King of spam:Festi botnet analysis

From Botnets.fr
Botnet: Festi
Malware: Festi (bot)
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
C&C protocol:
Date: May 11, 2012
Editor/Conference: ESET
Link: http://blog.eset.com/wp-content/media_files/king-of-spam-festi-botnet-analysis.pdf (blog.eset.com, PDF; archive copy)
Author: Eugene Rodionov, Aleksandr Matrosov
Type:

Abstract

The botnet Win32/Festi has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks. The bot consists of two parts: the dropper and the main module, a kernel-mode driver, which is detected by ESET as Win32/Rootkit.Festi. In 2009 and early 2010 the bot was leased out for spam sending but was then restricted to major spam partners. According to statistics from M86 Security Labs, shown on the right, Win32/Festi is one of the three most active spam botnets in the world. In the autumn of 2011 the botnet migrated its C&C (Command & Control) servers to new domain names. All the previously used domains are still alive and are kept in reserve in case the primary domain/servers don't respond. The botnet periodically migrates to new hosting and domain names in order to decrease the rate at which it is detected using C&C URLs and corresponding IP addresses. The bot's binary contains only C&C domain names, no IP addresses. Previous versions of the bot communicated with C&C servers over HTTP (Hypertext Transfer Protocol) using encrypted POST requests. At the beginning of 2012 an updated version of the bot employed a new communication protocol which is capable of bypassing IPS and IDS systems operating at the network layer. In this report we analyze the latest version of the bot, which appeared in February and is detected by ESET products as Win32/Rootkit.Agent.NVG.

Bibtex

 @misc{2012BFR1006,
   editor = {ESET},
   author = {Eugene Rodionov and Aleksandr Matrosov},
   title = {King of spam: Festi botnet analysis},
   date = {11},
   month = {May},
   year = {2012},
   howpublished = {\url{http://blog.eset.com/wp-content/media_files/king-of-spam-festi-botnet-analysis.pdf}},
 }