Fanny: A Superworm That Preceded Stuxnet with Its Cloaking Techniques

The Stuxnet computer worm, the threat that disrupted the Iranian nuclear program, was preceded by another significant and sophisticated malware program that resembles it and uses the same exploits. It gets into computers isolated from the internet via USB thumb drives. This USB worm is known as Fanny and is considered part of a malware toolset used by a cyber-espionage group that researchers at the Russian antivirus firm Kaspersky Lab have dubbed "Equation". In a detailed report, Kaspersky describes Equation as the most advanced group of attackers known to date and calls it "the Death Star of the malware galaxy". Its activity dates back to 2001 and possibly as far as 1996. Although the firm stopped short of directly linking the group to the U.S. National Security Agency, several substantial details point to such a link.

Fanny is a computer worm that spreads via USB thumb drives. Its purpose is to map air-gapped computer networks, that is, networks of systems that are cut off from the internet.

Several things make Fanny notable. It used the same LNK exploit that Stuxnet used to spread. Microsoft fixed the LNK vulnerability in 2010, soon after Stuxnet was revealed, but Fanny had been using it since 2008; the earliest known Stuxnet variant dates from 2009. Fanny also exploited a second Windows vulnerability that was a zero-day at the time.

Researchers stated that the developers of Stuxnet and Fanny follow several shared coding conventions, including the use of unique numbers. The fact that both worms used the same zero-day exploits, in the same way and at the same time, suggests that their developers were either the same people or were working together.

How Fanny Worm Spreads to Computers

Fanny creates a secret storage area on USB drives formatted with the FAT32 or FAT16 file system. It does so by using an undocumented combination of file-system flags to build a 1 MB container that the standard FAT drivers in Windows and other operating systems ignore, because to them it looks like a corrupt data block. Fanny, however, carries its own modified FAT driver that lets it read from and write to the 1 MB container. It uses the container to collect information and files from infected machines: OS versions, service pack numbers, user names, company names, computer names, and the list of running processes.

If the USB drive is later used to infect a system that has internet access, the malware uploads the contents of the hidden container to the attackers. The hidden storage area can also hold commands to be executed on the air-gapped systems the next time the USB stick is plugged into them.
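The container mechanism described above, illustrated with an added audit script. This is example code written for this page, not Kaspersky's tooling or Fanny's own driver: the report says Fanny's container is built with an undocumented combination of file-system flags that it does not spell out, so the script instead uses the documented equivalent, marking clusters as bad (0xFFF7) in the FAT so that a stock driver treats them as corrupt and never allocates, reads or overwrites them. It builds a small FAT16 image in memory (a constructed sample with a 1 MB run of bad-marked clusters holding a constructed payload), then audits it the way an analyst would audit a suspect stick: parse the BPB, walk every file chain from the root directory, and report any bad-marked clusters that no chain references, dumping their raw bytes.

```python
"""Audit a FAT16 image for clusters marked BAD that no directory entry references.
Constructed example, not Fanny's code: marking clusters BAD (0xFFF7) is the
documented way to make space look like corrupt data to a stock FAT driver."""
import struct

BPS, SPC, RSVD, NFATS, ROOT_ENTS = 512, 1, 1, 1, 16
DATA_CLUSTERS, FAT_SECTORS = 4096, 17          # >= 4085 clusters, so FAT16
TOTAL_SECTORS = RSVD + NFATS * FAT_SECTORS + (ROOT_ENTS * 32) // BPS + DATA_CLUSTERS
FAT16_BAD, FAT16_EOC = 0xFFF7, 0xFFFF
BPB_FMT = '<HBHBHHBHHHII'                      # BPB fields from offset 11

def build_image(hidden_start, hidden_len, payload):
    """Constructed image: README.TXT in cluster 2, plus hidden_len clusters
    from hidden_start marked BAD in the FAT and holding payload."""
    img = bytearray(TOTAL_SECTORS * BPS)
    img[0:3] = b'\xEB\x3C\x90'
    struct.pack_into(BPB_FMT, img, 11, BPS, SPC, RSVD, NFATS, ROOT_ENTS,
                     TOTAL_SECTORS, 0xF8, FAT_SECTORS, 63, 255, 0, 0)
    img[510:512] = b'\x55\xAA'
    fat = [0] * (DATA_CLUSTERS + 2)
    fat[0], fat[1], fat[2] = 0xFFF8, FAT16_EOC, FAT16_EOC   # media, reserved, README
    for c in range(hidden_start, hidden_start + hidden_len):
        fat[c] = FAT16_BAD                      # a normal driver never allocates these
    struct.pack_into('<%dH' % len(fat), img, RSVD * BPS, *fat)
    root = (RSVD + NFATS * FAT_SECTORS) * BPS
    img[root:root + 11] = b'README  TXT'
    img[root + 11] = 0x20                       # ATTR_ARCHIVE
    struct.pack_into('<HI', img, root + 26, 2, 6)   # first cluster, size
    data = root + ROOT_ENTS * 32
    img[data:data + 6] = b'hello\n'
    if hidden_len:
        off = data + (hidden_start - 2) * SPC * BPS
        img[off:off + len(payload)] = payload
    return img

def parse_bpb(img):
    """Geometry from the BIOS Parameter Block in sector 0."""
    (bps, spc, rsvd, nfats, root_ents, tot16, _m, fatsz16,
     _spt, _hd, _hid, tot32) = struct.unpack_from(BPB_FMT, img, 11)
    root_start = rsvd + nfats * fatsz16
    data_start = root_start + (root_ents * 32 + bps - 1) // bps
    return dict(bps=bps, spc=spc, fat_start=rsvd, root_start=root_start,
                root_ents=root_ents, data_start=data_start,
                cluster_count=((tot16 or tot32) - data_start) // spc)

def read_fat16(img, geo):
    n = geo['cluster_count'] + 2                # entries 0 and 1 are reserved
    return struct.unpack_from('<%dH' % n, img, geo['fat_start'] * geo['bps'])

def referenced_clusters(img, geo, fat):
    """Clusters reachable by walking chains from root 8.3 entries
    (subdirectories are not descended, for brevity)."""
    refs, off = set(), geo['root_start'] * geo['bps']
    for i in range(geo['root_ents']):
        e = img[off + i * 32:off + (i + 1) * 32]
        if e[0] == 0x00:
            break                               # end of directory
        if e[0] == 0xE5 or e[11] == 0x0F or e[11] & 0x08:
            continue                            # deleted, LFN piece, volume label
        c = struct.unpack_from('<H', e, 26)[0]
        while 2 <= c < FAT16_BAD and c < len(fat) and c not in refs:
            refs.add(c)
            c = fat[c]
    return refs

def find_hidden_runs(img):
    """(start, length) of each run of BAD clusters no file chain touches:
    space a stock driver will never read, allocate or overwrite."""
    geo = parse_bpb(img)
    fat = read_fat16(img, geo)
    refs = referenced_clusters(img, geo, fat)
    runs, start = [], None
    for c in range(2, geo['cluster_count'] + 2):
        hidden = fat[c] == FAT16_BAD and c not in refs
        if hidden and start is None:
            start = c
        elif not hidden and start is not None:
            runs.append((start, c - start))
            start = None
    if start is not None:
        runs.append((start, geo['cluster_count'] + 2 - start))
    return runs

def extract_run(img, start, length):
    """Raw bytes of a cluster run, read straight from the data region."""
    geo = parse_bpb(img)
    first = (geo['data_start'] + (start - 2) * geo['spc']) * geo['bps']
    return bytes(img[first:first + length * geo['spc'] * geo['bps']])

if __name__ == '__main__':
    # 2048 clusters x 512 bytes = the 1 MB container the report describes
    image = build_image(100, 2048, b'CONSTRUCTED: OS=6.1 SP=1 USER=alice HOST=LAB-PC\n')
    for s, n in find_hidden_runs(image):
        blob = extract_run(image, s, n)
        print('unreferenced BAD run: clusters %d-%d, %d bytes, starts %r'
              % (s, s + n - 1, len(blob), blob[:32]))
```

On a real stick you would load a raw dd image into `img` and treat a non-zero, unreferenced bad-cluster run as a lead rather than proof, since genuinely failing media also produces bad-marked clusters. Fanny's container used a different, undocumented flag combination, so a check for this one pattern alone would not have caught it; the general approach of comparing what the allocation table claims against what the directory tree actually references is what carries over.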

Fanny includes a rootkit component that can hide files from Windows Explorer, and it uses unusual start-up registry entries. These techniques let it stay unnoticed for a long time. The attackers also understood that if the malware were discovered despite these tricks, it would attract the attention of malware analysts, so they added a deception technique that amounts to hiding in plain sight: Fanny copies one of its components to the Windows system32 directory, a common place for malware to reside, and creates a start-up registry entry in a predictable location that other malware programs also use.

This let it pass as a run-of-the-mill worm and increased the chances that whoever found it would simply delete it without much thought. It worked: Kaspersky's own antivirus products detected Fanny as early as 2010, yet its true nature went unrecognized until the Equation investigation.

According to Kaspersky, over 11,000 Fanny targets have been found, in countries including Pakistan, Indonesia, China, Vietnam, Bangladesh, the United Arab Emirates, Cambodia, Malaysia and Nigeria. Since the worm has been active since 2008, the true number is likely higher.

Pakistan accounts for by far the largest share of Fanny infections, roughly 60 percent of the total. Iran and Russia are considered the Equation group's main targets overall.

Kaspersky's researchers also said that other malware from the Equation group's toolset was used to infect several Iranian industrial automation companies that were among the first victims of Stuxnet.
