Windows Festi rootkit reappears five years after owner jailed

A Windows rootkit that dates back to 2009 has reappeared in the wild, according to researchers at security firm Check Point, but there is no indication whether it is being controlled by its original owner or whether someone else has taken control of it.

Festi served as a bot and was part of a large and successful botnet used for launching distributed denial of service attacks and also for distributing spam.

Its author and operator, Igor Artimovich, was arrested by Russian authorities in 2012, and the rootkit appeared to vanish after that. The arrest followed a DDoS attack against the Aeroflot website. The security firm ESET published a detailed analysis of Festi at the time.

Artimovich was sentenced to 2½ years in prison and released in August 2016.

Check Point said the rootkit was now being distributed by the RIG exploit kit and the new variants had a new dropper that faked the appearance of an update for Adobe Flash Player so that it could gain elevated privileges.

[Image: The Adobe Flash Player update dialog box generated by Festi.]

The new variant also had more than a few code changes, suggesting that whoever was behind it had access to the source code.

The Check Point researchers said they were uncertain whether Artimovich had resurrected Festi or whether the source code had been sold or stolen.

They said while the use of a dropper was not unusual, the Flash update pop-up was impressive as it resembled the original very closely.

"The fake installation window contains links such as 'See Details…' and 'End User Licence Agreement' which point to the real Adobe website. Additionally, if the user clicks 'Remind Me Later', the dropper exits and deletes itself, implying the operators prefer caution over additional infections," they wrote.

"The return of the Festi rootkit, after being gone for so long, is quite surprising. The operation so far indicates the current operator is cautious and prefers to stay under the radar.

"Additionally, the technical analysis indicates the current operator probably has possession of the source code, whether he is the original author or not. Still, it is too early to tell if this is just someone playing around with an old malware, or the start of a whole new chapter for Festi."

Graphics: courtesy Check Point and ESET

