Festi is a rootkit and the botnet built on it. It runs on operating systems of the Windows family. Festi first came to the attention of antivirus vendors in autumn 2009. At that time the botnet was estimated at roughly 25,000 infected machines, with a capacity of roughly 2.5 billion spam emails a day. Festi was most active in 2011-2012. More recent estimates, dated August 2012, show the botnet sending spam from 250,000 unique IP addresses, a quarter of the one million IP addresses detected sending spam. The main functions of the Festi botnet are sending spam and carrying out distributed denial-of-service (DDoS) attacks.
All of the data presented here about the botnet's architecture comes from research by the antivirus company ESET. The loader downloads and installs a bot in the form of a kernel-mode driver, which adds itself to the list of drivers launched together with the operating system. Only the part of the bot responsible for communicating with the command center and loading modules is stored on the hard disk. After starting, the bot periodically contacts the command center to receive its configuration, the modules to load, and the jobs to execute.
According to research by specialists at the antivirus company ESET, Festi has at least two modules. One is intended for sending spam (BotSpam.dll), the other for carrying out distributed denial-of-service attacks (BotDoS.dll). The DDoS module supports the following attack types: TCP flood, UDP flood, DNS flood, HTTP(s) flood, and packet floods that use a random number for the protocol.
The Kaspersky Lab expert who researched the botnet concluded that there are more modules, but that not all of them are used. The list includes a module implementing a SOCKS server (BotSocks.dll) over the TCP and UDP protocols, a module for remote viewing and control of the user's computer (BotRemote.dll), a module that searches the disk of the remote computer and the local area network to which it is connected (BotSearch.dll), and grabber modules for all browsers known at the time (BotGrabber.dll).
Modules are never saved to the hard disk, which makes detecting them almost impossible.
The bot uses a client-server model and implements its own network protocol for communicating with the command center. The protocol is used to receive the botnet configuration, load modules, obtain jobs from the command center, and notify the command center of their execution. The data is encoded, which hinders identification of the contents of the network traffic.
Protection against Detection and Debugging
On installation the bot switches off the system firewall, hides the kernel-mode driver and the system registry keys needed for its loading and operation, and protects itself and those registry keys from deletion. Network operations take place at a low level, which allows the bot to bypass the network filters of antivirus software easily. The bot monitors the use of network filters in order to prevent their installation. The bot checks whether it is running in a virtual machine and, if so, stops its activity. Festi periodically checks for the presence of a debugger and is able to remove breakpoints.
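Hidden registry keys of the kind described above can be exposed by a cross-view check, because a rootkit can filter what the running system reports but not what an offline parse of the SYSTEM hive shows. The following is an added example, not code from the original article or from the ESET research; it assumes two listings of the Services key in a constructed name|Type|Start|ImagePath format, and the driver name exampledrv is a placeholder rather than a Festi indicator.

```python
# Cross-view check: Services entries seen on the live system vs. an offline hive parse.
# All sample data is constructed; "exampledrv" is a placeholder, not a Festi indicator.

KERNEL_DRIVER = 1            # Services\<name>\Type value for a kernel-mode driver
STARTS_WITH_OS = {0, 1, 2}   # Services\<name>\Start: boot, system, automatic

# name|Type|Start|ImagePath, as enumerated on the running system (constructed)
LIVE_VIEW = """\
disk|1|0|system32\\drivers\\disk.sys
tcpip|1|0|system32\\drivers\\tcpip.sys
beep|1|1|system32\\drivers\\beep.sys
spooler|16|2|system32\\spoolsv.exe
"""

# The same key parsed from the SYSTEM hive of a powered-off image (constructed)
OFFLINE_VIEW = LIVE_VIEW + "exampledrv|1|1|system32\\drivers\\exampledrv.sys\n"


def parse_view(text):
    """Return {lowercased service name: (type, start, image_path)}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, svc_type, start, image = line.split("|", 3)
        entries[name.strip().lower()] = (int(svc_type), int(start), image.strip().lower())
    return entries


def hidden_os_start_drivers(live_text, offline_text):
    """Kernel drivers that start with the OS and are hidden or altered in the live view."""
    live, offline = parse_view(live_text), parse_view(offline_text)
    findings = []
    for name, (svc_type, start, image) in sorted(offline.items()):
        if svc_type != KERNEL_DRIVER or start not in STARTS_WITH_OS:
            continue
        if name not in live:
            findings.append((name, "missing from live view", image))
        elif live[name][2] != image:
            findings.append((name, "ImagePath differs between views", image))
    return findings


if __name__ == "__main__":
    for finding in hidden_os_start_drivers(LIVE_VIEW, OFFLINE_VIEW):
        print(finding)
```
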
The Object-Oriented Approach to Development
Festi is built using object-oriented software development techniques, which greatly complicates analysis by reverse engineering and makes the bot easy to port to other operating systems.
The Festi botnet is controlled entirely through a web interface accessed via a browser.
Who Stands behind Festi
According to specialists at the antivirus company ESET, the American journalist, blogger and information security expert Brian Krebs, the American journalist Andrew Kramer of The New York Times, and sources close to Russian intelligence services, the architect and developer of the Festi botnet is the Russian hacker Igor Artimovich.
In conclusion, the Festi botnet was one of the most powerful botnets for sending spam and carrying out distributed denial-of-service attacks. The principles on which Festi is built maximize the bot's lifetime on an infected system and hinder its detection by antivirus software and network filters. The module mechanism allows the botnet's functionality to be extended in any direction by creating and loading the modules needed for different purposes. The object-oriented approach to development complicates reverse engineering of the botnet and makes it possible to port the bot to other operating systems, because functionality specific to a particular operating system is cleanly separated from the rest of the bot's logic. Powerful mechanisms for countering detection and debugging make the Festi bot almost invisible. The system of bindings and the use of reserve command centers make it possible to regain control of the botnet after a change of command center. Festi is an atypical example of malicious software in that its authors approached its development extremely seriously.