Fanny Malware: "11.000 Computers Precursor Stuxnet Infected"

Still 11,000 computers worldwide are infected with a sophisticated worm that was developed in 2008 and is considered the forerunner of the infamous Stuxnet worm. The Fanny worm was yesterday already revealed by Kaspersky Lab, and today there are more details disclosed.

The worm used two zero-day vulnerabilities in Windows to spread via USB sticks. Connecting an infected USB drive on a Windows computer, even if it is disabled Autorun, was enough to get infected. The worm the LNK vulnerability used in this case that later was used by the Stuxnet worm. The second vulnerability used Fanny made sure that the malware had administrator rights. The vulnerabilities were patched by Microsoft in 2009 and 2010.

Although Stuxnet known as the first malware that used the LNK vulnerability, a Trojan horse in 2010 it was discovered that already spread through the leak. It was the Zlob Trojan, part of a large family of malware. However, no one paid attention given to this instance of malware in the anti-virus industry. The makers of Fanny used a common method to load the malware while starting Windows, making the creation as Zlob was detected.

Indeed, it was a registry value created to start automatically. According to researchers, the malware writers have done this deliberately, so as automatic control of anti-virus companies and researchers to lead the garden. That would detect the malware and namely because of the widely used starting technique, pay no further attention. Therefore, the deeper operation and functionality of Fanny remained hidden.

The main functionality of the worm is in the mapping of systems and networks that are not connected to the Internet. Where Stuxnet worked only on specific systems, Fanny infected all Windows computers where it landed. Not only could easily infect the worm computers. Once USB drives were connected to an infected computer, which also became infected and could spread the worm further.

The researchers knew the Command & Control server that the attackers used to control infected computers take over. In total still made 11,200 unique IP addresses connecting to this server. Sixty percent of it comes from Pakistan, followed by Indonesia (16%) and Vietnam (14%). Whether Pakistan was the original target of Fanny is unknown. The situation may be different when the worm was used between 2008 and 2010. However, the researchers note that the group that Fanny has also developed other malware made that it had provided to Pakistan.

However, the real targets of Fanny is unknown, say the researchers. Possible that the worm is used to select potential targets for Stuxnet. Another remarkable fact is the large number of infections in Pakistan. The use of USB drives is indeed a slow diffusion method. Therefore, the researchers also think that the first infections occurred in Pakistan.