Those systems simply ignore the hidden storage area, treating it as a corrupt data block, but Fanny ships its own modified FAT driver that can read and write inside that container. The malware uses it to store stolen files and system information: OS version, Service Pack number, computer name, user name, company name and the list of processes running on the infected machine.
If the rigged USB stick is later used to infect a computer that has Internet access, the malware will upload the data from the hidden container to the attackers. In turn, they can use this special storage area to save commands that will be executed on the air-gapped computers when the same USB drive is plugged back into them.
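A practitioner checking a USB stick for this kind of container would look in the FAT itself. The article does not describe Fanny's container format, so the following is an added example (not Kaspersky's code or anything from the original page) that checks the generic technique the text describes: clusters whose FAT entry says "bad" so that a normal driver never touches them, yet which hold non-zero data. It parses the BIOS Parameter Block, walks every FAT entry (FAT12, FAT16 and FAT32 widths), and reports bad-marked clusters that are not empty. The disk image, the bad-cluster layout and the payload are constructed in `build_demo_image()` purely for the demonstration.

```python
import struct

# FAT-entry value that marks a cluster as bad, per FAT width.
BAD_CLUSTER = {12: 0xFF7, 16: 0xFFF7, 32: 0x0FFFFFF7}


def parse_bpb(img):
    """Read the geometry we need from the BIOS Parameter Block of a FAT volume."""
    bps, spc, reserved, nfats, root_entries, total16 = struct.unpack_from("<HBHBHH", img, 11)
    fat_sectors16 = struct.unpack_from("<H", img, 22)[0]
    total32 = struct.unpack_from("<I", img, 32)[0]
    fat_sectors32 = struct.unpack_from("<I", img, 36)[0]   # only meaningful on FAT32
    total = total16 or total32
    fat_sectors = fat_sectors16 or fat_sectors32
    root_sectors = (root_entries * 32 + bps - 1) // bps    # 0 on FAT32 (root is a cluster chain)
    data_start = reserved + nfats * fat_sectors + root_sectors
    clusters = (total - data_start) // spc
    # FAT width is defined by the cluster count, not by the label in the boot sector.
    ftype = 12 if clusters < 4085 else 16 if clusters < 65525 else 32
    return dict(bps=bps, spc=spc, fat_off=reserved * bps, fat_len=fat_sectors * bps,
                data_start=data_start, clusters=clusters, ftype=ftype)


def fat_entry(fat, ftype, n):
    """Return the FAT entry for cluster n, handling the 12/16/32-bit packings."""
    if ftype == 12:
        val = struct.unpack_from("<H", fat, n + n // 2)[0]
        return (val >> 4) if n & 1 else (val & 0xFFF)
    if ftype == 16:
        return struct.unpack_from("<H", fat, 2 * n)[0]
    return struct.unpack_from("<I", fat, 4 * n)[0] & 0x0FFFFFFF


def cluster_bytes(img, geo, n):
    """Raw contents of data cluster n (cluster numbering starts at 2)."""
    off = (geo["data_start"] + (n - 2) * geo["spc"]) * geo["bps"]
    return img[off: off + geo["spc"] * geo["bps"]]


def find_hidden_storage(img):
    """Clusters marked bad in the FAT that nevertheless contain non-zero data."""
    geo = parse_bpb(img)
    fat = img[geo["fat_off"]: geo["fat_off"] + geo["fat_len"]]
    bad = BAD_CLUSTER[geo["ftype"]]
    suspicious = []
    for n in range(2, geo["clusters"] + 2):
        if fat_entry(fat, geo["ftype"], n) == bad and any(cluster_bytes(img, geo, n)):
            suspicious.append(n)
    return suspicious


def build_demo_image():
    """Constructed FAT16 image: one genuinely bad cluster plus three bad-marked clusters hiding data."""
    bps, spc, reserved, nfats, root_entries, fat_sectors, clusters = 512, 1, 1, 1, 16, 17, 4200
    root_sectors = 1
    data_start = reserved + nfats * fat_sectors + root_sectors
    total = data_start + clusters * spc                    # 4219 sectors, FAT16 by cluster count
    img = bytearray(total * bps)
    img[0:3], img[3:11], img[510:512] = b"\xEB\x3C\x90", b"MSWIN4.1", b"\x55\xAA"
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats, root_entries, total, 0xF8, fat_sectors)
    fat_off = reserved * bps
    struct.pack_into("<HH", img, fat_off, 0xFFF8, 0xFFFF)  # reserved entries 0 and 1

    def mark_bad(n):
        struct.pack_into("<H", img, fat_off + 2 * n, BAD_CLUSTER[16])

    mark_bad(50)                                           # real bad block: marked, zero-filled
    # Hypothetical container: three bad-marked clusters holding a constructed report.
    payload = (b"constructed sample: host=LAB-PC os=5.1 sp=3 user=analyst\n" * 40)[:3 * bps]
    for n in (100, 101, 102, 103):
        mark_bad(n)                                        # 103 is marked but left empty
    off = (data_start + (100 - 2) * spc) * bps
    img[off: off + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    print(find_hidden_storage(build_demo_image()))         # [100, 101, 102]
```

On a real device, pass the raw image (for example the output of `dd` on the stick) to `find_hidden_storage`. A hit is not proof by itself: a cluster can be marked bad after it held legitimate file data, so the next step is to dump the flagged clusters and inspect them. Contiguous runs of non-empty bad clusters, as in the constructed image, are the pattern worth escalating.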
"While the true target of Fanny remains unknown, its unique capability to map air-gapped networks and communicate via USB sticks indicates a lot of work went into gaining the ability to access these air-gapped networks," the Kaspersky researchers said. "As a precursor for the versions of Stuxnet that could replicate through the network, it's possible that Fanny was used to map some of the future targets of Stuxnet."
Another testament to the sophistication of the Equation group is that they actually wanted the Fanny malware to be easy for anti-malware tools to find, but to look like a low-risk threat when found.
Fanny has a rootkit component that hides files from Windows Explorer and also uses unusual start-up registry entries, so it is quite capable of remaining undetected for long periods of time. However, the attackers knew that if the malware was ever discovered despite these techniques, it would pique the interest of malware analysts.
Therefore they resorted to a deception technique that amounts to hiding in plain sight. Fanny copies one of its components into the Windows system32 directory, a common drop location for ordinary malware, and also creates a start-up registry entry in a predictable location commonly used by other malware programs.
This allowed it to masquerade as a run-of-the-mill worm and increased the chances that whoever found it would delete it without a second thought. And it worked. Kaspersky's own antivirus products detected Fanny in 2010 as a variant of Zlob, a large family of crimeware-grade malware that was of no interest for further analysis at the time.
According to Kaspersky, there are currently over 11,000 Fanny victims in countries like Pakistan, Indonesia, Vietnam, China, Bangladesh, Nigeria, the United Arab Emirates, Malaysia and Cambodia. However, the real number of victims from 2008 to now is likely to be much higher.
Pakistan currently accounts for by far the largest number of Fanny infections, almost 60 percent of the total. The country, along with Russia and Iran, is among the main targets of the Equation group when infection statistics from the group's other malware implants are taken into account as well.