FESTI
Festi
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
FESTI is the malware family behind the Festi botnet, also known as Spamnost, which first appeared in 2009. It is installed by a dropper that writes a kernel-mode driver to the system. Once that driver is loaded, the rootkit component carries out the malicious routines, one of which is fetching updated configuration data from its command-and-control (C&C) server. It may also download plugins, which have been used to send spam and to carry out distributed denial-of-service (DDoS) attacks.
This malware can also bypass software firewalls and Host-based Intrusion Prevention System (HIPS) products. Rather than sending its traffic and file I/O through the normal driver stacks, where such products attach their filter drivers, it opens \Driver\Tcpip\Device\Tcp directly to send and receive network packets and \FileSystem\Ntfs\Ntfs directly to access the file system, so its activity never passes through the monitoring layers sitting above those objects.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- %System%\drivers\z{random letters}{random digit}.sys
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\z{random letters}{random digit}
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\z{random letters}{random digit}
Type = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\z{random letters}{random digit}
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\z{random letters}{random digit}
Start = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\z{random letters}{random digit}
ImagePath = "%System%\drivers\z{random letters}{random digit}.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\z{random letters}{random digit}
DisplayName = "z{random letters}{random digit}.sys"
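The following hunting script is an added example, not code from the original page or from any vendor's tooling. It walks the Services key for entries whose name fits the z{random letters}{random digit} pattern described above and checks them against the other indicators listed: Type 1 (kernel driver), Start 1 (SYSTEM_START), ErrorControl 0, an ImagePath under %System%\drivers, and a DisplayName equal to the driver file name. The regular expression, the path normalization rules, the Authenticode check, and the cross-reference against loaded drivers are my own assumptions about how a practitioner would triage such a registration.

```powershell
# Added example: hunt for Festi-style kernel driver service registrations.
# Not part of the original page; regex, normalization and scoring are assumptions.

function Find-FestiServices {
    [CmdletBinding()]
    param(
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string]$NamePattern  = '^z[a-z]+[0-9]$'   # z{random letters}{random digit}
    )

    $systemDir  = [Environment]::GetFolderPath('System')   # %System%, usually C:\Windows\System32
    $driversDir = Join-Path $systemDir 'drivers'

    # Drivers currently loaded, used to corroborate a suspicious registration.
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name

    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $NamePattern } |
        ForEach-Object {
            $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

            # Normalize the ImagePath forms kernel drivers commonly use:
            #   \??\C:\..., \SystemRoot\system32\drivers\x.sys, system32\drivers\x.sys,
            #   or a plain absolute path with environment variables.
            $imagePath = [string]$svc.ImagePath
            $resolved  = $imagePath
            $resolved  = $resolved -replace '^\\\?\?\\', ''
            $resolved  = $resolved -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $resolved  = $resolved -replace '^system32\\', "$systemDir\"
            $resolved  = [Environment]::ExpandEnvironmentVariables($resolved)

            $fileExists = Test-Path -LiteralPath $resolved -PathType Leaf
            $sigStatus  = if ($fileExists) {
                (Get-AuthenticodeSignature -FilePath $resolved).Status
            } else { 'FileMissing' }

            # Indicators taken from the page's registry listing.
            $checks = @(
                ([int]$svc.Type -eq 1),                                  # kernel driver
                ([int]$svc.Start -eq 1),                                 # SYSTEM_START
                ([int]$svc.ErrorControl -eq 0),                          # ignore load errors
                ($resolved -like "$driversDir\z*.sys"),                  # %System%\drivers\z*.sys
                ([string]$svc.DisplayName -eq (Split-Path -Leaf $resolved))  # DisplayName == file name
            )
            $hits = @($checks | Where-Object { $_ }).Count

            [PSCustomObject]@{
                Service         = $_.PSChildName
                ImagePath       = $imagePath
                ResolvedPath    = $resolved
                FileExists      = $fileExists
                Signature       = $sigStatus
                CurrentlyLoaded = ($loaded -contains $_.PSChildName)
                IndicatorScore  = "$hits/5"
            }
        }
}

Find-FestiServices | Sort-Object IndicatorScore -Descending | Format-Table -AutoSize
```

A high indicator score is a lead, not a verdict: a legitimate unsigned third-party driver can also be a SYSTEM_START kernel service named after its file. Conversely, because this component runs as a kernel rootkit, the live registry and file-system views it is queried through may not be trustworthy; corroborate any hit by parsing the SYSTEM hive and driver file from a trusted boot or a mounted disk image before concluding the host is clean.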
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}ol33.ru
- {BLOCKED}ort.ru