everyone, I think, knows ATMs, used ATMs
and our security researchers there
have something very interesting to tell us about electronic bank robberies
and because them, please welcome our two security researchers with a very warm applause
tw: are we on?
okay, well
welcome to our little talk here
and thanks for the introduction
as the angel said, I guess everybody knows what an ATM is
it's basically used by people to dispense money from their accounts
either because they live in countries like this one
where you really don't use credit cards to pay
or because you don't wanna be tracked, right?
we're gonna tell a little war story here
and that's a case of ATM hacking
a real world incident that occured this year
and you wanna remember this number here
because that's how you enable the hacked system
in case it's infected
and I'm gonna hand over to my co-speaker here
to tell you about the first few things here
sb: yeah, okay, so let's just have a quick look
what do we have in a cash machine
so of course we have a safe
that's where we want to get in
there's the money, we want to spend
so of course we have a normal computer
it's like a desktop computer
mostly it's running a normal operating system
most likely it's Windows XP
and with just a few different manufacturers that build the teller machines
and, yes
we as user, we use a common user interface
it's just a screen - most likely it's a touchscreen
or we have then the EPP number pads
where we put the PIN number for our card
tw: one thing I would like to add to this slide
you see the picture on the right hand side
that's a photo we took yesterday when we arived here at Hamburg main station
and it's interesting, because this is the state hacked ATMs are usually in
befor the bad guys go there and cash out
I don't know - maybe this one is infected, too
sb: this is not the first ATM hacking, of course
the most famous one was from Barnaby at the Black Hat in 2010
you see in the screenshot here
this was the user interface of his malware
so from the functionality it's quite alike
but not as nice
tw: has anybody in the room looked at this Ploutus thing by any chance?
no...
sb: okay, so of course we have a lot of POS malware
from mobile terminals
to steal just sensitive information
like the credit card data or paymant data or something
and the most famous ones this year even was the Ploutus malware
probably you've heard about it - quite famous
we had a quick look at Ploutus, too
it was written in .NET
from the functionality it's similar or the same
but not as advanced
why are we standing here and talking about this case?
we had an incident
a bank, they discovered, they had a lot of
empty teller machines and they started to
work in investigation for themselves
just a little bit of forensics and it was just limited success
but yeah, they had to do something about it and they tapped up surveillance
and improved monitoring
and they started to discover that the infection was conducted via an USB stick
they get to mange to arrest the guy and to secure this USB stick
and on the USB stick we found actually that malware and started to examine that
tw: yeah so to re-address that, before we go on
what they did was: they figured "okay there's something going on with our ATMs"
and they improved their surveillance technology, if you will
and then saw that guy trying to cash out from one of the hacked machines
and then they went there, arrested the guy
and confiscated the USB thumb drive that he was carrying
and that's where we started our analysis
right
sb: they plugged in a USB stick
they broke a small part of the chassis
it's just PVC, so it's not hard to break that
and they plugged in a USB device and forced the ATM to reboot
so you can do that by cutting the power off
or putting down the LAN interface or plug it out
they forced the ATM to reboot and therefore to reboot from the USB device
and what we found on the USB device was just a simple image of a Hiren boot CD
everyone can just download that
and within that Hiren boot CD it's just a mini XP running
and you have a folder where you can just put customer executables
that will automatically be started when the XP is booted
within this customer section we just found our malware
it was a batch that was called hack.bat
just very nice
so actually we thought that this is probably a fake
because they just wanted us to examine the wrong file
to save some time
because it was just that obvious
you will have a look at bat script afterwards
so you can see what I mean
so yes, it's just a mini-XP
you have the hack.bat
and this will actually start the real malware
the so-called atm.exe
and yeah... what we found then besides the bootable device on the stick were some very interesting files
they were obviously copied from the infected ATM teller machines
we can tell that, because there were three different ones that we found there
and it was very interesting what kind of data were copied from the ATMs
we found data like system data
like for example the software hive key
a lot of files that have cache data, credit card data, payment data, someting like that
from each of the infected teller machines
and of course we have our atm.exe
that was really interesting
and we take a quick look at the hack.bat script
so you see, it's very user friendly
because they implemented a lot of very interesting switches
we see, right at the top, that he begins to copy the software hive key of the infected machines
and at first he's checking if the system is already hacked or if he has to do it
the switches you can see here
they are all implemented
the most used one is of course "-hack"
we see otherwise, that you have some functionality like clear log files
or get the log files
this is the part where he copies really interesting data from the teller machines
of course the question is: why does he do that?
we answer that later
it also has got a functionality on it that he can cover his tracks
you can clear all files of the malware and remove it also
a little bit more about the installer of the atm.exe
tw: yeah, thanks
I mean of course we were curious
now that we know how the system gets infected
insert the USB drive, force a reboot and then the batch script runs
we were curious: how does the actual cash out process work?
how do you get money out of the thing?
what we did was
we took this atm.exe file - the executable
and reverse engineered that to recover the funtionality
and the next couple of slides talk about what we found in this executable
first of all
the atm.exe is a UPX packed thing
UPX is one of the standard packers
you can easily unpack the original code again
and then we came across an interesting fact
so we unpacked it and loaded it up into our analysis tools
what you can see on the right hand side
it's a little bit blurred, but we hope you can still read it
is IDA Pro, that probably many of you are familiar with
one of the state-of-the-art disassemblers
so we loaded that file up into IDA Pro, took a look at the code
and then we discovered something interesting
we discovered that the original executable contains a resource
if you are a little bit familiar with the PE format
the executable file format on Windows systems
you might know that there are containers that you can use to store additional data
or attatch data to a binary
they are called resources
so this binary had a resource and there was some encrypted data in there
which turned out to be a DLL that contains the actual malicious functionality
and the interesting thing is that this resource is XOR-encrypted
now XOR is not a particularly strong encryption scheme
but never the less, if the key is long enough
like 4 bytes in this case
I mean you can still probably brute-force it
but well, you know
we figured that every executable that's deployed onto an ATM has the resource
encrypted with a key that is derived from the volume serial
which is an ID that is assigned to a hard drive when it's formatted
by the operating system
that means that every executable that's deployed onto an ATM is taylored specifically for this ATM
so it's not mass-malware that you can install on any ATM
each executable only runs one one very specific ATM
and that's interesting
I mean of course that raises the question: How do they get this ID in the first place?
How do they create this binary with the encrypted resource?
Where do they get the volume serials from?
and there are basically two options
I mean we don't have the answers to these questions
but there are only two options
one is: they go to the ATMs the first time, run their stuff
and extract the volume serial ID from the system
then go home, prepare the malware and then come back to infect the system
which seems kind of risky, because
if you get caught while doing this... well then
you'll lose something
the other option is...
we'll leave that to your imagination
so what we did
what you see here on the right hand side is some code that is executed after the XOR-decryption of the resource
and if you look closely enought you can see in the first basic block up there
it checks if the first byte of the decrypted data is an "M"
and then the next one checks if the next byte - the second byte - is a "Z"
which is part of the PE file header - MZ header
so we figured: okay, this is probably an executable
and that's how we recovered the original code
we assumed that this is an executable and then
you can call it a known plaintext attack or something like that
we reverted the XOR-encryption and recovered the DLL
and after this happened, of course
the dropper runs some checksumming code
to verify that the extracted and decrypted code is actually the DLL it wants to run
so after we recovered this malicious DLL
we took a closer look at that one
and it's dropped into this path up there under the system directory
and the value in the squared brackets over there is again derived from the volume ID
so if you come across one of these DLLs
you can take a look at the file name
and that's linked to the ATM it's supposed to run on
because of the naming scheme here
so that's how - and of course I mean you can see all of that in the code
that the second value there is hard-coded
that's how we figured: okay this sample was supposed to run on an ATM with this volueme ID
and then we came across something else
something that's as interesting
this DLL, or the malware in general writes a log file
and stores this on the USB drive that's used for the infection process
and that's pretty verbose
if you look at this
again we have to apologize that's it a little blurry
but there you can see
it's basically what is executed when the batch script runs, right?
there is a file name up there
if you can see that 978-blablabla DLL and some others
and suprisingly this log file contained information about three other infections that took place
so we switch to the next slide
with that information we can say
we have information that these guys infected at least four ATMs
the ones where we had that DLL for
and then these other three
that we recover from the log file
log file - again - is XOR-encrypted, but the key is hard-coded
so we could recover it from the code and then decrypt the log file and read it
this is an abbreviated version
the most interesting lines from the log
you can see that these ATMs run in fact Windows XP
yeah...
sb: what probably is quite intersting here is that we have information about three different teller machines
that were infected with this USB device
in clear text and we have it additionally in this somehow encrypted log file
so the question is: Why do we have that twice?
Why do we have this log file?
And why didn't they remove that files?
actually for every new infection they have to build up a new exe device
which is encrypted with the volume serial ID from this machine
and they would have enough time to clear that up
but they didn't do it
so furthermore the question broke: Why didn't they?
tw: okay, now in this part we wanna talk a little bit more about the actual payload
the malicious code that's executed on the compromised ATM
you know, the interesting bit
what you can see here is a list of some facts that we discovered
again this file contains some encrypted resources
this time they're encrypted with the static key that you see up there
so by looking at the code we obtained this key and could easily recover the resources
and they contained images like the one you see on the right hand side, up there
obviously stuff they wanted to display on the ATM screen, right?
we changed the coloring scheme and some other stuff here a little bit
because we don't wanna disclose the target here
yeah that's what they store in these resources
another thing that was in there, is this sdelete tool from Sysinternals
maybe some of you are familiar with that
a publicly available tool for secure file deletion
so you know, you override the file with specific byte patterns before you remove it
and they used that to remove forensic artefacts
forensic traces from the system
for example when they're uninstalling the malware
because you can also uninstall it from an ATM
but in case this fails for whatever reason, they have some backup code in the malware
some backup secure undelete code that does basically the same stuff
it overwrites the data first and then it deletes the file
so it's kinda interesting that it put a lot of effort into
covering up their, you know
hiding their traces on the system
and by the way
we will give you a demo in a few minutes
and show you the whole process
how you interact with an infected ATM
you will see the other screens as well
then of course for most malware it's important to become persistent on the infected system
because when it reboots for whatever reason, you want the malware to automatically load again
and these guys do that by writing the drop DLL into the AppInit DLLs value in the windows registry
for those of you, who are not familiar with the value
you can specify libraries in there that are loaded into every process that starts up
so by this you make sure that the malicious DLL is loaded into every proess that starts
within the current logon session at least
what you see down there is some decompiled source code
basically the main function of the malware
of the DLL
and what you can see there
there are several checks running in cash client one
cash client is the term for the software that controlles the ATM
that is running on the ATM
and controls the dispenser and so on
so it does this check and if this returns true, it starts some routine
and if some other checks succeed, then it calls some other functions and so on
basically what's happening here is that the DLL checks the name of the process it's running in
and then depending on this name it invokes certain functionality
and we believe that by doing this they implement support for different cash clients
this line down here, running in lsass.exe is also interesting
because the DLL is also obviously loaded into
what's lsass again? local system...
some windows process
is also loaded into that one of course
because of the AppInit thing
if it's running in this, it doesn't interact with the cash client ATM software at all
the DLL that's running in there is an event processor
for example, if you wanna uninstall the software
you basically create an uninstall event
and then the instance running in this process here
handles the event and removes the file and so on
and cleans up all traces
sb: what's also quite interesting here
you can see that later on, when we discover the malware itself
they have really somthing like a development cycle
it's really professional made up
because within the first infections we could find this malicious DLL within this AppInit hive key
there was an incident where the forensic team could discover it there
because it's quite obvious, you know
the AppInit DLL key is very famous for any malware
that should start at startup
and they improved it
so later on, they just added this malicious DLL to the DLLs which are started
just when the cash client is started
so it's also started from the startup, but it's not as loud
so you have to have to search quite deeper to find it
tw: Where are we? Are we on time? How are we doing?
How much time do we have left?
okay, plenty of time
great
so we know, how the malware becomes persistent
we know how it makes sure that it runs on the system
so it injects this DLL into all these processes
now of course we wanna know how to interact with it
because there must be a way of interacting with the malware
and what we found out by reverse engineering code is that the DLL that's running in the cash client
installs a hook for keyboard events
so whenever you press a key on the keyboard which in this case is the num pad
this is trapped by the malware and processed
and what they do is, they process only number keys
for obvious reasons
because that's the only kind of keys that you can enter
and if you enter the code that you've seen on the first slide
you activate a hidden menu that allows you to choose the several options
that you can use to control the ATM
but they have implemented an additional measure
because, you know, it's possible that somebody by accident enters the right 12 digits
and then suprise this thing pops up
and you can dispense all the money from the ATM
of course they don't want that to happen
so they have implemented a challenge-response scheme
so when you enter the 12 digit code, the first menu allowes you to say
present me with a challenge
and then the malware generates a random or like a secret code
where the scheme to generate it is secret
and you have to enter a response
that's not easy to crack
what they do in this case
because of the poor guy who goes to the ATM to cash out is not the brain behind the whole operation
they're likely to get arrested
so they probably don't want to transfer the knowledge
how to generate the response for the challenge to these people
can you tell the story about the phone calls?
sb: yeah, actually they had a surveillance video where they could monitor just one of their cash guys
which just currently had entered the secret 12 digits
and you can see on this video that he has already one part of this hack view
and after that he just took a cell phone
and called somebody and you can see that within that call
he types another number and right after that, he starts cashing out the teller machines
that's exactly that challenge-response check, he was talking about
so this proves that they don't want anything to chance
they wanna control which teller machine is cached out and exactly when and who does the cash out
so this may implicate that they don't trust their own people, do they?
tw: so, I mean we tried to bring you this video where the guy makes the phone call
but obviously the bank that was targeted here
they're a little concerned about their identity beeing disclosed
so unfortunately we couldn't get it
but, well, you have to trust us on that
that's how they probably do it
another thing is that these guys already anticipated that somebody would get a copy of the malware
and then probably start to reverse engineer it
and understand how it works
and of course the worst thing that can happen is
if somebody recovers the challenge-response functionality in that code
and then goes to all the hacked ATMs and, you know, jackpots them
insted of these guys
so they figured: okay, we need a means to protect that really important code
and that's not the only part, that's protected
there are several pieces that are, you know, critical
so to speak
so this challenge-response thing is one of them
and the other parts that are protected is everything that interacts wih the cash client
so by looking at the code you would never see a direct API call or DLL function call
into the cash clients libraries
all of this stuff is protected
and I'm gonna talk a little bit more about how they do that
it's a little bit hard to put that...
to find the right words for it
we have a picture of that in our mind, but...
we call that a state machine
so their obfuscation method is basically control flow obfuscation
when you look at some code statially, you can see this function is calling that function
and then this is calling that under this condition and so on
that's the control flow in the code
but if you don't wanna disclose that function A is calling function B
you have to put something in between
that obfuscates this relationship
they implemented a state-machine
that's what we call it
and this state machine consumes a buffer
a static buffer that's somewhere in the binary
and performs some computation on the bytes
and the result is the address of the function to call
at some point you say: state machine, here is a buffer
do your thing
and then the state machine starts computing the address to call
or that's only one scenario
the other scenario is that you wanna compute a certain value
for example, you enter the response for a particular challenge
and then the state machine with its functions computes some other value
that it compares to a challange or something
and this computation as well is protected by the state machine
and you can see a little snippet of that on the right hand side
again, if you can read it, you can see there's a lot of junk code in there
those of you who are familiar with polymorphism
polymorphic malware or other stuff like that
you will immediately see that some of the functions in there are total garbage
like for example, the SUB AL e1
and then, you know, some values are subtracted from a register first and then added again
so it's basically doing nothing
this junk code stuff is one method of obfuscation
and the other is, what's usally called "spaghetti code"
you know, it's jumping back and forth
and calling subroutines all over the place
and I think it's really hard or next to impossible to reverse engineer that
at least we spent several days
weeks even
and we couldn't really figure out how the state machine works
and that's really the purpose
but fortunately for us there was a solution for this
and that is what the little colored bar at the bottom of the slide shows you
again, this is something that IDA Pro generates for you, this disassembler tool
you can see the blue stuff at the front
that's the real code of the malware
all of that lives in the code section
and is at the beginning
and the green stuff here is library functions
here we have some data
and at the end there is some code again
and suprisingly this is the state machine
and it's pretty convenient for us that this is somewhere else in the memory layout
so what you can do is
you can put a memory break point a the section here
and by doing this trap every attempt to execute the state machine code
and then when you're in the state machine
you put a break point on the original, on the real code, up there
and you get the exit point of the state machine
by doing this you can basically treat the state machine as a black box
you don't care about the calculations at all
you can still reconstruct the relationship between the calling function and the callee
okay
unfortunately we couldn't use this break point method to understand how these value calculations are performed
but, well, you still can inspect memory and somehow understand a little bit of that somehow at least
okay now we wanna demo to you how this thing looks like
unfortunately we don't own an ATM that we can infect
but we have a virtual machine here that's running the malware
and we've patched the malware a little bit here
I think we didn't tell you
so what's happening is these screens when you enter the secret code
these screens that you saw on the slide
they're displayed on a second desktop
on Windows you can have as many desktops
like virtual desktops as you want
and then switch back and forth between these desktops
so what's happening is
these screens are displayed on a second desktop
and then execution switches over
the displays which is over to this desktop
so you leave the original ATM display and it's process alone
you just switch over to your secret menu desktop
and when you're done, you can switch back
that's a little difficult to debug
because when you do that, when you're running in a debugger and using break points and stuff
and the malware all of a sudden switches to a second desktop
you can't control the debugger anymore, because it's running on the first desktop
so we had to patch a few things to make it more convenient for us to demonstrate this
and that's what we're gonna do now
can you...?
so we have this little Windows XP VM
because we want to be accurate, right?
and I'm gonna start two processes here
one is: I have some little batch scripts
one is the one that simulates the malware running in the lsass process
and the other one simulates the malware running in the cash client
this one here
and let's just presume that this is showing the stardard ATM screen here
so "Enter your PIN" and stuff like that, okay
so what we're gonna do now is
we're gonna enter the 12 digit secret code that we saw on the first slide
you remember that, right?
and if you do that, you're presented with this menu here
do you wanna talk about those values? how that's calculated?
sb: yeah probably
so the only thing which is hard coded are the three lines at the bottom here
and all of the rest is just generated with the actual amounts they find on this ATM
so the ATMs, they have a lot of loo files which they create
and they're just saved on the hard drive
and within that files
every payment transaction is noted
what the malware does is
it requests the newest of that files
and just pulls the values into that screen
and so the attacker is presented with the actual value of the amount of money
and there he can just choose which one he wants to cash out
so just the 100 bills, or all of them
this is quite interesting
we took this screen from an ATM which was already attacked
there you can see that especially, or only the $100 cash cassette was cashed out
because, you know how long it takes if you're just cashing out 100 or 200 Dollars or Euros
and if you can imagine if you have a whole cassette full of money
that takes a lot of time
so this is why they most likely just cashed out this cassette with the most valuable input
tw: so what I can do now is
I can either press "0" and then I leave that again
and, you know, ATM shows its standard screen again
or I press "1"
I'm gonna do that now, just to show you what's happening
and now it's challenging me with this code here
and I have to enter the response
and yeah, I mean, it's a 6 digit number
the problem is
because we're not running on a real ATM, we cannot simulate this here
so I mean, I can enter a number here
but even if it would be the right one and it would accept this
we wouldn't be able to go any further, because some pieces are missing here
unfortunately... let me restart this
there we go again
usually what happens is
you press "1"
you get the challenge code
you call your HQ
you get the response code
you enter your response code
and then you have access to this second level menu, so to speak
that allows you to actually cash out
well, as I said, we cannot really do that here
so we have to simulate the fact that we're authenticated
we entered the right response code
for that we patched a little bit in this DLL
unfortunately we have to wait for three minutes now
because there is a timeout
they implemented a timeout as a measure to not leave this screen open
when, you know, something happens
the guy has to run off or something
because police is coming or something
and then you don't want to leave this on the scren
so they implemented a timer that fires after three minutes
and then after three minutes this window is closed
we patched this timer, that after three minutes the second layer menu is opened instead
we have to talk a little bit more, until that happens now
sb: probably about the version number
cause there you can see, they named their software
typical software style of course
with a four digit value number
so they have really a development cycle
for this malware
and they really are improving that with nearly every attack they are doing
they collect all facts they have, they improve antiforensics
and build in a little more functionality
you can really track these changes, they made
this developement improves
tw: another thing we can tell you meanwhile is that this challenge code is generated from two things
again, we don't know how it's generated, we don't know the algorithm
but we do know the input
and the two things that are the input to this algorithm
are an ID that's unique to the ATM
or the station, whatever you wanna call it
and a random value
so there's some randomness in there
by this you make sure that even if the same random value is chosen
the codes are different for two different ATMs
so the guy has to in fact call you and ask for the code
he cannot, you know, just by accident enter the right thing and take the money for himself
alright now would be a good time for the timer to fire
let's see
okay, I have another story
the dropper executable
when something goes wrong, they calculate an error message, an error code
oh, there we go
and this error code is derived from the value 1337
so apparently they think they are leet
which didn't really stop us from reverse engineering their software
this screen is like what we showed on the second slide
which basically says "this terminal is out of order, go to the next one"
and when you see this
I mean, two purposes:
one: others who want to dispense money from the ATM, if they see this, they would not touch it
and go to another one
but this also tells you that now you can enter another code
which turns out to be the same 12 digit sequence that we already know
to enter the second hidden menu
and there we go
this is now the real menu that you can use to control the ATM
again, you see the first four lines show you how much money for the different bills
or different notes is in there
but now you can actually, you know, cash out
you can dispense that money from the machine
so for example if I press "1", hopefully I can get the 300 R-Dollars
or if I press "4", I can get the 50s
so let me do that now and you can pay attention to the purple line at the bottom
so I press "4" now
and it said "wait" or "waiting" or something like that
and now it says "command has failed"
which is too bad because I wanted money, but my VM...
the emulation is not that good
sb: still didn't get to manage to really cash out some money from that machine here
tw: that would be nice
so I could now try to cash out 1, 2, 3, 4
and always I get this failure message
but this is where the malware actually interacts with the cash client
it loads, or resolves the libraries that belong to this cash client and then calls the API functions
to trigger the dispense functionality
but the other options at the bottom of the screen are also interesting
let me show you "7" and "8" first
and that's why I have this little window open here
I hope you can see that
so this is my network connection
the network devices that are installed
and as she said, every ATM has a persistentnetwork connection to the bank
so they can control what's going on and monitor and so on
so probably before you wanna cash out, you wanna disable the network entirely
and they can use "7" and "8" to do that
so let me press "7", you take a look at that window on the right hand side
you can see, the adapters are disabled now
and now I'm going to press "8" again
and now they're enabled again
that's convenient, right
so you can disable and enable the network adapters entirely
if you press "6" you're going back to this mode
and finally you can also format the system
I mean obviously because you wanna remove all the traces
so if I press "5", you see that little screen, that we already know
from the slide
they're somewhat cautious here
again, if you do that, you can either press "0"
then you get back to the previous menu
or you can press "9" and confirm that you actually wanna format the system
and doing that' now
and again it presents you with a challenge and you have to enter a 6 digit response code
the algorighm that's used to calculate this here is different from the previous one
and I mean we figured it out somewhat
but the funny thing is, that it doesn't actually format the system
it just uninstalles the malware
I don't know what the right answer to this is now
if you enter the wrong one, it keeps asking
and interestingly you cannot get out of this state anymore
so if you don't know the right answer, you're trapped in this
and after three minutes the "out of order" thing is displayed again
but if you enter the sectet code, you don't have access to the main menu again
you will always end up in this screen
so unless you enter the right code here, well, you locked yourself out
alright
we wanna conclude with some speculation about the people behind this maybe
we obviously don't really know who it is
but, you know, there are some interesting facts
and after that we'll open it up for questions and, you know, a little Q&A
sb: what we really can tell for sure
that they want to make serious money with that
they put a lot of effort in implementing and investigating
in coding actually
they build up quite a big team to do that and they have apparently different roles
that are strictly assigned
so every role has his part and is able to do his part
so it's quite separated
for sure they have to have profound knowledge about the ATMs
so most likely they really had one
to test all these features and to really check whether the coding is correct
whether they get any error messages
something like that
so either they probably robbed one and reverse engineered the original cash client
to derive the malware from it
or they most likely had someone in the inside
which was just to...
which had to develop the original cash client
and therefore really knows exactly how this works
how it's possible just to trigger a cash out
without entering a valid card, the PIN code
circumvent all the security measures that are implemented here
they have quite good development skills
so the code is quite sorted
you see the development cycles
they implement new features just like the AppInit DLL key stuff and so on
at least they are capable of protecting the code against people like him
they're just trying to reverse engineer malware
and they really try to cover their tracks for forensic investigations
so they made it really hard to get the pieces together
to just have a full image of how that finally works together
tw: alright
that was almost the last slide
you guys remember the 12 digits
from the first slide
so next time, before you dispense the money from an ATM, enter the 12 digits first
to make sure that it's not hacked
right, and if it is hacked
then you enter this here
because that uninstalls the malware
applause
well then we do a short Q&A, if it's okay for you
please, everybody that has a question
please line up on the microphones
signed with the numbers
and then we will do a short Q&A from approximately 8 to 10 minutes
alright, let's start with you
hi, I have two questions
the first question is whether they were gathering PIN codes and no strips
to be able to use them later on
and the second question is whether the ATM is connected to the Internet through the network connection
I didn't get all of that
can the others be a little quiet
so we have the chance to understand the questions
sorry, can you please repeat?
so my first question is whether the PIN codes and this magnetic strip
or any other information linked to the credit card number is gathered by this malware
and the second question is wether net network connection gives Internet access to the ATM
let me answer the first one, and for the second one, I'll refer to her
so this one could gather information like credit card stuff and so on
but it doesn't
not this one
I didn't get the second question
second question was: can you access the ATMs over the Internet? is there internet connection?
no, actually they do not have an Internet connection
but it is possible to build, so far
we did that in a test, where we tested an ATM
you can use this USB connection where they plugged in the bootable device
and just put an UTMS stick there and then you have an Internet connection
but by default there is none
but we did that, yeah
okay, then let's take number 1
thank you for your talk
I have two short questions
what was the time span between the infection and the cash out?
and did the attackers try to intercept card data?
so, the second question is the same as the previous one
they don't intercept any card data
they don't gather like credit card information and stuff like that
they only like jackpot - as Barnaby Jack called it - the ATMs
they only dispense money from the ATM
for the first question, what was the first question again?
what was the time span between the infection and the cash out?
how much time is between the infection and the actual cash out
we discovered that were only two to three days
so they could have any time between that, but they really try to make it short
and of course they waited for the right time, so right after the recharging
because thats the point of the most money
okay, then number 3 please
hi, thank you for your talk
question about banking security
this beeing Windows XP, I missed the part of code signing
and verified publishers and such
do banks employ these security measures or not?
they do have security measures
but they're only implemented when the XP is running
so they have whitelisting for applications
they have monitoring for the process
and they have an anti-virus
and of course something like that
but in essence everyone can dump their own software on it and run it
there is no whitelist for signatures or publishers, right?
there is a whitelist
actually there is, but that was the point why they did that
via bootable USB stick
because they wrote this DLL just within the system folder
and they have a whitelist for applications, but not for the DLLs
which these applications are using
I mean, it goes without saying that you can take measures to make the ATMs more secure
because this is kind of a trivial attack
and as you said, everybody could do that
and that's kind of the reason why we're giving this talk
it's no use in keeping vulnerabilites secret
they should be like talked about openly
and then people can go and fix their problems, right
thank you
do we have a question from IRC or the community out there?
yes there was one question coming from IRC
which was: how to get on the USB printer port to reverse that machine?
can you repeat the question please?
how to get on the USB port or printer port to reverse that machine?
this was just via cutting a hole into the chassis
so this is just a...
this is no metal, this is not a safe
so this is just a plastic
and there you can just cut a hole in it
and then you can actually access the USB port
I mean, they physically damaged the ATM to be able to access the USB port
and then they had to cut the network connection
and that triggered a reboot
so it's really a trivial attack
not that hard
okay number 4 please
yes
two part question
you would think that banking and money would be a high priority thing to secure
why are they using Windows XP?
and the second one is
applause
second one is
if there was a time-frame of I think it was three days between the two attacks
why don't they realize, there is hole cut into their ATM and just...
change it out?
applause
there is a...
that depends on the USB port that they used
there is one on the back, so you don't see it
and the other is just...
you can cut that very exact and then they just repaired it afterwards
they just fixed it
and for the first question
the problem in the main cases is that there are hundreds of thousands of teller machines
for each bank
and that's just the problem
they are of course starting to renew that
but when they are at the end doing that
Windows has already realeased two newer versions of operating systems
and that's one part of it
and the other thing, if we had Windows 7 here it wouldn't change a thing
I mean, that's probably a question for the banks that we can't really answer
but as long as they're convered by insurances
they don't really have to care
which is of course kind of short sighted
but maybe thats how it works
okay and now the last question from number 1
hi there, I was just curious about this particular ATM model
if we're framing this picture of this is let's say the state of security and ATM technology
or if it's just let's say an example for how to not build an ATM
I mean are these bad guys simply the first who found out
well it's basically that simple
or is it just let's say a really bad model, they have exploiting?
that all depends on the original cash client
so the teller machines are all the same, but every bank has an own cash client
it's an own software which is really doing the cashing out
and they're all different
and you have to develop the malware exactly for just one cash client
because it won't work on others
I mean, sorry
I mean also speaking about this physical security
I mean, having an easy accessible USB port
and booting USB images without any additional security measure
I mean, is this state of the art?
no, it's not
actually this has been fixed
because there is an whole disk encryption in place now
that just prevents this way of attack
but yeah, it's not at all teller machine currently implemented
so yes, it's kind of state of the art
yeah, great, thank you
okay then now
thank you to our security researchers
give them a great and warm applause, please
thanks for coming, thank you
subtitles created by c3subtitles.de