The Stuxnet computer worm that was used to sabotage the Iranian nuclear program was likely preceded by another sophisticated malware program that used some of the same exploits and spread through USB thumb drives to computers isolated from the Internet.
The USB worm is called Fanny and is part of a sophisticated malware toolset used by a cyberespionage group that researchers from Russian antivirus firm Kaspersky Lab have dubbed Equation.
Kaspersky published a detailed report Monday about Equation, which it considers the most advanced group of attackers to date and whose activity spans back to 2001 and possibly even to 1996. Even though the company stopped short of directly linking the group to the U.S. National Security Agency, there are significant details that point to such links.
One of those apparent links lies in similarities between the Fanny worm, which has been used by the Equation group since at least 2008, and the Stuxnet worm, which, according to multiple news articles and books citing unnamed U.S. government sources, was developed by the NSA and Israel's intelligence services.
Fanny is a worm that spreads through USB thumb drives with the goal of gathering intelligence. Its focus appears to be the mapping of air-gapped computer networks — networks of computers that are isolated from the Internet.
There are several things that make Fanny remarkable. First, it used the same LNK exploit as Stuxnet to spread, but did so before Stuxnet did. The LNK vulnerability was patched by Microsoft in 2010 after Stuxnet was discovered, but Fanny had used it since 2008. The first known variant of Stuxnet dates from 2009. Fanny also exploited a second vulnerability in Windows that was a zero-day — an unpatched flaw — at the time and was later used by some versions of Stuxnet.
There are also other similarities between the two malware programs, the Kaspersky researchers said Tuesday in a blog post that contains an in-depth technical analysis of Fanny.
For example, it appears that both the developers of Stuxnet and of Fanny follow certain coding guidelines that involve the use of unique numbers, the researchers said.
The fact that two different computer worms used the same zero-day exploits in the same way and at around the same time indicates that their developers are either the same persons or working closely together, the Kaspersky researchers said.
The complexity of Fanny doesn't stop with its use of zero-days. For example, the malware program creates a hidden storage area on USB drives that are formatted with the FAT16 or FAT32 file system. It does this by using an undocumented combination of file system flags to create a 1MB container that is ignored by the standard FAT drivers used by Windows and other operating systems.
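The article does not name the flag combination Fanny used, so the following is an added, defender-side example (not Kaspersky's code and not a description of Fanny's actual on-disk layout) of how a forensic tool can walk a raw FAT directory table and flag entries that a standard driver would skip or misreport. The heuristics (reserved attribute bits, a volume-label entry that points at data, a directory with a size) are this example's own assumptions, and the sample table is constructed.

```python
import struct

ATTR_HIDDEN, ATTR_SYSTEM, ATTR_VOLUME_ID = 0x02, 0x04, 0x08  # FAT attribute bits
ATTR_DIRECTORY, ATTR_ARCHIVE, ATTR_LFN = 0x10, 0x20, 0x0F
ATTR_RESERVED = 0xC0  # bits 6-7 must be zero; most drivers skip entries that set them

def parse_entries(table: bytes):
    """Yield (name, attr, first_cluster, size) per live entry; 0x00 ends the table, 0xE5 is deleted."""
    for off in range(0, len(table) - 31, 32):
        raw = table[off:off + 32]
        if raw[0] == 0x00:
            break
        if raw[0] == 0xE5:
            continue
        hi, = struct.unpack_from("<H", raw, 0x14)    # FstClusHI (FAT32)
        lo, = struct.unpack_from("<H", raw, 0x1A)    # FstClusLO
        size, = struct.unpack_from("<I", raw, 0x1C)  # FileSize
        yield raw[:11].decode("ascii", "replace"), raw[11], (hi << 16) | lo, size

def suspicious_entries(table: bytes):
    """Return (name, reason) for entries a standard FAT driver would skip or misreport."""
    findings = []
    for name, attr, cluster, size in parse_entries(table):
        if attr == ATTR_LFN:
            continue  # long-file-name slots legitimately use this odd combination
        if attr & ATTR_RESERVED:
            findings.append((name.strip(), "reserved attribute bits set"))
        elif attr & ATTR_VOLUME_ID and (cluster or size):
            findings.append((name.strip(), "volume-label entry that points at data"))
        elif attr & ATTR_DIRECTORY and size:
            findings.append((name.strip(), "directory entry with non-zero size"))
    return findings

def make_entry(name: str, attr: int, cluster: int = 0, size: int = 0) -> bytes:
    """Constructed 32-byte entry for the sample table (timestamps left zero)."""
    e = bytearray(32)
    e[:11], e[11] = name.ljust(11).encode("ascii"), attr
    struct.pack_into("<H", e, 0x14, cluster >> 16)
    struct.pack_into("<H", e, 0x1A, cluster & 0xFFFF)
    struct.pack_into("<I", e, 0x1C, size)
    return bytes(e)

SAMPLE_TABLE = b"".join([  # constructed: two ordinary entries, a label, a label-flagged 1 MB blob
    make_entry("REPORT  DOC", ATTR_ARCHIVE, cluster=3, size=12345),
    make_entry("PHOTOS     ", ATTR_DIRECTORY, cluster=7),
    make_entry("NO NAME    ", ATTR_VOLUME_ID),
    make_entry("~TMP       ", ATTR_VOLUME_ID | ATTR_HIDDEN | ATTR_SYSTEM, 9, 1 << 20),
    bytes(32),  # end-of-table marker
])
```

Run against a directory table carved from a drive image, the function lists entries worth a closer look at the cluster chain they reference.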