FESTI
Festi
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
FESTI malware comes from a bot network also known as Spamnost. It first appeared in 2009. This malware uses a dropper to install itself on the system. After installation, it uses its rootkit functionality to carry out its malicious routines, one of which is updating its configuration data from its C&C server. It may also download plugins, which can send spam and perform distributed denial of service (DDoS) attacks.
This malware is also capable of bypassing firewalls and HIPS (Host-based Intrusion Prevention System) technology. It also opens \Driver\Tcpip\Device\Tcp and \FileSystem\Ntfs\Ntfs to send and receive packet data over the network.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- %System%\drivers\z{random letters}{random digit}.sys
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Other System Modifications
This Trojan adds the following registry keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z{random letters}{random digit}
It adds the following registry entries under that key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\z{random letters}{random digit}
  Type = "1"
  ErrorControl = "0"
  Start = "1"
  ImagePath = "%System%\drivers\z{random letters}5.sys"
  DisplayName = "z{random letters}5.sys"
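The dropped driver and its service key give a concrete triage check. The Python below is an added example, not part of this write-up: it parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and reports services whose name and values match the footprint described above; the sample output and service names are constructed.

```python
import re
# Constructed sample in the layout of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`;
# service names are made up, only the z{random letters}{random digit} pattern is from the write-up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zkqpw5
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \SystemRoot\system32\drivers\zkqpw5.sys
    DisplayName    REG_SZ    zkqpw5.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zabcd3
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x3
    ImagePath    REG_EXPAND_SZ    system32\drivers\zabcd3.sys
    DisplayName    REG_SZ    Example Vendor Filter Driver

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    system32\drivers\tcpip.sys
    DisplayName    REG_SZ    TCP/IP Protocol Driver
"""

SERVICE_NAME = re.compile(r"^z[a-z]+\d$", re.IGNORECASE)  # z{random letters}{random digit}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")  # "    Name    REG_TYPE    data"

def parse_reg_query(text):
    """Map each Services subkey name to its {value name: data} dictionary."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_LOCAL_MACHINE\\"):
            current = line.rsplit("\\", 1)[1]
            services[current] = {}
        elif current is not None and (m := VALUE_LINE.match(line)):
            services[current][m.group(1)] = m.group(3).strip()
    return services

def festi_like_services(text):
    """Return service names that match the whole installation footprint, not just the name."""
    hits = []
    for name, values in parse_reg_query(text).items():
        image = values.get("ImagePath", "").lower()
        if (SERVICE_NAME.match(name)
                and values.get("Type") == "0x1"    # Type = 1: kernel-mode driver
                and values.get("Start") == "0x1"   # Start = 1: loaded at system start
                and image.endswith(f"\\drivers\\{name.lower()}.sys")
                and values.get("DisplayName", "").lower() == f"{name.lower()}.sys"):
            hits.append(name)
    return hits
```

Only a service whose name pattern, driver type, start type, image location and display name all line up is reported, so a legitimately named vendor driver such as the constructed `zabcd3` entry is not flagged.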
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}ol33.ru
- {BLOCKED}ort.ru