Fanny superworm likely the precursor to Stuxnet

The worm, used by the Equation cyberespionage group, relied on zero-day exploits that were later used in Stuxnet

The Stuxnet computer worm that was used to sabotage the Iranian nuclear program was likely preceded by another sophisticated malware program that used some of the same exploits and spread through USB thumb drives to computers isolated from the Internet.

The USB worm is called Fanny and is part of a sophisticated malware toolset used by a cyberespionage group that researchers from Russian antivirus firm Kaspersky Lab have dubbed Equation.

Kaspersky published a detailed report Monday about Equation, which it considers the most advanced group of attackers to date and whose activity spans back to 2001 and possibly even to 1996. Even though the company stopped short of directly linking the group to the U.S. National Security Agency, there are significant details that point to such links.

One of those apparent links lies in the similarities between the Fanny worm, which has been used by the Equation group since at least 2008, and the Stuxnet worm, which, according to multiple news articles and books that cite unnamed U.S. government sources, was developed by the NSA and Israel's intelligence services.

Fanny is a worm that spreads through USB thumb drives with the goal of gathering intelligence. Its focus appears to be the mapping of air-gapped computer networks -- networks of computers that are isolated from the Internet.

There are several things that make Fanny remarkable. First, it used the same LNK exploit as Stuxnet to spread, and it did so before Stuxnet existed. The LNK vulnerability was patched by Microsoft in 2010 after Stuxnet was discovered, but Fanny had used it since 2008. The first known variant of Stuxnet dates from 2009. Fanny also exploited a second vulnerability in Windows that was a zero-day -- an unpatched flaw -- at the time and was later used by some versions of Stuxnet.

There are also other similarities between the two malware programs, the Kaspersky researchers said Tuesday in a blog post that contains an in-depth technical analysis of Fanny.

For example, it appears that both the developers of Stuxnet and of Fanny follow certain coding guidelines that involve the use of unique numbers, the researchers said.

The fact that two different computer worms used the same zero-day exploits in the same way and at around the same time indicates that their developers are either the same persons or working closely together, the Kaspersky researchers said.

The complexity of Fanny doesn't stop with its use of zero-days. For example, the malware program creates a hidden storage area on USB drives that are formatted with the FAT16 or FAT32 file system. It does this by using an undocumented combination of file system flags to create a 1MB container that is ignored by the standard FAT drivers used by Windows and other operating systems.

Those systems will simply ignore the hidden storage area because they'll view it as a corrupt data block, but Fanny has its own modified FAT driver that allows it to read and write data in that container. The malware uses it to store stolen files and information like the OS versions, Service Pack numbers, computer names, user names, company names and the running processes of infected computers.
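As an added illustration (not from Kaspersky's analysis or the original article), the Python example below shows how a defender could scan a raw dump of a FAT directory for entries whose attribute byte falls outside the documented combinations, the kind of entry a standard driver skips. The article does not say which flags Fanny uses; the two checks, the function names and the sample directory are assumptions constructed for this example.

```python
import struct

ATTR_VOLUME_ID, ATTR_DIRECTORY = 0x08, 0x10
ATTR_LONG_NAME, ATTR_RESERVED = 0x0F, 0xC0

def classify_attr(attr):
    """Return why an attribute byte is outside documented use, or None."""
    if attr & ATTR_RESERVED:
        return "reserved bits 0x40/0x80 set"
    if (attr & 0x3F) == ATTR_LONG_NAME:
        return None  # ordinary long-file-name entry
    if (attr & ATTR_VOLUME_ID) and (attr & ATTR_DIRECTORY):
        return "volume-label and directory bits combined"
    return None

def scan_directory(raw):
    """Walk 32-byte FAT directory entries and report anomalous ones."""
    findings = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:   # end-of-directory marker
            break
        if entry[0] == 0xE5:   # deleted entry
            continue
        reason = classify_attr(entry[11])
        if reason:
            # First-cluster high word at 20, low word at 26, size at 28.
            hi, lo, size = struct.unpack_from("<H4xHI", entry, 20)
            findings.append({"offset": off,
                             "name": entry[:11].decode("ascii", "replace"),
                             "attr": entry[11],
                             "first_cluster": (hi << 16) | lo,
                             "size": size, "reason": reason})
    return findings

def make_entry(name, attr, cluster=0, size=0):
    """Build one directory entry for the constructed sample below."""
    return struct.pack("<11sB8xH4xHI", name, attr,
                       cluster >> 16, cluster & 0xFFFF, size)

# Constructed sample directory; flag values are illustrative, not Fanny's.
SAMPLE_DIR = (make_entry(b"USBDRIVE   ", 0x08)
              + make_entry(b"REPORT  DOC", 0x20, 5, 4096)
              + make_entry(b"CONTAIN BIN", 0x18, 9, 1 << 20)
              + make_entry(b"NOTES   TXT", 0xA0, 12, 100)
              + bytes(32))

if __name__ == "__main__":
    for finding in scan_directory(SAMPLE_DIR):
        print(finding)
```

On a real drive the input would be the root-directory region read from a forensic image, located through the boot sector's BIOS parameter block.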

If the rigged USB stick is later used to infect a computer that has Internet access, the malware will upload the data from the hidden container to the attackers. In turn, they can use this special storage area to save commands that will be executed on the air-gapped computers when the same USB drive is plugged back into them.

"While the true target of Fanny remains unknown, its unique capability to map air-gapped networks and communicate via USB sticks indicate a lot of work went into gaining the ability to access these air-gapped networks," the Kaspersky researchers said. "As a precursor for the versions of Stuxnet that could replicate through the network, it's possible that Fanny was used to map some of the future targets of Stuxnet."

Another testament to the sophistication of the Equation group is that they actually wanted the Fanny malware to be easily discoverable by anti-malware tools, but to appear as some low-risk threat.

Fanny has a rootkit component that hides files in Windows Explorer and also uses unusual start-up registry entries, so it is quite capable of remaining undetected for long periods of time. However, the attackers knew that if the malware was ever discovered despite these clever techniques, it would pique the interest of malware analysts.

Therefore they resorted to a deception technique that involves hiding in plain sight. Fanny copies one of its components to the Windows system32 directory -- a common place for storing malware -- and also creates a start-up registry entry in a predictable location that is commonly used by other malware programs.

This allowed it to masquerade as a run-of-the-mill worm and increased the chances that whoever found it would delete it without giving it much thought. And it worked. Kaspersky's own antivirus products detected Fanny in 2010 as a variant of Zlob, a large family of crimeware-grade malware that presented no interest for further analysis at the time.

According to Kaspersky, there are currently over 11,000 Fanny victims in countries like Pakistan, Indonesia, Vietnam, China, Bangladesh, Nigeria, the United Arab Emirates, Malaysia and Cambodia. However, the real number of victims from 2008 until now is likely to be much higher.

Pakistan currently accounts for the largest number of Fanny infections by far -- almost 60 percent of the total. The country, along with Russia and Iran, is among the main targets of the Equation group when infection statistics from the group's other malware implants are taken into account as well.

The Kaspersky researchers also established that some of the other malware programs in the Equation group's toolset have been used to target some of the Iranian industrial automation companies that became the first Stuxnet victims.


Stories by Lucian Constantin
