Description and operating principles:
The malware is installed by gaining access to the system unit of the ATM computer: a flash drive is inserted into a USB port and an executable file is launched under an operating-system user account.
Interaction with the ATM hardware is performed at driver level. Track 2 data and the PIN block are intercepted from transactions. The PIN block is decrypted on the PIN keyboard (a standard function, also available on the EPP). The malware can also issue commands for direct cash withdrawal from the cassettes.
The PIN-block decryption vulnerability has since been closed; the track copying and cash disbursement capabilities remain.
– Attack on the cash dispenser only; no PIN or track compromise occurs.
– The operating system is booted from an external source (USB, CD-ROM).
– Integrity control or anti-virus programs are disabled.
– System DLLs are replaced with spoofed copies and registered in the registry.
– The ATM is rebooted.
– The malware monitors PIN-pad keystrokes for a 12-digit activation code, in response to which a 6-digit code must be entered.
– No BIOS password.
– Standard (default) administrator password.
– No security software.
– EPP keyboard not PCI PTS certified.
– The keyboard was a PCI PTS certified EPP, but it operated in non-PCI PTS mode.
– Program directories and registry hives are copied to the memory card.
– The stolen information is loaded (embedded) into special software on the laptop to which the ATM is connected.
– A cash dispense command is sent to the dispenser.
USB Storage HID attack used on Diebold ATMs
USB Storage HID: the device is inserted through the card reader and connected to the USB port with a manipulator. The malware is then installed.
The picture shows a so-called ruler device with a USB adaptor at its end. The device has this shape because the USB port in the ATM is located at the end of the card slot shown in Figure 4. The device was connected by inserting a plate of the required length into the card reader up to the stop and interacting with the internal components through the USB port.
Black Box attack
– The ATM is turned off and the top cabinet is opened. The dispenser is disconnected from the USB hub, and a plug is inserted into the hub to simulate the dispenser.
– The dispenser is connected to a smartphone running a special app that accepts remote commands to control the dispenser.
– The ATM is turned on and enters customer service mode (it is possible to check balances and perform transactions without cash withdrawal).
The malicious code is installed from a bootable CD or external media.
It disables anti-virus protection on the infected system.
The malware runs an infinite loop waiting for user input.
A key generated from a randomly selected number is used for each session.
When the correct key is entered, the malware displays the amount of money available in each dispenser cassette.
It allows the operator to withdraw 40 bills from the cassette of their choice.
Turns an ATM into a skimmer.
Progenitor of all current ATM viruses.
Activated by inserting a card carrying specific data on the chip card track (Track 2).
Commands are executed through the interface or encoded on Track 2.
After the card is returned, a session key must be entered within a certain time to authenticate the user.
After authentication, the program executes commands entered from the PIN-pad keypad:
– Show malware installation details
– Dispense cash (40 bills from the specified cassette)
– Start collecting inserted card data
– Print collected card data
– Perform self-delete
– Enable debug mode
– Perform update (the updated malware is written to the card)
RIPPER: similar to the previous trio; has been seen on NCR and Wincor ATMs.
activated at an infected ATM using a specially created card with an EMV chip
can control the card reader
capable of disabling the ATM network interface
removes traces of its activity
It is possible to dispense more than 40 bills at a time
Works with Diebold and NCR ATMs
Read and track all credit and debit card data
Read data from chip cards
Malware control via ATM PIN PAD
Retains or releases inserted cards on demand (can be used for physical card theft)
Suppress ATM sensors to avoid being detected