  The bot Architecture  components, interfaces, plugins, etc.  Self-defense  The botnet’s activities:  Spam, DDoS, Proxy.
  • 5. Festi: C&C migration Beginning 2012 Autumn 2011 muduck.ru (173.212.248.51) vilturt.ru C&C migration moduck.ru (173.212.248.51) pyatochek.ru reghostin.ru (178.162.179.47) valdispit.ru hostikareg.ru (178.162.179.47) Autumn 2012 suduck.ru (37.59.50.89) 133import.ru (178.162.179.70) 02school33.ru (178.162.179.70)
  • 6. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 8. Who is behind the Festi botnet?
  • 11. Simple dropper used by third party PPI service PPI service Load PPI dropper Run Festi dropper
  • 12. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 13. Main Festi Functionality store in kernel mode Win32/Festi Dropper Install kernel-mode driver user-mode kernel-mode Win32/Festi kernel-mode driver Download plugins Win32/Festi Win32/Festi Plugin 1 Plugin 2 ... Win32/Festi Plugin N
  • 14. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 15. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 16. Festi: Configuration information The bot’s configuration information is hardcoded into the driver’s binary:  This section contains encrypted information:  URLs of C&C servers  Key to encrypt data transmitted between the bot and C&C  Bot version information and etc
  • 17. Festi: Entry Point Call Graph
  • 18. Festi: Architecture Win32/Festi Win32/Festi Win32/Festi C&C Protocol Plugin Manager Network Socket Parser Win32/Festi Memory Manager
  • 20. Festi: Self-Defense Features  The bot implements rootkit functionality:  hides its kernel-mode driver  hides its kernel-mode driver registry key  conceals its network communication  The bot protects its kernel-mode driver and corresponding registry entry from removal  The bot detects VMWare virtual environment and debuggers
  • 21. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 22. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 23. Festi: Protecting Kernel-Mode Driver  Hooking Systemroot Festi Filter File system driver driver #1 driver Malicious device ... Attached device #1 Systemroot hook forward dispatch IRP ...  Monitoring IRP_MJ_DIRECTORY_CONTROL request.
  • 24. Festi: Protecting Registry  Splicing ZwEnumerateKey system routine  Registering for receiving Shutdown notifications to restore the registry.
  • 25. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 26. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 27. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 28. Festi: Anti-Debugging & VM  Detecting & counteracting system debuggers:  KdDebuggerEnabled  overwriting debugging registers dr0-dr3  Detecting WinPcap:  looking for driver npf.sys (network packet filter)  Detecting VMWare virtual environment:  using documented feature “get version”
  • 30. Festi: Network Interface Architecture  Festi relies on custom implementation of network sockets in kernel mode:  provides encrypted tunnel with C&C servers  bypasses personal firewalls and HIPS systems  provides unified network interface for the plugins  Bypassing personal firewalls & HIPS:  Employs custom implementation of ZwCreateFile system routine to access DeviceTcp and DeviceUdp devices  bypasses device filters in tcpip.sys driver stack
  • 31. Festi: Custom Implementation of ZwCreateFile Execute ObCreateObject to create file object Initialize security attributes of created file object Execute ObInsertObject to insert created file object into FILE_OBJECT type list Create IRP request with MajorFunction code set to IRP_MJ_CREATE Send created IRP request directly to tcpip.sys driver
  • 32. Festi: Bypassing Filters in Tcpip.sys driver stack IRP IRP original Festi Attached Filter Attached Filter driver forward device #N driver #N device #N #N ... ... ... Attached Filter Attached Filter driver forward device #1 driver #1 device #1 #1 DeviceTcp DeviceTcp Tcpip.sys Tcpip.sys dispatch or or driver dispatch driver DeviceUdp DeviceUdp
  • 33. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 34. Festi: C&C Domain Names  There are two domain names in .config section:  primary C&C server  reserved C&C server  If neither of these are available Festi employs DGA:  DGA takes as input current day/month/year and bot version_info Date Festi_v1 Festi_v2 07/11/2012 fzcbihskf.com hjbfherjhff.com 08/11/2012 pzcaihszf.com jjbjherchff.com 09/11/2012 dzcxifsff.com xjbnhcrwhff.com 10/11/2012 azcgnfsmf.com ljbnqcrnhff.com 11/11/2012 bzcfnfsif.com fjblqcrmhff.com
  • 35. Festi: Communication Protocol Work Phase  The communication protocol with C&C consists of 2 stages:  initialization – resolving C&C domain name  work phase – downloading plugins & tasks  Initialization stage:  the bot manually resolves C&C domain name using Google DNS servers: 8.8.8.8 and 8.8.4.4
  • 36. Festi: Communication Protocol  The message to C&C consists of:  Message header:  message header  the bot version  plugin specific data  presence of debugger  Presence of VMWare  System information  Plugin specific data:  tag – 16 bit integer  value – word, dword, null- terminated string, etc.
  • 38. Festi: Plugins  Festi plugins are volatile modules in kernel-mode address space:  downloaded each time the bot is activated  never stored on the hard drive  The plugins are capable of:  sending spam – BotSpam.dll  performing DDoS attacks – BotDoS.dll  providing proxy service – BotSocks.dll
  • 39. Festi: Plugin Interface Array of pointers to plugins Plugin 1 Plugin1 struct PLUGIN_INTERFACE Plugin 2 Plugin2 struct PLUGIN_INTERFACE Plugin 3 Plugin3 struct PLUGIN_INTERFACE ... Plugin N PluginN struct PLUGIN_INTERFACE
  • 40. Festi: Loading of Plugins Decompress plugin Map plugin image into system address space Initialize IAT and apply relocations to mapped image Get exported routines: CreateModule & DeleteModule Execute CreateModule routine Unmap plugin image Get plugin ID & version info Register plugin by ID
  • 42. Festi: DDoS Plugin (BotDos.dll)  Supports four types of DDoS attacks:  TCP flood  UDP flood  DNS flood  HTTP flood
  • 43. Festi: SOCKS Plugin (BotSocks.dll) Support two types of proxy service:  SOCKS over TCP  SOCKS over UDP
  • 45. Festi: Spam Plugin (BotSpam.dll)
  • 46. Festi: Spam Plugin (BotSpam.dll)
  • 47. Festi: Spam Plugin (BotSpam.dll)
  • 48. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 49. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 50. Festi: Obtaining Spam Information Festi Festi bot C&C initiate encrypted connection 1 email-list sender-parameters 2 spam-templates smpt-list 3 start spam send 4 update-list 5
  • 51. Conclusion  Festi is one of the most powerful botnets for sending spam and performing DDoS attacks  Design principles and implementation features of the bot:  allow it to counteract security software  harden tracking of the botnet  make it relatively easy to derive the bot implementations for other platforms
  • 52.
  • 53. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov rodionov@eset.sk matrosov@eset.sk @vxradius @matrosov