The Stuxnet computer worm that was used to sabotage the Iranian nuclear program was likely preceded by another sophisticated malware program that used some of the same exploits and spread through USB thumb drives to computers isolated from the Internet.
The USB worm is called Fanny and is part of a sophisticated malware toolset used by a cyberespionage group that researchers from Russian antivirus firm Kaspersky Lab have dubbed Equation.
Kaspersky published a detailed report Monday about Equation, which it considers the most advanced group of attackers to date and whose activity spans back to 2001 and possibly even to 1996. Even though the company stopped short of directly linking the group to the U.S. National Security Agency, there are significant details that point to such links.
One of those apparent links lies in similarities between the Fanny worm, which has been used by the Equation group since at least 2008, and the Stuxnet worm, which according to multiple news articles and books that cite unnamed U.S. government sources was developed by the NSA and Israel’s intelligence services.
Crossing the moat
Fanny is a worm that spreads through USB thumb drives with the goal of gathering intelligence. Its focus appears to be mapping air-gapped computer networks—networks of computers that are isolated from the Internet.
There are several things that make Fanny remarkable. First, it used the same LNK exploit as Stuxnet to spread, and it did so before Stuxnet. The LNK vulnerability was patched by Microsoft in 2010 after Stuxnet was discovered, but Fanny had used it since 2008. The first known variant of Stuxnet dates from 2009. Fanny also exploited a second vulnerability in Windows that was a zero-day—an unpatched flaw—at the time and was later used by some versions of Stuxnet.
There are also other similarities between the two malware programs, the Kaspersky researchers said Tuesday in a blog post that contains an in-depth technical analysis of Fanny.
For example, it appears that both the developers of Stuxnet and of Fanny follow certain coding guidelines that involve the use of unique numbers, the researchers said.
The fact that two different computer worms used the same zero-day exploits in the same way and at around the same time indicates that their developers are either the same people or working closely together, the Kaspersky researchers said.
The complexity of Fanny doesn’t stop with its use of zero-days. For example, the malware program creates a hidden storage area on USB drives that are formatted with the FAT16 or FAT32 file system. It does this by using an undocumented combination of file system flags to create a 1MB container that is ignored by the standard FAT drivers used by Windows and other operating systems.
Hiding in plain sight
Those systems simply ignore the hidden storage area because they view it as a corrupt data block, but Fanny has its own modified FAT driver that allows it to read and write data in that container. The malware uses it to store stolen files and information such as the OS version, Service Pack number, computer name, user names, company name and the running processes of infected computers.
If the rigged USB stick is later used to infect a computer that has Internet access, the malware uploads the data from the hidden container to the attackers. In turn, the attackers can use this special storage area to save commands that will be executed on the air-gapped computers when the same USB drive is plugged back into them.
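The article does not spell out which file system flags Fanny abuses, so the following is not a reconstruction of its container. It is an added example, not code from Kaspersky's report, that shows one generic audit a forensic analyst can run on a FAT16 image of a suspect USB stick: walk the directory tree, collect every cluster it references, and report clusters the FAT marks as allocated (or as "bad") that no file or directory reaches. Space that is consumed on the medium but invisible to the normal directory view is exactly the kind of anomaly a hidden container produces. The image is constructed in memory (a 64-sector FAT16 volume with two visible files, an unreferenced four-cluster chain and one cluster flagged bad) so the script runs offline; the layout constants follow the standard BIOS Parameter Block, and the FAT16-only assumption (2-byte FAT entries) is marked in the code.

```python
import struct

BPS = 512  # bytes per sector of the constructed image


def build_sample_image() -> bytes:
    """Construct a tiny FAT16 volume: 1 reserved sector, 1 FAT of 1 sector,
    a 16-entry root directory (1 sector) and 61 one-sector clusters."""
    total_sectors = 64
    img = bytearray(total_sectors * BPS)
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"EXAMPLE "
    # BIOS Parameter Block fields at offset 11, in on-disk order
    struct.pack_into("<HBHBHHBHHHII", img, 11,
                     BPS, 1, 1, 1, 16, total_sectors, 0xF8, 1, 1, 1, 0, 0)
    img[510:512] = b"\x55\xAA"

    fat_off, root_off, data_off = 1 * BPS, 2 * BPS, 3 * BPS

    def set_fat(cluster, value):          # FAT16: one 16-bit entry per cluster
        struct.pack_into("<H", img, fat_off + cluster * 2, value)

    def chain(clusters):                  # link clusters, terminate with EOF
        for a, b in zip(clusters, clusters[1:] + [0xFFFF]):
            set_fat(a, b)

    def cluster_off(n):
        return data_off + (n - 2) * BPS

    def dir_entry(name, attr, first_cluster, size):
        e = bytearray(32)
        e[0:11] = name.ljust(11).encode("ascii")
        e[11] = attr
        struct.pack_into("<H", e, 26, first_cluster)
        struct.pack_into("<I", e, 28, size)
        return bytes(e)

    set_fat(0, 0xFFF8)
    set_fat(1, 0xFFFF)
    # Visible content: README.TXT in clusters 2-3, DOCS\NOTES.TXT in cluster 5
    chain([2, 3]); chain([4]); chain([5])
    img[root_off:root_off + 64] = (dir_entry("README  TXT", 0x20, 2, 700)
                                   + dir_entry("DOCS", 0x10, 4, 0))
    img[cluster_off(2):cluster_off(2) + 700] = b"A" * 700
    sub = (dir_entry(".", 0x10, 4, 0) + dir_entry("..", 0x10, 0, 0)
           + dir_entry("NOTES   TXT", 0x20, 5, 10))
    img[cluster_off(4):cluster_off(4) + len(sub)] = sub
    img[cluster_off(5):cluster_off(5) + 10] = b"notes here"
    # Constructed anomaly: clusters 10-13 allocated but reachable from no entry
    chain([10, 11, 12, 13])
    img[cluster_off(10):cluster_off(10) + 16] = b"hidden container"
    # Constructed anomaly: a cluster marked "bad" on a medium with no defects
    set_fat(20, 0xFFF7)
    return bytes(img)


def parse_boot_sector(img):
    (bps, spc, reserved, nfats, root_entries, total16, _media,
     spf, _spt, _heads, _hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", img, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    first_root = reserved + nfats * spf
    first_data = first_root + root_sectors
    n_clusters = ((total16 or total32) - first_data) // spc
    return dict(bps=bps, spc=spc, fat_off=reserved * bps, root_off=first_root * bps,
                root_entries=root_entries, data_off=first_data * bps, n_clusters=n_clusters)


def read_fat(img, bs):
    # Assumption: FAT16 (16-bit entries). FAT12/FAT32 use different entry widths.
    return list(struct.unpack_from("<%dH" % (bs["n_clusters"] + 2), img, bs["fat_off"]))


def follow_chain(fat, first):
    """Walk a cluster chain; stops at EOF/bad markers and refuses loops."""
    seen, c = [], first
    while 2 <= c < len(fat) and c not in seen:
        seen.append(c)
        c = fat[c]
    return seen


def cluster_bytes(img, bs, c):
    size = bs["bps"] * bs["spc"]
    off = bs["data_off"] + (c - 2) * size
    return img[off:off + size]


def referenced_clusters(img, bs, fat):
    """Every cluster reachable from the root directory, recursing into subdirectories."""
    used = set()

    def walk(raw):
        for i in range(0, len(raw), 32):
            e = raw[i:i + 32]
            if e[0] == 0x00:                      # end-of-directory marker
                break
            if e[0] == 0xE5 or e[11] == 0x0F:     # deleted entry or long-name fragment
                continue
            if e[0:11].startswith(b"."):          # "." and ".." point back into the tree
                continue
            first = struct.unpack_from("<H", e, 26)[0]
            if first < 2:
                continue
            ch = follow_chain(fat, first)
            used.update(ch)
            if e[11] & 0x10:                      # subdirectory: descend into its clusters
                walk(b"".join(cluster_bytes(img, bs, c) for c in ch))

    walk(img[bs["root_off"]:bs["root_off"] + bs["root_entries"] * 32])
    return used


def audit_fat16_image(img):
    """Return (allocated-but-unreferenced clusters, clusters marked bad)."""
    bs = parse_boot_sector(img)
    fat = read_fat(img, bs)
    used = referenced_clusters(img, bs, fat)
    orphaned, bad = [], []
    for c in range(2, len(fat)):
        if fat[c] == 0:
            continue                              # free cluster
        if fat[c] == 0xFFF7:
            bad.append(c)
        elif c not in used:
            orphaned.append(c)
    return orphaned, bad


if __name__ == "__main__":
    orphaned, bad = audit_fat16_image(build_sample_image())
    print("allocated but unreferenced clusters:", orphaned)
    print("clusters marked bad:", bad)
```

Neither finding is proof of malware on its own: orphaned allocations also result from an interrupted write, and genuine flash defects are remapped by the controller rather than marked in the FAT, which is why a bad-cluster mark on a thumb drive deserves a look. The value of the check is that it is made from the FAT metadata directly, so a driver that hides the region from the directory listing cannot hide it here.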
“While the true target of Fanny remains unknown, its unique capability to map air-gapped networks and communicate via USB sticks indicates a lot of work went into gaining the ability to access these air-gapped networks,” the Kaspersky researchers said. “As a precursor for the versions of Stuxnet that could replicate through the network, it’s possible that Fanny was used to map some of the future targets of Stuxnet.”
Another testament to the sophistication of the Equation group is that they actually wanted the Fanny malware to be easily discoverable by anti-malware tools, but to appear as some low-risk threat.
Fanny has a rootkit component that hides files in Windows Explorer and also uses unusual start-up registry entries, so it is quite capable of remaining undetected for long periods of time. However, the attackers knew that if the malware was ever discovered despite these techniques, it would pique the interest of malware analysts.
Therefore they resorted to a deception technique that involves hiding in plain sight. Fanny copies one of its components to the Windows system32 directory—a common place for storing malware—and also creates a start-up registry entry in a predictable location that is commonly used by other malware programs.
This allowed it to masquerade as a run-of-the-mill worm and increased the chances that whoever found it would delete it without giving it much thought. And it worked. Kaspersky’s own antivirus products detected Fanny in 2010 as a variant of Zlob, a large family of crimeware-grade malware that was of no interest for further analysis at the time.
According to Kaspersky, there are currently over 11,000 Fanny victims in countries including Pakistan, Indonesia, Vietnam, China, Bangladesh, Nigeria, the United Arab Emirates, Malaysia and Cambodia. However, the real number of victims from 2008 until now is likely to be much higher.
Pakistan currently accounts for the largest number of Fanny infections by far—almost 60 percent of the total. The country, along with Russia and Iran, is among the main targets of the Equation group when infection statistics from the group’s other malware implants are taken into account as well.
The Kaspersky researchers also established that some of the other malware programs in the Equation group’s toolset have been used to target some of the Iranian industrial automation companies that became the first Stuxnet victims.