A little bit about viruses for ATM (centralshop cc)

Description and operating principles:


The malware is installed by gaining access to the system unit of the ATM computer: a flash drive is inserted into a USB port and an executable file is launched under an operator login.

Interaction with the ATM hardware takes place at driver level. Track 2 and the PIN block are intercepted from transactions. The PIN block is decrypted on the PIN keyboard (a standard function, also for EPP). The malware can issue commands for direct cash withdrawal from the cassettes.

The PIN-block decryption vulnerability has been closed; track copying and cash dispensing remain possible.

– Attack on the cash dispensing device; PIN and track compromise does not occur.

– The operating system is booted from an external source: USB or CD-ROM.

– Integrity control or anti-virus programs are disabled.

– System DLLs are replaced (spoofed) and registered in the registry.

– The ATM is rebooted.

– The malware monitors PIN-pad keystrokes: a 12-digit activation code, then a random code in response to which a 6-digit code must be entered.
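The "integrity control disabled" and "system DLLs replaced" steps above are exactly what file-integrity monitoring on the ATM application partition exists to catch. The following Python example is added here as a defensive illustration and is not code from the original page: it builds a SHA-256 baseline of an application directory, stores it as JSON, and reports files that were modified, added or removed when the directory is re-scanned. The directory layout and file names (`atm_app.exe`, `vendor_xfs.dll`, `hook.dll`) are constructed sample data, not real vendor components.

```python
"""Constructed example: SHA-256 file-integrity baseline for an ATM application directory."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as sorted JSON so it can be kept on read-only media."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    """Read a previously saved baseline."""
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake application tree, then simulate a library swap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app"
        app.mkdir()
        # Constructed sample files; names are illustrative, not real vendor components.
        (app / "atm_app.exe").write_bytes(b"original application binary")
        (app / "vendor_xfs.dll").write_bytes(b"vendor-supplied middleware library")
        (app / "config.ini").write_bytes(b"[service]\nmode=normal\n")

        # The baseline lives outside the scanned tree so it is not hashed itself.
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(app), baseline_file)

        # Simulated tampering: one library replaced, one unexpected file dropped in.
        (app / "vendor_xfs.dll").write_bytes(b"replacement library with different contents")
        (app / "hook.dll").write_bytes(b"unexpected new file")

        return compare(load_baseline(baseline_file), build_baseline(app))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In deployment the baseline would be generated on a known-good image and stored where the ATM's own operator account cannot rewrite it; a scan that reports anything under "modified" or "added" in the application or system directories is a reboot-time alert, not something to reconcile later.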

Backdoor.Padpin (Wincor)

Vulnerabilities used:

– no BIOS password,

– standard administrator password,

– no security software,

– EPP keyboard not PCI PTS-certified, or

– the keyboard was a PCI PTS-certified EPP but operated in non-PCI PTS mode.

– Program directories and registry hives are copied to the memory card.

– The stolen information is loaded (embedded) into special software on the laptop to which the card is connected.

– A cash dispense command is sent to the dispenser.

USB Storage HID line used on Diebold

USB Storage HID: the device is inserted through the card reader and connected to the USB port with a manipulator, after which the malware is installed.

The picture shows a so-called ruler device with a USB adapter at its end. The device had this shape because the USB port in the ATM was located at the end of the card slot shown in Figure 4. The device was connected by inserting a plate of the required length into the card reader up to the stop and interacting with the internal components through the USB port.

Black Box attack

– The ATM is turned off and the top cabinet is opened. The dispenser is disconnected from the USB hub, and a plug is put into the hub to simulate the dispenser.

– The dispenser is connected to a smartphone with a special app that accepts remote commands to control the dispenser.

– The ATM is turned on and enters customer service mode (it is possible to check the balance and perform transactions without cash withdrawal).


The malicious code is installed from a bootable CD or external media and disables anti-virus protection on the infected system.

The malware runs an infinite loop waiting for user input; a key generated from a randomly selected number is used for each session.

When the correct key is entered, the malware displays the amount of money available in each dispenser cassette and allows 40 bills to be retrieved from a cassette of the operator's choice.


Turns an ATM into a skimmer.

Progenitor of all current viruses.

Activated by inserting a card carrying specific data on Track 2; commands are executed through the interface or encoded on Track 2.

After the card is returned, a session key must be entered within a certain time to authenticate the user. After authentication, the program executes commands entered from the PIN-pad keypad:

– Show malware installation details

– Dispense cash: 40 bills from the specified cassette

– Start collecting inserted card data

– Print collected card data

– Perform self-delete

– Enable debug mode

– Perform update (updated malware is written to the card)

RIPPER: similar to the previous trio; has been seen on NCR and Wincor.

– Activated at an infected ATM using a specially created card with an EMV chip.

– Can control the card reader.

– Capable of disabling the ATM network interface.

– Removes traces of activity.

– Can dispense more than 40 bills at a time.


Works with Diebold and NCR ATMs.

– Reads and records all credit and debit card data.

– Reads data from chip cards.

– Malware control via the ATM PIN pad.

– Card retention or on-demand card handling (can be used for physical card theft).

– Suppresses ATM sensors to avoid detection.
