Festi

Festi is a rootkit and a botnet built on top of it. It runs on operating systems of the Windows family. Festi first came to the attention of antivirus vendors in the autumn of 2009. At that time the botnet was estimated to consist of roughly 25,000 infected machines, with the capacity to send roughly 2.5 billion spam emails a day. Festi was most active in 2011-2012. Later estimates, dated August 2012, show the botnet sending spam from 250,000 unique IP addresses, a quarter of the roughly one million IP addresses observed sending spam in total. The main functions of the Festi botnet are sending spam and carrying out cyberattacks such as distributed denial of service (DDoS).


Distribution Methods

Distribution is carried out through a pay-per-install (PPI) scheme. To avoid detection by antivirus products, the loader is distributed in encrypted form, which complicates signature-based detection.


Architecture

All the information presented here about the botnet's architecture comes from research by the antivirus company ESET. The loader downloads and installs the bot, which is a kernel-mode driver that adds itself to the list of drivers started together with the operating system. Only the part of the bot responsible for communicating with the command-and-control (C&C) server and for loading modules is stored on the hard disk. After starting, the bot periodically polls the C&C server for its configuration, for modules to load, and for the jobs it is to execute.


Modules

From the research carried out by specialists of the antivirus company ESET, it is known that Festi has at least two modules. One is intended for sending spam (BotSpam.dll), the other for carrying out DDoS attacks (BotDoS.dll). The DDoS module supports the following attack types: TCP flood, UDP flood, DNS flood, HTTP(S) flood, and flooding with packets that carry a random IP protocol number. An expert from Kaspersky Lab who studied the botnet concluded that there are more modules, though not all of them are in use. The list includes a SOCKS proxy module supporting TCP and UDP (BotSocks.dll), a module for remotely viewing and controlling the user's computer (BotRemote.dll), a module that searches the disks of the infected computer and the local area network it is connected to (BotSearch.dll), and grabber modules for all currently known browsers (BotGrabber.dll). Modules are never written to the hard disk, which makes their detection almost impossible.
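A detector's view of the flood types listed above, as an added example that is not Festi's code and is not taken from ESET's or Kaspersky Lab's research: it classifies a packet trace into the attack categories the BotDoS module is reported to support. The record layout, the thresholds and the sample traffic are assumptions made for illustration; a real filter would keep these tallies per source and per destination over a time window rather than over a whole trace.

```c
/* Added example (not Festi code): classify a packet trace into the flood types
 * the BotDoS module is reported to support. The record layout, thresholds and
 * sample traffic are illustrative assumptions, not captured Festi traffic. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define TCP_SYN 0x02
#define TCP_ACK 0x10

enum flood {
    FLOOD_NONE = 0,
    FLOOD_TCP,          /* bare SYNs: the classic TCP (SYN) flood */
    FLOOD_UDP,          /* UDP datagrams to arbitrary ports */
    FLOOD_DNS,          /* UDP to port 53 */
    FLOOD_HTTP,         /* requests on established connections to 80/443 */
    FLOOD_RANDOM_PROTO, /* protocol field is neither TCP nor UDP */
    FLOOD_COUNT
};

struct pkt {
    uint8_t  proto;     /* IP header protocol number */
    uint16_t dport;     /* destination port (0 when not TCP/UDP) */
    uint8_t  tcp_flags; /* TCP flag bits (0 when not TCP) */
    uint16_t len;       /* payload bytes */
};

struct pkt mk(uint8_t proto, uint16_t dport, uint8_t flags, uint16_t len)
{
    struct pkt p = { proto, dport, flags, len };
    return p;
}

/* Fill `out` with `n` copies of `tmpl`; used to build constructed sample traces. */
void fill(struct pkt *out, size_t n, struct pkt tmpl)
{
    for (size_t i = 0; i < n; i++)
        out[i] = tmpl;
}

/* Tally each packet against the flood signatures and return the dominant one,
 * or FLOOD_NONE when no signature reaches `threshold` packets in the trace. */
enum flood classify_flood(const struct pkt *p, size_t n, size_t threshold)
{
    size_t count[FLOOD_COUNT] = { 0 };

    for (size_t i = 0; i < n; i++) {
        const struct pkt *k = &p[i];
        if (k->proto == PROTO_TCP) {
            /* A request on an established web connection counts toward an
             * HTTP(S) flood; a SYN without ACK toward a TCP flood. Other
             * TCP segments (normal data, FIN/RST) are ignored. */
            if ((k->dport == 80 || k->dport == 443) && (k->tcp_flags & TCP_ACK) && k->len > 0)
                count[FLOOD_HTTP]++;
            else if (k->tcp_flags == TCP_SYN)
                count[FLOOD_TCP]++;
        } else if (k->proto == PROTO_UDP) {
            count[k->dport == 53 ? FLOOD_DNS : FLOOD_UDP]++;
        } else {
            /* Anything else (a deployed filter would exempt ICMP and IPsec
             * first) matches the random-protocol-number variant. */
            count[FLOOD_RANDOM_PROTO]++;
        }
    }

    enum flood best = FLOOD_NONE;
    for (int f = FLOOD_TCP; f < FLOOD_COUNT; f++)
        if (count[f] > count[best])
            best = (enum flood)f;
    return count[best] >= threshold ? best : FLOOD_NONE;
}

int main(void)
{
    static const char *names[FLOOD_COUNT] = {
        "none", "tcp-flood", "udp-flood", "dns-flood", "http-flood", "random-proto-flood"
    };
    struct pkt trace[64];

    fill(trace, 64, mk(PROTO_TCP, 80, TCP_SYN, 0));            /* constructed SYN flood */
    printf("%s\n", names[classify_flood(trace, 64, 32)]);

    for (size_t i = 0; i < 64; i++)                            /* constructed random-protocol flood */
        trace[i] = mk((uint8_t)(200 + i % 40), 0, 0, 64);
    printf("%s\n", names[classify_flood(trace, 64, 32)]);
    return 0;
}
```

The SYN-to-port-80 case shows why the order of the TCP checks matters: a SYN flood aimed at a web server is still a SYN flood, not an HTTP flood, because no request is ever sent; only completed connections that carry data count toward the HTTP(S) category.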


Network Interaction

The bot uses a client-server model and implements its own network protocol for communicating with the C&C server. The protocol is used to receive the botnet configuration, to download modules, to obtain jobs from the C&C server, and to report their completion back to it. The data is encoded, which hinders determining the contents of the network traffic.


Protection against Detection and Debugging

On installation the bot disables the system firewall, hides its kernel-mode driver and the registry keys needed for loading and running it, and protects itself and those registry keys from deletion. Network operations are performed at a low level, which allows the bot to bypass the network filters of antivirus software easily. The bot also watches for network filters in order to prevent their installation. It checks whether it is running inside a virtual machine and, if so, stops its activity. Festi periodically checks for the presence of a debugger and is able to remove breakpoints.
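Portable user-mode analogues of the three checks described above (hypervisor detection, debugger detection and software-breakpoint removal), as an added example. This is not Festi's code, and the page does not say which specific checks the kernel driver performs, so the CPUID hypervisor bit, the Linux TracerPid field and the INT3 byte scan are assumptions chosen to illustrate each technique; the byte buffer passed to `restore_int3` stands in for the bot's own code section.

```c
/* Added example (not Festi's code): user-mode, portable versions of the
 * evasion checks the article attributes to Festi. Which checks the real
 * kernel driver performs is not documented here; these are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* VM check: CPUID leaf 1, ECX bit 31 is the "hypervisor present" flag that
 * VMware, VirtualBox, Hyper-V, KVM and Xen set. Returns 1 = hypervisor,
 * 0 = none reported, -1 = cannot tell on this architecture. */
int hypervisor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return -1;
    return (int)((c >> 31) & 1u);
#else
    return -1;
#endif
}

/* Debugger check, Linux flavour (the Windows equivalent reads the PEB's
 * BeingDebugged flag): the kernel reports the tracing process in
 * /proc/self/status as "TracerPid:\tN". The parser is separated from the
 * file read so it can be run on constructed input. Returns the pid, 0 when
 * not traced, -1 when the field is missing. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (!p)
        return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);  /* strtol skips the tab */
}

int debugger_present(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;  /* no procfs: treat as not traced */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* Breakpoint removal: an x86 software breakpoint is the one-byte INT3
 * opcode 0xCC written over an instruction. A bot that keeps a snapshot of
 * its own code can find and undo them. `code` stands in for the live text
 * section (kernel code would first make that page writable). Returns the
 * number of bytes restored. */
size_t restore_int3(uint8_t *code, const uint8_t *snapshot, size_t len)
{
    size_t restored = 0;
    for (size_t i = 0; i < len; i++) {
        if (code[i] == 0xCC && snapshot[i] != 0xCC) {
            code[i] = snapshot[i];
            restored++;
        }
    }
    return restored;
}

int main(void)
{
    /* Constructed bytes standing in for a code section (push rbp; mov rbp,rsp; nop; ret). */
    const uint8_t snapshot[] = { 0x55, 0x48, 0x89, 0xE5, 0x90, 0xC3 };
    uint8_t live[sizeof snapshot];
    memcpy(live, snapshot, sizeof live);
    live[4] = 0xCC;  /* simulate a debugger planting a breakpoint on the nop */

    printf("hypervisor=%d debugger=%d restored=%zu\n",
           hypervisor_present(), debugger_present(),
           restore_int3(live, snapshot, sizeof live));
    return 0;
}
```

None of these checks is conclusive on its own: a cooperating hypervisor can clear the CPUID bit, a kernel debugger leaves no TracerPid, and hardware breakpoints (debug registers) never touch the code bytes, so the snapshot scan only catches software breakpoints. That is why the article describes the bot repeating its checks periodically rather than once at startup.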


The Object-Oriented Approach to Development

Festi was developed using object-oriented programming techniques, which considerably complicates analysis by reverse engineering and makes the bot easy to port to other operating systems.


Control

The Festi botnet is controlled entirely through a web interface accessed from a browser.


Who Stands behind Festi

According to specialists from the antivirus company ESET, to the American journalist, blogger and information-security expert Brian Krebs, to Andrew Kramer of The New York Times, and to sources close to the Russian intelligence services, the architect and developer of the Festi botnet is the Russian hacker Igor Artimovich.


Conclusion

In conclusion, Festi was one of the most powerful botnets for sending spam and carrying out DDoS attacks. The principles on which it is built maximize the bot's lifetime on the infected system and hinder its detection by antivirus software and network filters. The module mechanism allows the botnet's functionality to be extended in any direction by writing and loading the modules needed for a given purpose, and the object-oriented design complicates reverse engineering and makes it possible to port the bot to other operating systems by cleanly separating the OS-specific functionality from the rest of the bot's logic. Its extensive anti-detection and anti-debugging measures make the Festi bot almost invisible. Its binding scheme and use of backup command centers allow control over the botnet to be restored after a change of command center. Festi is an atypical example of malware in that its authors approached its development extremely seriously.


See also

* Botnets
* Malware
* Cyberwarfare




External links

* Top 10 botnets and their impact, Help Net Security, December 9, 2009
* The New Era of Botnets, McAfee white paper: https://web.archive.org/web/20131228032416/http://www.mcafee.com/in/resources/white-papers/wp-new-era-of-botnets.pdf
* Festi botnet takes over following Grum shutdown, ComputerWorld UK, August 17, 2012
* Spam botnets: The fall of Grum and the rise of Festi, Thomas Morrison, Spamhaus, August 16, 2012
* Spamhaus: Grum Dead, Festi Alive and Well, Malcolm James, All Spammed Up, August 22, 2012
* The Global Botnet Threat, McAfee, November 14, 2012