Fanny superworm likely the precursor to Stuxnet

The worm, used by the Equation cyberespionage group, relied on zero-day exploits that were later used in Stuxnet

The Stuxnet computer worm that was used to sabotage the Iranian nuclear program was likely preceded by another sophisticated malware program that used some of the same exploits and spread through USB thumb drives to computers isolated from the Internet.

The USB worm is called Fanny and is part of a sophisticated malware toolset used by a cyberespionage group that researchers from Russian antivirus firm Kaspersky Lab have dubbed Equation.

Kaspersky published a detailed report Monday about Equation, which it considers the most advanced group of attackers to date and whose activity spans back to 2001 and possibly even to 1996. Even though the company stopped short of directly linking the group to the U.S. National Security Agency, there are significant details that point to such links.

One of those apparent links lies in the similarities between the Fanny worm, which has been used by the Equation group since at least 2008, and the Stuxnet worm, which, according to multiple news articles and books that cite unnamed U.S. government sources, was developed by the NSA and Israel's intelligence services.

Fanny is a worm that spreads through USB thumb drives with the goal of gathering intelligence. Its focus appears to be mapping air-gapped computer networks -- networks of computers that are isolated from the Internet.

There are several things that make Fanny remarkable. First, it used the same LNK exploit as Stuxnet to spread, but it did so before Stuxnet. The LNK vulnerability was patched by Microsoft in 2010 after Stuxnet was discovered, but Fanny had used it since 2008. The first known variant of Stuxnet dates from 2009. Fanny also exploited a second vulnerability in Windows that was a zero-day -- an unpatched flaw -- at the time and was later used by some versions of Stuxnet.

There are also other similarities between the two malware programs, the Kaspersky researchers said Tuesday in a blog post that contains an in-depth technical analysis of Fanny.

For example, it appears that both the developers of Stuxnet and of Fanny follow certain coding guidelines that involve the use of unique numbers, the researchers said.

The fact that two different computer worms used the same zero-day exploits in the same way and at around the same time indicates that their developers are either the same people or people working closely together, the Kaspersky researchers said.

The complexity of Fanny doesn't stop with its use of zero-days. For example, the malware program creates a hidden storage area on USB drives that are formatted with the FAT16 or FAT32 file system. It does this by using an undocumented combination of file system flags to create a 1MB container that is ignored by the standard FAT drivers used by Windows and other operating systems.

Those systems will simply ignore the hidden storage area because they'll view it as a corrupt data block, but Fanny has its own modified FAT driver that allows it to read and write data in that container. The malware uses it to store stolen files and information like the OS versions, Service Pack numbers, computer names, user names, company names and the running processes of infected computers.

If the rigged USB stick is later used to infect a computer that has Internet access, the malware will upload the data from the hidden container to the attackers. In turn, they can use this special storage area to save commands that will be executed on the air-gapped computers when the same USB drive is plugged back into them.
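The container described above survives because standard FAT drivers skip the area, but the clusters it occupies are still marked allocated in the file allocation table. A defender can therefore find such a region without knowing which flag combination marks it, by reconciling the allocation table against the directory tree: any allocated cluster that no directory entry's chain reaches is unaccounted-for storage. The following added example (not Kaspersky's code, and not anything from Fanny) performs that reconciliation over a constructed FAT16 allocation table and root directory; the cluster size, the 300-cluster table, the file entries and the unreferenced 1MB chain are all sample values made up for the demonstration, and the "odd attribute" check simply flags attribute combinations the FAT specification does not define rather than any combination the article attributes to Fanny.

```python
"""Reconcile a FAT16 allocation table against its root directory.

Added example with constructed sample data. Reports (a) directory entries
whose attribute byte is not a combination the FAT specification defines and
(b) runs of clusters that are allocated but reachable from no entry's chain.
Only the root directory is walked; a real tool would recurse into
subdirectories before computing the reachable set.
"""
import struct

ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F          # all four low bits set: a long-name fragment
ATTR_RESERVED = 0xC0           # bits 6-7 are reserved and must be zero

FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8         # 0xFFF8..0xFFFF all mean end of chain
CLUSTER_BYTES = 4096           # assumed cluster size of the sample volume

ENTRY_FMT = "<11sBBBHHHHHHHI"  # 32-byte short directory entry layout


def parse_dir_entry(raw):
    """Decode one 32-byte short directory entry into a dict."""
    (name, attr, _nt, _ct10, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    return {
        "name": name.decode("ascii", "replace"),
        "attr": attr,
        "free": name[0] == 0x00,        # 0x00 marks end of directory
        "deleted": name[0] == 0xE5,     # 0xE5 marks a deleted entry
        "start": (clus_hi << 16) | clus_lo,   # high word is zero on FAT16
        "size": size,
    }


def make_entry(name, attr, start, size):
    """Build a short directory entry (timestamps left at zero)."""
    return struct.pack(ENTRY_FMT, name, attr, 0, 0, 0, 0, 0,
                       start >> 16, 0, 0, start & 0xFFFF, size)


def follow_chain(fat, start):
    """Return the clusters of a chain, stopping at EOC, bad, free or loops."""
    chain, cur = [], start
    while 2 <= cur < len(fat) and cur not in chain:
        chain.append(cur)
        nxt = fat[cur]
        if nxt == 0 or nxt == FAT16_BAD or nxt >= FAT16_EOC_MIN:
            break
        cur = nxt
    return chain


def runs(clusters):
    """Collapse a sorted cluster list into (first, last) contiguous runs."""
    out = []
    for c in clusters:
        if out and c == out[-1][1] + 1:
            out[-1] = (out[-1][0], c)
        else:
            out.append((c, c))
    return out


def audit(fat, root_dir):
    """Compare allocated clusters with those reachable from root entries."""
    reachable, findings = set(), []
    for off in range(0, len(root_dir), 32):
        e = parse_dir_entry(root_dir[off:off + 32])
        if e["free"]:
            break
        if e["deleted"] or e["attr"] == ATTR_LONG_NAME:
            continue
        if e["attr"] & ATTR_RESERVED or (
                e["attr"] & ATTR_VOLUME_ID and e["attr"] & ATTR_DIRECTORY):
            findings.append(f"{e['name']!r}: attribute byte 0x{e['attr']:02X} "
                            "is not a combination the FAT spec defines")
        if e["start"] >= 2:
            reachable.update(follow_chain(fat, e["start"]))
    allocated = {c for c in range(2, len(fat)) if fat[c] not in (0, FAT16_BAD)}
    orphans = sorted(allocated - reachable)
    for first, last in runs(orphans):
        findings.append(f"clusters {first}-{last}: {(last - first + 1) * CLUSTER_BYTES} "
                        "bytes allocated but reachable from no directory entry")
    return {"reachable": reachable, "orphan_runs": runs(orphans),
            "orphan_bytes": len(orphans) * CLUSTER_BYTES, "findings": findings}


def build_sample_volume():
    """Constructed sample: two normal files plus an unreferenced 1MB chain."""
    fat = [0] * 300
    fat[0], fat[1] = 0xFFF8, 0xFFFF        # media byte and reserved entry
    fat[2], fat[3], fat[4] = 3, 4, 0xFFFF  # REPORT.TXT occupies 2 -> 3 -> 4
    fat[5] = 0xFFFF                        # PAGEFILE.SYS: one cluster
    for c in range(10, 266):               # 256 x 4 KB = 1 MB, referenced by nothing
        fat[c] = c + 1 if c < 265 else 0xFFFF
    root = make_entry(b"REPORT  TXT", ATTR_ARCHIVE, 2, 10000)
    root += make_entry(b"PAGEFILE SYS", ATTR_HIDDEN | ATTR_SYSTEM | ATTR_ARCHIVE, 5, 4096)
    root += make_entry(b"ODDENTRY   ", ATTR_VOLUME_ID | ATTR_DIRECTORY, 0, 0)  # spec-invalid combo
    root += b"\x00" * 32                   # end-of-directory marker
    return fat, root


if __name__ == "__main__":
    for line in audit(*build_sample_volume())["findings"]:
        print(line)
```

Hidden-but-legitimate entries such as the sample PAGEFILE.SYS (hidden + system) are deliberately not flagged: those attributes are ordinary, and the signal worth acting on is allocated space with no owner, which no driver-level hiding trick can remove from the allocation table.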

"While the true target of Fanny remains unknown, its unique capability to map air-gapped networks and communicate via USB sticks indicate a lot of work went into gaining the ability to access these air-gapped networks," the Kaspersky researchers said. "As a precursor for the versions of Stuxnet that could replicate through the network, it's possible that Fanny was used to map some of the future targets of Stuxnet."

Another testament to the sophistication of the Equation group is that they actually wanted the Fanny malware to be easily discoverable by anti-malware tools, but to appear as some low-risk threat.

Fanny has a rootkit component that hides files in Windows Explorer and also uses unusual start-up registry entries, so it is quite capable of remaining undetected for long periods of time. However, the attackers knew that if the malware was ever discovered despite these clever techniques, it would pique the interest of malware analysts.

Therefore they resorted to a deception technique that involves hiding in plain sight. Fanny copies one of its components to the Windows system32 directory -- a common place for storing malware -- and also creates a start-up registry entry in a predictable location that is commonly used by other malware programs.

This allowed it to masquerade as a run-of-the-mill worm and increased the chances that whoever found it would delete it without giving it much thought. And it worked. Kaspersky's own antivirus products detected Fanny in 2010 as a variant of Zlob, a large family of crimeware-grade malware that presented no interest for further analysis at the time.

According to Kaspersky, there are currently over 11,000 Fanny victims in countries like Pakistan, Indonesia, Vietnam, China, Bangladesh, Nigeria, the United Arab Emirates, Malaysia and Cambodia. However, the real number of victims since 2008 until now is likely to be much higher.

Pakistan currently accounts for the largest number of Fanny infections by far -- almost 60 percent of the total. The country, along with Russia and Iran, is among the main targets of the Equation group when taking into account infection statistics from the group's other malware implants as well.

The Kaspersky researchers also established that some of the other malware programs in the Equation group's toolset have been used to target some of the Iranian industrial automation companies that became the first Stuxnet victims.


Lucian Constantin

IDG News Service