Festi

June 7, 2010

Aliases

  • Generic Rootkit.dt
  • Virus.Rootkit.Win32.Agent
  • Rootkit.Win32.Tent.av
  • Backdoor:WinNT/Festi.A
  • Win32/Festi.A

Comments

Festi is a rootkit-based spamming botnet whose spam campaigns mainly focus on replica products. Most of the time, Festi is installed by a dropper onto an infected host together with other malware, including other spambots such as Pushdo, Rustock, Lethic and Donbot. Festi may also be downloaded by a Trojan (Harnig or Virut) or delivered as the payload of a drive-by download website. Because of its stealth, and because it is often installed alongside other spambots, Festi's presence is difficult to detect.

Features

  • Kernel-mode rootkit-based spam engine
  • XOR encrypted spamming template
  • Installs to the infected system as a service

Spamming Rate

  • unknown

Command and Control

The Festi spambot contacts its command and control server over HTTP on port 80. The HTTP request looks similar to this:

POST /update.php HTTP/1.1
Accept: */*
Accept-Language: en
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Length: 138
Pragma: no-cache

Approximately every minute the Festi bot sends an HTTP request to the control server. In return, the control server may reply with an encrypted spam template and/or a list of target email addresses.

Here is a typical Festi spam sample:

[Figure: typical Festi spam sample (image not reproduced in this copy)]

Malware Behavior on Host

Festi is installed as a kernel-mode driver in the Windows system driver directory "%systemroot%\system32\drivers" using a random filename with the .SYS file extension. The filename follows this format:

z<random 6 to 12 letters><single digit>.sys

Examples:
- zhkevjdp7.sys
- zuhllbgiv3.sys
- zemtmcscfjlo3.sys

Here is a screenshot of Festi running as a rootkit, as revealed by the Rootkit Unhooker tool:

[Figure: Rootkit Unhooker screenshot showing the hidden Festi driver (image not reproduced in this copy)]

It registers the malware as a service by creating a registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<malware filename> 
ImagePath = "%systemroot%\system32\drivers\<malware filename>.sys"
DisplayName = "<malware filename>"

Festi also bypasses the Windows firewall by adding itself to the firewall policy registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\List
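The indicators described above (driver name format, service registry entry, firewall exception and C2 beacon) as a small hunting helper in Python; this is an added example, not part of the M86 profile. Registry and firewall data are passed in as plain dictionaries and lists so it runs offline (a live check would fill them from winreg), and the `port:proto:scope:Enabled:name` layout of the GloballyOpenPorts\List entries is an assumption.

```python
import re

# Driver naming scheme from the profile: "z" + 6 to 12 letters + one digit + ".sys"
FESTI_DRIVER_RE = re.compile(r"^z[a-z]{6,12}[0-9]\.sys$", re.IGNORECASE)

# Header values of the C2 beacon shown above (POST /update.php roughly every minute)
FESTI_C2_HEADERS = {
    "content-type": "application/octet-stream",
    "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "pragma": "no-cache",
}


def is_festi_style_driver(filename):
    """True for names like zhkevjdp7.sys, false for zhk7.sys or ntfs.sys."""
    return FESTI_DRIVER_RE.match(filename) is not None


def suspicious_driver_services(services):
    """services: {service_key: {"ImagePath": ..., "DisplayName": ...}} as read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services (on a live host, fill it via winreg).
    Returns keys whose ImagePath is a Festi-style .sys under system32\\drivers."""
    hits = []
    for key, values in services.items():
        path = values.get("ImagePath", "")
        m = re.search(r"system32\\drivers\\([^\\]+\.sys)$", path, re.IGNORECASE)
        if m and is_festi_style_driver(m.group(1)):
            hits.append(key)
    return hits


def firewall_exceptions_for(open_ports_list, names):
    """open_ports_list: entries of ...\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List.
    Assumed entry layout 'port:proto:scope:Enabled:name'; returns entries naming a hit."""
    names = [n.lower() for n in names]
    return [e for e in open_ports_list if any(n in e.lower() for n in names)]


def is_festi_c2_request(raw_request):
    """True when a raw HTTP request has the request line and headers of the beacon."""
    lines = raw_request.strip().splitlines()
    if not lines or not lines[0].strip().startswith("POST /update.php HTTP/1."):
        return False
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return all(headers.get(k) == v for k, v in FESTI_C2_HEADERS.items())
```

The beacon check is a shape match on the headers the profile lists; pair it with the roughly one-minute request interval when reviewing proxy logs.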

© M86 Security

Last Reviewed: July 26, 2010 by Rodel Mendrez