
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 1, 2014


How ATMs powered by Windows XP can be hacked to dispense cash by a simple SMS

A lot has been said about the increased vulnerability of Windows XP machines, especially with support ending on April 8, 2014. With many Indian banks still using ATMs powered by Windows XP, the recent discovery by Symantec may be an alarm for Indian businesses. In a blog post, Symantec’s Daniel Regalado explains how this is done:

Connecting a mobile phone to the ATM

The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM. There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).

The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, full two-way connectivity is established and the phone is ready to be used. Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.

Sending SMS messages to the ATM

After the mobile phone is connected to the ATM and set up is completed, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable.

The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM. As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus.

An example of such a command is shown below:

cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985

In previous versions of Ploutus, the master criminal would have to share these digits with the money mule, which could allow the money mule to defraud the master criminal if they realize what the code allows them to do. In this version of Ploutus, the mule never sees the 16 digits, giving the master criminal added security and the ability to centrally control cash withdrawals. The code is active for 24 hours.

Using SMS messages to remotely control the ATM is a much more convenient method for all of the parties in this scheme, because it is discreet and works almost instantly. The master criminal knows exactly how much the money mule will be getting, and the money mule does not need to linger for extended periods around an ATM waiting for it to issue the cash. The master criminal and money mule can synchronize their actions so that the money is issued just as the money mule pretends to withdraw cash or is walking past the ATM.

Putting it all together

Now that we have looked into the details of how this scheme works, here’s an overview of how it all fits together.

The attacker installs Ploutus on the ATM and connects a mobile phone to the machine with a USB cable.

  1. The controller sends two SMS messages to the mobile phone inside the ATM.
  2. SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM.
  3. SMS 2 must contain a valid dispense command to get the money out.
  4. The phone detects valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet.
  5. In the ATM, the network packet monitor module receives the TCP/UDP packet and if it contains a valid command, it will execute Ploutus.
  6. Ploutus causes the ATM to spew out the cash. The amount of cash dispensed is pre-configured inside the malware.
  7. The cash is collected from the ATM by the money mule.
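The description above (the network packet monitor searching packets for the activation number and the 16-digit code that follows it, and the command line Ploutus is launched with) gives a defender two concrete things to look for: the trigger pattern in TCP/UDP payloads reaching the ATM, and a cmd.exe process launching PLOUTOS.EXE with that pattern on its command line. The following Python detector is an added example written for this page; it is not code from Symantec or from the malware. The only values taken from the article are the activation number 5449610000583686 and the example command line; the log format, the sample packets and the sample log lines are constructed here, and it is an assumption that the "=" separator may or may not appear on the wire, so both forms are accepted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Trigger value the article says the NPM module searches for in incoming packets.
ACTIVATION_ID = "5449610000583686"

# Activation ID, an optional '=' separator (assumption: the article shows '=' only in
# the reconstructed command line, so the wire form may lack it), then 16 digits.
TRIGGER_RE = re.compile(rb"(5449610000583686)=?(\d{16})")


@dataclass
class PloutusHit:
    source: str          # "packet" or "process", where the pattern was seen
    dispense_code: str   # the 16 digits following the activation ID
    command_line: str    # the cmd.exe line in the format quoted by the article


def scan_packet_payload(payload: bytes, source: str = "packet") -> Optional[PloutusHit]:
    """Search a raw TCP/UDP payload for the Ploutus activation pattern.

    The malware reads the ID at a fixed offset; this detector scans the whole
    payload so that padding or a shifted offset does not hide the pattern.
    """
    m = TRIGGER_RE.search(payload)
    if not m:
        return None
    code = m.group(2).decode("ascii")
    return PloutusHit(
        source=source,
        dispense_code=code,
        command_line=f"cmd.exe /c PLOUTOS.EXE {ACTIVATION_ID}={code}",
    )


# Minimal process-creation log line format constructed for this example
# (hypothetical, not a real product's format): key=value pairs, cmdline quoted.
PROC_RE = re.compile(r'cmdline="([^"]*)"')


def scan_process_log(lines: List[str]) -> List[PloutusHit]:
    """Flag process-creation events whose command line carries the trigger pattern."""
    hits = []
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        hit = scan_packet_payload(m.group(1).encode("ascii", "replace"), source="process")
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample data so the detector can be run stand-alone.
SAMPLE_PACKETS = [
    b"\x00\x01pad5449610000583686=2836957412536985\x00",  # trigger with '=' (article's code)
    b"balance-inquiry ok",                                 # benign traffic
    b"54496100005836862836957412536985",                   # trigger without separator
]

SAMPLE_PROC_LOG = [
    '2014-03-24T10:15:02 host=ATM-01 event=process_create '
    'cmdline="cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985"',
    '2014-03-24T10:15:09 host=ATM-01 event=process_create '
    'cmdline="C:\\Windows\\system32\\svchost.exe -k netsvcs"',
]


def run_demo():
    """Run both detectors over the constructed samples and return the hits."""
    packet_hits = []
    for payload in SAMPLE_PACKETS:
        hit = scan_packet_payload(payload)
        if hit is not None:
            packet_hits.append(hit)
    proc_hits = scan_process_log(SAMPLE_PROC_LOG)
    for h in packet_hits + proc_hits:
        print(f"[{h.source}] dispense code {h.dispense_code}: {h.command_line}")
    return packet_hits, proc_hits


if __name__ == "__main__":
    run_demo()
```

In practice the packet check would be fed from a capture point on the ATM's network segment or from the phone-side USB network interface, and the process check from whatever process-creation auditing the ATM's operating system image provides; either match is a high-confidence indicator because legitimate ATM traffic has no reason to carry this value.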
