Aysun wrote:No, I'm looking for a sample too. We can't contact anyone from conference and ask for hash of their sample maybe?try to contact the CCC http://ccc.de/en/contact
A forum for reverse engineering, OS internals and malware analysis
Texting ATMs for Cash Shows Cybercriminals’ Increasing Sophistication ~ http://www.symantec.com/connect/blogs/t ... istication
Well, there are some "commercial" and security issues involved in this ploutus campaign.
First there is the real threat.
I had the chance to analyse the malware so kindly provided here and it is a valid threat.
It is engineered by someone with deep knowledge of ATM functionality and exploits some features found in many ATM terminals in existence right now.
However, being a POI ( point of interaction) attack, it is relatively hard to scale since it requires phisycal access to the machine and PC cage.
Processors and providers and private owners are at risk if they do not have alarm systems installed on their ATM's.
Locking down BIOS is a good option but if the attacker has enough time he can open the PC cage and clear the BIOS NVRAM.
In some situations, the USB printer port was used to gain access to the PC by drilling holes in a predetermined area of the ATM fascia and plugging in a USB stick followed by a power cycle of the ATM.
In all presented and confirmed cases, the malware was delivered via a bootable disk to bypass some of the security software installed on the atm HDD since these are not active in offline mode.
This feature again prooves the knowledge in ATM systems and functionality by the malware creator.
Another way of installing the malware is to use technicians that service the machines.
There are several reports where the technicians were either bribed or threatened and forced to install the malware on the ATMs.
Another side of this is the "commercial" side which is much more interesting.
Now over 80% of the ATM's currently running in the world are running a version of windows.
Some of them are however unaffected by Ploutus(they run windows CE) but the rest of them are susceptible to this threat.
Now there are several interests in here.
New software licenses (XP ends support in April), new hardware( since w7 has a new driver model and the PC's in existence on ATM's are several years old, there is no chance in finding suitable drivers for more than 50% of the ATM fleet in existence, new security software and ATM application software.
One of the issues in ATM industry is the resilience of ATM network owners to changes.
Not because they would not welcome the change, But because it costs a big amount of money in new hardware( usualy the price of an ATM PC is twice or even three times more than an off the shelf PC ) and the entire software stack installed has to undergo a long line of tests and certifications that cost another truckload of money.
I personally believe that the current "plotus" threat, aside from the fact that is a security breach that has to be adressed, it is used by certain companies to push ATM owners into the costly upgrades they have been avoiding so far.
Again from the point of view of scale, ploutus is a single point infection and it cannot propagate itself like other malicious software due to the nature of the ATM networks and the restrictions imposed in them.
Compared to phisycal attacks, i would put ploutus on the same line if not less than attacks by explosives or gas.
And for these kinds of attacks, the ATM owners are already covered.
So ploutus is not as much a threat.
It is used as a way of pushing sales.
First there is the real threat.
I had the chance to analyse the malware so kindly provided here and it is a valid threat.
It is engineered by someone with deep knowledge of ATM functionality and exploits some features found in many ATM terminals in existence right now.
However, being a POI ( point of interaction) attack, it is relatively hard to scale since it requires phisycal access to the machine and PC cage.
Processors and providers and private owners are at risk if they do not have alarm systems installed on their ATM's.
Locking down BIOS is a good option but if the attacker has enough time he can open the PC cage and clear the BIOS NVRAM.
In some situations, the USB printer port was used to gain access to the PC by drilling holes in a predetermined area of the ATM fascia and plugging in a USB stick followed by a power cycle of the ATM.
In all presented and confirmed cases, the malware was delivered via a bootable disk to bypass some of the security software installed on the atm HDD since these are not active in offline mode.
This feature again prooves the knowledge in ATM systems and functionality by the malware creator.
Another way of installing the malware is to use technicians that service the machines.
There are several reports where the technicians were either bribed or threatened and forced to install the malware on the ATMs.
Another side of this is the "commercial" side which is much more interesting.
Now over 80% of the ATM's currently running in the world are running a version of windows.
Some of them are however unaffected by Ploutus(they run windows CE) but the rest of them are susceptible to this threat.
Now there are several interests in here.
New software licenses (XP ends support in April), new hardware( since w7 has a new driver model and the PC's in existence on ATM's are several years old, there is no chance in finding suitable drivers for more than 50% of the ATM fleet in existence, new security software and ATM application software.
One of the issues in ATM industry is the resilience of ATM network owners to changes.
Not because they would not welcome the change, But because it costs a big amount of money in new hardware( usualy the price of an ATM PC is twice or even three times more than an off the shelf PC ) and the entire software stack installed has to undergo a long line of tests and certifications that cost another truckload of money.
I personally believe that the current "plotus" threat, aside from the fact that is a security breach that has to be adressed, it is used by certain companies to push ATM owners into the costly upgrades they have been avoiding so far.
Again from the point of view of scale, ploutus is a single point infection and it cannot propagate itself like other malicious software due to the nature of the ATM networks and the restrictions imposed in them.
Compared to phisycal attacks, i would put ploutus on the same line if not less than attacks by explosives or gas.
And for these kinds of attacks, the ATM owners are already covered.
So ploutus is not as much a threat.
It is used as a way of pushing sales.
how exacly they work with ploutus and wats the code we must use for runing ploutus ??
thanks
thanks
peteramster wrote:how exacly they work with ploutus and wats the code we must use for runing ploutus ??read the thread again.
thanks
teddybear wrote:http://blog.spiderlabs.com/2013/10/havi ... outus.html
Many thanks for this informative thread and the share. I'm now trying to understand ploutus. I read that the newer version gets installed from mobile phone via a text message. Have to check all that. Thanks again.
Xylitol Thanks a +rep for the slick passcode entry its literally in my face . :/
New Variant of Ploutus ATM Malware Observed in the Wild in Latin America ~ https://www.fireeye.com/blog/threat-res ... riant.html
Diebold.exe - https://www.virustotal.com/en/file/04db ... 487265583/
AgilisConfigurationUtility.exe - https://www.virustotal.com/en/file/aee9 ... 487265968/
Diebold.exe - https://www.virustotal.com/en/file/04db ... 487265583/
AgilisConfigurationUtility.exe - https://www.virustotal.com/en/file/aee9 ... 487265968/
Attachments
infected
(311.63 KiB) Downloaded 94 times
(311.63 KiB) Downloaded 94 times
Seems, Fireeye missed this sample for their article:
Diebold.exe: https://virustotal.com/ru/file/0971c166 ... 487497822/ (also BKDR_PLOUTUS.D by TrendMicro)
MD5: 328ec445fce0ec1e15972fef9ec4ce38
SHA1: ad8a7c5d1287b1fb8b8e874ba9bdb7be0ee971f9
SHA256: 0971c166826163093093fb199d883f2544055bdcfc671e7789bd5088992debe5
Diebold.exe: https://virustotal.com/ru/file/0971c166 ... 487497822/ (also BKDR_PLOUTUS.D by TrendMicro)
MD5: 328ec445fce0ec1e15972fef9ec4ce38
SHA1: ad8a7c5d1287b1fb8b8e874ba9bdb7be0ee971f9
SHA256: 0971c166826163093093fb199d883f2544055bdcfc671e7789bd5088992debe5