[Script Info]
Title:
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:09.46,0:00:15.34,Default,,0000,0000,0000,,everyone, I think, knows ATMs, used ATMs
Dialogue: 0,0:00:15.34,0:00:20.18,Default,,0000,0000,0000,,and our security researchers there
Dialogue: 0,0:00:20.18,0:00:28.70,Default,,0000,0000,0000,,have something very interesting to tell us about electronic bank robberies
Dialogue: 0,0:00:28.70,0:00:39.63,Default,,0000,0000,0000,,and because them, please welcome our two security researchers with a very warm applause
Dialogue: 0,0:00:46.82,0:00:48.10,Default,,0000,0000,0000,,tw: are we on?
Dialogue: 0,0:00:48.10,0:00:49.10,Default,,0000,0000,0000,,okay, well
Dialogue: 0,0:00:49.11,0:00:51.54,Default,,0000,0000,0000,,welcome to our little talk here
Dialogue: 0,0:00:51.54,0:00:54.10,Default,,0000,0000,0000,,and thanks for the introduction
Dialogue: 0,0:00:54.10,0:00:58.14,Default,,0000,0000,0000,,as the angel said, I guess everybody knows what an ATM is
Dialogue: 0,0:00:58.14,0:01:02.60,Default,,0000,0000,0000,,it's basically used by people to dispense money from their accounts
Dialogue: 0,0:01:02.60,0:01:06.18,Default,,0000,0000,0000,,either because they live in countries like this one
Dialogue: 0,0:01:06.18,0:01:09.26,Default,,0000,0000,0000,,where you really don't use credit cards to pay
Dialogue: 0,0:01:09.26,0:01:13.94,Default,,0000,0000,0000,,or because you don't wanna be tracked, right?
Dialogue: 0,0:01:13.94,0:01:19.60,Default,,0000,0000,0000,,we're gonna tell a little war story here
Dialogue: 0,0:01:19.60,0:01:22.46,Default,,0000,0000,0000,,and that's a case of ATM hacking
Dialogue: 0,0:01:22.46,0:01:26.98,Default,,0000,0000,0000,,a real world incident that occurred this year
Dialogue: 0,0:01:26.98,0:01:29.62,Default,,0000,0000,0000,,and you wanna remember this number here
Dialogue: 0,0:01:29.62,0:01:35.42,Default,,0000,0000,0000,,because that's how you enable the hacked system
Dialogue: 0,0:01:35.42,0:01:37.46,Default,,0000,0000,0000,,in case it's infected
Dialogue: 0,0:01:37.46,0:01:41.38,Default,,0000,0000,0000,,and I'm gonna hand over to my co-speaker here
Dialogue: 0,0:01:41.38,0:01:44.74,Default,,0000,0000,0000,,to tell you about the first few things here
Dialogue: 0,0:01:44.74,0:01:48.70,Default,,0000,0000,0000,,sb: yeah, okay, so let's just have a quick look
Dialogue: 0,0:01:48.70,0:01:51.50,Default,,0000,0000,0000,,what do we have in a cash machine
Dialogue: 0,0:01:51.50,0:01:54.10,Default,,0000,0000,0000,,so of course we have a safe
Dialogue: 0,0:01:54.10,0:01:55.94,Default,,0000,0000,0000,,that's where we want to get in
Dialogue: 0,0:01:55.94,0:01:57.98,Default,,0000,0000,0000,,there's the money we want to spend
Dialogue: 0,0:01:57.98,0:02:00.98,Default,,0000,0000,0000,,so of course we have a normal computer
Dialogue: 0,0:02:00.98,0:02:02.90,Default,,0000,0000,0000,,it's like a desktop computer
Dialogue: 0,0:02:02.90,0:02:06.38,Default,,0000,0000,0000,,mostly it's running a normal operating system
Dialogue: 0,0:02:06.38,0:02:08.78,Default,,0000,0000,0000,,most likely it's Windows XP
Dialogue: 0,0:02:08.78,0:02:16.50,Default,,0000,0000,0000,,and with just a few different manufacturers that build the teller machines
Dialogue: 0,0:02:16.50,0:02:19.21,Default,,0000,0000,0000,,and, yes
Dialogue: 0,0:02:19.21,0:02:22.42,Default,,0000,0000,0000,,we as users, we use a common user interface
Dialogue: 0,0:02:22.42,0:02:25.70,Default,,0000,0000,0000,,it's just a screen - most likely it's a touchscreen
Dialogue: 0,0:02:25.70,0:02:28.30,Default,,0000,0000,0000,,or we have then the EPP number pads
Dialogue: 0,0:02:28.30,0:02:32.14,Default,,0000,0000,0000,,where we put the PIN number for our card
Dialogue: 0,0:02:32.14,0:02:34.22,Default,,0000,0000,0000,,tw: one thing I would like to add to this slide
Dialogue: 0,0:02:34.22,0:02:37.14,Default,,0000,0000,0000,,you see the picture on the right hand side
Dialogue: 0,0:02:37.14,0:02:41.78,Default,,0000,0000,0000,,that's a photo we took yesterday when we arrived here at Hamburg main station
Dialogue: 0,0:02:41.78,0:02:46.78,Default,,0000,0000,0000,,and it's interesting, because this is the state hacked ATMs are usually in
Dialogue: 0,0:02:46.78,0:02:49.62,Default,,0000,0000,0000,,before the bad guys go there and cash out
Dialogue: 0,0:02:49.62,0:02:55.50,Default,,0000,0000,0000,,I don't know - maybe this one is infected, too
Dialogue: 0,0:02:55.50,0:03:00.26,Default,,0000,0000,0000,,sb: this is not the first ATM hacking, of course
Dialogue: 0,0:03:00.26,0:03:08.42,Default,,0000,0000,0000,,the most famous one was from Barnaby at the Black Hat in 2010
Dialogue: 0,0:03:08.42,0:03:12.34,Default,,0000,0000,0000,,you see in the screenshot here
Dialogue: 0,0:03:12.34,0:03:15.34,Default,,0000,0000,0000,,this was the user interface of his malware
Dialogue: 0,0:03:15.34,0:03:20.74,Default,,0000,0000,0000,,so from the functionality it's quite alike
Dialogue: 0,0:03:20.74,0:03:24.50,Default,,0000,0000,0000,,but not as nice
Dialogue: 0,0:03:24.50,0:03:32.42,Default,,0000,0000,0000,,tw: has anybody in the room looked at this Ploutus thing by any chance?
Dialogue: 0,0:03:32.42,0:03:34.86,Default,,0000,0000,0000,,no...
Dialogue: 0,0:03:34.86,0:03:41.50,Default,,0000,0000,0000,,sb: okay, so of course we have a lot of POS malware
Dialogue: 0,0:03:41.50,0:03:43.62,Default,,0000,0000,0000,,from mobile terminals
Dialogue: 0,0:03:43.62,0:03:46.54,Default,,0000,0000,0000,,to steal just sensitive information
Dialogue: 0,0:03:46.54,0:03:49.82,Default,,0000,0000,0000,,like the credit card data or payment data or something
Dialogue: 0,0:03:49.82,0:03:54.22,Default,,0000,0000,0000,,and the most famous one this year even was the Ploutus malware
Dialogue: 0,0:03:54.22,0:03:57.26,Default,,0000,0000,0000,,probably you've heard about it - quite famous
Dialogue: 0,0:03:57.26,0:04:01.18,Default,,0000,0000,0000,,we had a quick look at Ploutus, too
Dialogue: 0,0:04:01.18,0:04:03.14,Default,,0000,0000,0000,,it was written in .NET
Dialogue: 0,0:04:03.14,0:04:06.50,Default,,0000,0000,0000,,from the functionality it's similar or the same
Dialogue: 0,0:04:06.50,0:04:14.66,Default,,0000,0000,0000,,but not as advanced
Dialogue: 0,0:04:14.66,0:04:19.38,Default,,0000,0000,0000,,why are we standing here and talking about this case?
Dialogue: 0,0:04:19.38,0:04:22.46,Default,,0000,0000,0000,,we had an incident
Dialogue: 0,0:04:22.46,0:04:27.20,Default,,0000,0000,0000,,a bank, they discovered, they had a lot of
Dialogue: 0,0:04:27.20,0:04:30.74,Default,,0000,0000,0000,,empty teller machines and they started to
Dialogue: 0,0:04:30.74,0:04:35.10,Default,,0000,0000,0000,,work in investigation for themselves
Dialogue: 0,0:04:35.10,0:04:40.42,Default,,0000,0000,0000,,just a little bit of forensics and it was just limited success
Dialogue: 0,0:04:40.42,0:04:45.82,Default,,0000,0000,0000,,but yeah, they had to do something about it and they tapped up surveillance
Dialogue: 0,0:04:45.82,0:04:50.18,Default,,0000,0000,0000,,and improved monitoring
Dialogue: 0,0:04:50.18,0:05:04.82,Default,,0000,0000,0000,,and they started to discover that the infection was conducted via a USB stick
Dialogue: 0,0:05:04.82,0:05:11.42,Default,,0000,0000,0000,,they managed to arrest the guy and to secure this USB stick
Dialogue: 0,0:05:11.42,0:05:16.98,Default,,0000,0000,0000,,and on the USB stick we found actually that malware and started to examine that
Dialogue: 0,0:05:16.98,0:05:19.26,Default,,0000,0000,0000,,tw: yeah so to re-address that, before we go on
Dialogue: 0,0:05:19.26,0:05:23.98,Default,,0000,0000,0000,,what they did was: they figured "okay there's something going on with our ATMs"
Dialogue: 0,0:05:23.98,0:05:28.18,Default,,0000,0000,0000,,and they improved their surveillance technology, if you will
Dialogue: 0,0:05:28.18,0:05:32.42,Default,,0000,0000,0000,,and then saw that guy trying to cash out from one of the hacked machines
Dialogue: 0,0:05:32.42,0:05:34.62,Default,,0000,0000,0000,,and then they went there, arrested the guy
Dialogue: 0,0:05:34.62,0:05:38.54,Default,,0000,0000,0000,,and confiscated the USB thumb drive that he was carrying
Dialogue: 0,0:05:38.54,0:05:43.60,Default,,0000,0000,0000,,and that's where we started our analysis
Dialogue: 0,0:05:43.60,0:05:49.94,Default,,0000,0000,0000,,right
Dialogue: 0,0:05:49.94,0:05:54.22,Default,,0000,0000,0000,,sb: they plugged in a USB stick
Dialogue: 0,0:05:54.22,0:05:59.14,Default,,0000,0000,0000,,they broke a small part of the chassis
Dialogue: 0,0:05:59.14,0:06:03.46,Default,,0000,0000,0000,,it's just PVC, so it's not hard to break that
Dialogue: 0,0:06:03.46,0:06:07.58,Default,,0000,0000,0000,,and they plugged in a USB device and forced the ATM to reboot
Dialogue: 0,0:06:07.58,0:06:10.26,Default,,0000,0000,0000,,so you can do that by cutting the power off
Dialogue: 0,0:06:10.26,0:06:15.26,Default,,0000,0000,0000,,or putting down the LAN interface or plug it out
Dialogue: 0,0:06:15.26,0:06:22.34,Default,,0000,0000,0000,,they forced the ATM to reboot and therefore to reboot from the USB device
Dialogue: 0,0:06:22.34,0:06:28.38,Default,,0000,0000,0000,,and what we found on the USB device was just a simple image of a Hiren boot CD
Dialogue: 0,0:06:28.38,0:06:30.54,Default,,0000,0000,0000,,everyone can just download that
Dialogue: 0,0:06:30.54,0:06:35.18,Default,,0000,0000,0000,,and within that Hiren boot CD it's just a mini XP running
Dialogue: 0,0:06:35.18,0:06:41.90,Default,,0000,0000,0000,,and you have a folder where you can just put customer executables
Dialogue: 0,0:06:41.90,0:06:48.46,Default,,0000,0000,0000,,that will automatically be started when the XP is booted
Dialogue: 0,0:06:48.46,0:06:53.82,Default,,0000,0000,0000,,within this customer section we just found our malware
Dialogue: 0,0:06:53.82,0:07:00.46,Default,,0000,0000,0000,,it was a batch that was called hack.bat
Dialogue: 0,0:07:00.46,0:07:02.38,Default,,0000,0000,0000,,just very nice
Dialogue: 0,0:07:02.38,0:07:07.62,Default,,0000,0000,0000,,so actually we thought that this is probably a fake
Dialogue: 0,0:07:07.62,0:07:11.46,Default,,0000,0000,0000,,because they just wanted us to examine the wrong file
Dialogue: 0,0:07:11.46,0:07:13.18,Default,,0000,0000,0000,,to save some time
Dialogue: 0,0:07:13.18,0:07:14.94,Default,,0000,0000,0000,,because it was just that obvious
Dialogue: 0,0:07:14.94,0:07:18.54,Default,,0000,0000,0000,,you will have a look at the bat script afterwards
Dialogue: 0,0:07:18.54,0:07:21.10,Default,,0000,0000,0000,,so you can see what I mean
Dialogue: 0,0:07:21.10,0:07:23.26,Default,,0000,0000,0000,,so yes, it's just a mini-XP
Dialogue: 0,0:07:23.26,0:07:26.20,Default,,0000,0000,0000,,you have the hack.bat
Dialogue: 0,0:07:26.20,0:07:31.18,Default,,0000,0000,0000,,and this will actually start the real malware
Dialogue: 0,0:07:31.18,0:07:33.78,Default,,0000,0000,0000,,the so-called atm.exe
Dialogue: 0,0:07:33.78,0:07:43.38,Default,,0000,0000,0000,,and yeah... what we found then besides the bootable device on the stick were some very interesting files
Dialogue: 0,0:07:43.38,0:07:48.18,Default,,0000,0000,0000,,they were obviously copied from the infected ATM teller machines
Dialogue: 0,0:07:48.18,0:07:52.18,Default,,0000,0000,0000,,we can tell that, because there were three different ones that we found there
Dialogue: 0,0:07:52.18,0:07:58.50,Default,,0000,0000,0000,,and it was very interesting what kind of data were copied from the ATMs
Dialogue: 0,0:07:58.50,0:08:03.22,Default,,0000,0000,0000,,we found data like system data
Dialogue: 0,0:08:03.22,0:08:09.42,Default,,0000,0000,0000,,like for example the software hive key
Dialogue: 0,0:08:09.42,0:08:17.50,Default,,0000,0000,0000,,a lot of files that have cache data, credit card data, payment data, something like that
Dialogue: 0,0:08:17.50,0:08:22.26,Default,,0000,0000,0000,,from each of the infected teller machines
Dialogue: 0,0:08:22.26,0:08:26.82,Default,,0000,0000,0000,,and of course we have our atm.exe
Dialogue: 0,0:08:26.82,0:08:28.86,Default,,0000,0000,0000,,that was really interesting
Dialogue: 0,0:08:28.86,0:08:36.30,Default,,0000,0000,0000,,and we take a quick look at the hack.bat script
Dialogue: 0,0:08:36.30,0:08:38.66,Default,,0000,0000,0000,,so you see, it's very user friendly
Dialogue: 0,0:08:38.66,0:08:44.46,Default,,0000,0000,0000,,because they implemented a lot of very interesting switches
Dialogue: 0,0:08:44.46,0:08:54.54,Default,,0000,0000,0000,,we see, right at the top, that he begins to copy the software hive key of the infected machines
Dialogue: 0,0:08:54.54,0:09:01.94,Default,,0000,0000,0000,,and at first he's checking if the system is already hacked or if he has to do it
Dialogue: 0,0:09:01.94,0:09:04.62,Default,,0000,0000,0000,,the switches you can see here
Dialogue: 0,0:09:04.62,0:09:09.14,Default,,0000,0000,0000,,they are all implemented
Dialogue: 0,0:09:09.14,0:09:12.60,Default,,0000,0000,0000,,the most used one is of course "-hack"
Dialogue: 0,0:09:12.60,0:09:16.62,Default,,0000,0000,0000,,we see otherwise, that you have some functionality like clear log files
Dialogue: 0,0:09:16.62,0:09:18.34,Default,,0000,0000,0000,,or get the log files
Dialogue: 0,0:09:18.34,0:09:24.54,Default,,0000,0000,0000,,this is the part where he copies really interesting data from the teller machines
Dialogue: 0,0:09:24.54,0:09:28.30,Default,,0000,0000,0000,,of course the question is: why does he do that?
Dialogue: 0,0:09:28.30,0:09:32.42,Default,,0000,0000,0000,,we answer that later
Dialogue: 0,0:09:32.42,0:09:39.98,Default,,0000,0000,0000,,it also has got a functionality on it that he can cover his tracks
Dialogue: 0,0:09:39.98,0:09:49.34,Default,,0000,0000,0000,,you can clear all files of the malware and remove it also
Dialogue: 0,0:09:49.34,0:09:54.70,Default,,0000,0000,0000,,a little bit more about the installer of the atm.exe
Dialogue: 0,0:09:54.70,0:09:55.94,Default,,0000,0000,0000,,tw: yeah, thanks
Dialogue: 0,0:09:55.94,0:09:57.78,Default,,0000,0000,0000,,I mean of course we were curious
Dialogue: 0,0:09:57.78,0:10:00.54,Default,,0000,0000,0000,,now that we know how the system gets infected
Dialogue: 0,0:10:00.54,0:10:05.60,Default,,0000,0000,0000,,insert the USB drive, force a reboot and then the batch script runs
Dialogue: 0,0:10:05.60,0:10:09.82,Default,,0000,0000,0000,,we were curious: how does the actual cash out process work?
Dialogue: 0,0:10:09.82,0:10:11.98,Default,,0000,0000,0000,,how do you get money out of the thing?
Dialogue: 0,0:10:11.98,0:10:13.74,Default,,0000,0000,0000,,what we did was
Dialogue: 0,0:10:13.74,0:10:16.50,Default,,0000,0000,0000,,we took this atm.exe file - the executable
Dialogue: 0,0:10:16.50,0:10:19.26,Default,,0000,0000,0000,,and reverse engineered that to recover the functionality
Dialogue: 0,0:10:19.26,0:10:24.74,Default,,0000,0000,0000,,and the next couple of slides talk about what we found in this executable
Dialogue: 0,0:10:24.74,0:10:27.20,Default,,0000,0000,0000,,first of all
Dialogue: 0,0:10:27.20,0:10:30.78,Default,,0000,0000,0000,,the atm.exe is a UPX packed thing
Dialogue: 0,0:10:30.78,0:10:33.42,Default,,0000,0000,0000,,UPX is one of the standard packers
Dialogue: 0,0:10:33.42,0:10:38.14,Default,,0000,0000,0000,,you can easily unpack the original code again
Dialogue: 0,0:10:38.14,0:10:41.58,Default,,0000,0000,0000,,and then we came across an interesting fact
Dialogue: 0,0:10:41.58,0:10:44.90,Default,,0000,0000,0000,,so we unpacked it and loaded it up into our analysis tools
Dialogue: 0,0:10:44.90,0:10:46.94,Default,,0000,0000,0000,,what you can see on the right hand side
Dialogue: 0,0:10:46.94,0:10:49.66,Default,,0000,0000,0000,,it's a little bit blurred, but we hope you can still read it
Dialogue: 0,0:10:49.66,0:10:53.30,Default,,0000,0000,0000,,is IDA Pro, that probably many of you are familiar with
Dialogue: 0,0:10:53.30,0:10:56.82,Default,,0000,0000,0000,,one of the state-of-the-art disassemblers
Dialogue: 0,0:10:56.82,0:10:59.58,Default,,0000,0000,0000,,so we loaded that file up into IDA Pro, took a look at the code
Dialogue: 0,0:10:59.58,0:11:02.60,Default,,0000,0000,0000,,and then we discovered something interesting
Dialogue: 0,0:11:02.60,0:11:07.46,Default,,0000,0000,0000,,we discovered that the original executable contains a resource
Dialogue: 0,0:11:07.46,0:11:10.14,Default,,0000,0000,0000,,if you are a little bit familiar with the PE format
Dialogue: 0,0:11:10.14,0:11:12.78,Default,,0000,0000,0000,,the executable file format on Windows systems
Dialogue: 0,0:11:12.78,0:11:17.38,Default,,0000,0000,0000,,you might know that there are containers that you can use to store additional data
Dialogue: 0,0:11:17.38,0:11:19.20,Default,,0000,0000,0000,,or attach data to a binary
Dialogue: 0,0:11:19.20,0:11:20.42,Default,,0000,0000,0000,,they are called resources
Dialogue: 0,0:11:20.42,0:11:24.46,Default,,0000,0000,0000,,so this binary had a resource and there was some encrypted data in there
Dialogue: 0,0:11:24.46,0:11:30.86,Default,,0000,0000,0000,,which turned out to be a DLL that contains the actual malicious functionality
Dialogue: 0,0:11:30.86,0:11:35.22,Default,,0000,0000,0000,,and the interesting thing is that this resource is XOR-encrypted
Dialogue: 0,0:11:35.22,0:11:38.70,Default,,0000,0000,0000,,now XOR is not a particularly strong encryption scheme
Dialogue: 0,0:11:38.70,0:11:41.78,Default,,0000,0000,0000,,but nevertheless, if the key is long enough
Dialogue: 0,0:11:41.78,0:11:43.18,Default,,0000,0000,0000,,like 4 bytes in this case
Dialogue: 0,0:11:43.18,0:11:45.18,Default,,0000,0000,0000,,I mean you can still probably brute-force it
Dialogue: 0,0:11:45.18,0:11:47.26,Default,,0000,0000,0000,,but well, you know
Dialogue: 0,0:11:47.26,0:11:54.62,Default,,0000,0000,0000,,we figured that every executable that's deployed onto an ATM has the resource
Dialogue: 0,0:11:54.62,0:12:01.58,Default,,0000,0000,0000,,encrypted with a key that is derived from the volume serial
Dialogue: 0,0:12:01.58,0:12:04.78,Default,,0000,0000,0000,,which is an ID that is assigned to a hard drive when it's formatted
Dialogue: 0,0:12:04.78,0:12:06.42,Default,,0000,0000,0000,,by the operating system
Dialogue: 0,0:12:06.42,0:12:13.46,Default,,0000,0000,0000,,that means that every executable that's deployed onto an ATM is tailored specifically for this ATM
Dialogue: 0,0:12:13.46,0:12:17.62,Default,,0000,0000,0000,,so it's not mass-malware that you can install on any ATM
Dialogue: 0,0:12:17.62,0:12:21.83,Default,,0000,0000,0000,,each executable only runs on one very specific ATM
Dialogue: 0,0:12:21.83,0:12:23.58,Default,,0000,0000,0000,,and that's interesting
Dialogue: 0,0:12:23.58,0:12:29.50,Default,,0000,0000,0000,,I mean of course that raises the question: How do they get this ID in the first place?
Dialogue: 0,0:12:29.50,0:12:32.46,Default,,0000,0000,0000,,How do they create this binary with the encrypted resource?
Dialogue: 0,0:12:32.46,0:12:35.14,Default,,0000,0000,0000,,Where do they get the volume serials from?
Dialogue: 0,0:12:35.14,0:12:36.74,Default,,0000,0000,0000,,and there are basically two options
Dialogue: 0,0:12:36.74,0:12:38.34,Default,,0000,0000,0000,,I mean we don't have the answers to these questions
Dialogue: 0,0:12:38.34,0:12:40.10,Default,,0000,0000,0000,,but there are only two options
Dialogue: 0,0:12:40.10,0:12:46.90,Default,,0000,0000,0000,,one is: they go to the ATMs the first time, run their stuff
Dialogue: 0,0:12:46.90,0:12:50.20,Default,,0000,0000,0000,,and extract the volume serial ID from the system
Dialogue: 0,0:12:50.20,0:12:53.42,Default,,0000,0000,0000,,then go home, prepare the malware and then come back to infect the system
Dialogue: 0,0:12:53.42,0:12:56.41,Default,,0000,0000,0000,,which seems kind of risky, because
Dialogue: 0,0:12:56.41,0:12:59.53,Default,,0000,0000,0000,,if you get caught while doing this... well then
Dialogue: 0,0:12:59.53,0:13:01.01,Default,,0000,0000,0000,,you'll lose something
Dialogue: 0,0:13:01.01,0:13:04.38,Default,,0000,0000,0000,,the other option is...
Dialogue: 0,0:13:04.38,0:13:08.33,Default,,0000,0000,0000,,we'll leave that to your imagination
Dialogue: 0,0:13:14.59,0:13:16.20,Default,,0000,0000,0000,,so what we did
Dialogue: 0,0:13:16.20,0:13:25.58,Default,,0000,0000,0000,,what you see here on the right hand side is some code that is executed after the XOR-decryption of the resource
Dialogue: 0,0:13:25.58,0:13:29.30,Default,,0000,0000,0000,,and if you look closely enough you can see in the first basic block up there
Dialogue: 0,0:13:29.30,0:13:33.20,Default,,0000,0000,0000,,it checks if the first byte of the decrypted data is an "M"
Dialogue: 0,0:13:33.20,0:13:36.58,Default,,0000,0000,0000,,and then the next one checks if the next byte - the second byte - is a "Z"
Dialogue: 0,0:13:36.58,0:13:40.58,Default,,0000,0000,0000,,which is part of the PE file header - MZ header
Dialogue: 0,0:13:40.58,0:13:45.38,Default,,0000,0000,0000,,so we figured: okay, this is probably an executable
Dialogue: 0,0:13:45.38,0:13:47.70,Default,,0000,0000,0000,,and that's how we recovered the original code
Dialogue: 0,0:13:47.70,0:13:50.34,Default,,0000,0000,0000,,we assumed that this is an executable and then
Dialogue: 0,0:13:50.34,0:13:52.42,Default,,0000,0000,0000,,you can call it a known plaintext attack or something like that
Dialogue: 0,0:13:52.42,0:13:57.86,Default,,0000,0000,0000,,we reverted the XOR-encryption and recovered the DLL
Dialogue: 0,0:13:57.86,0:14:01.90,Default,,0000,0000,0000,,and after this happened, of course
Dialogue: 0,0:14:01.90,0:14:06.22,Default,,0000,0000,0000,,the dropper runs some checksumming code
Dialogue: 0,0:14:06.22,0:14:16.50,Default,,0000,0000,0000,,to verify that the extracted and decrypted code is actually the DLL it wants to run
Dialogue: 0,0:14:21.74,0:14:24.30,Default,,0000,0000,0000,,so after we recovered this malicious DLL
Dialogue: 0,0:14:24.30,0:14:26.38,Default,,0000,0000,0000,,we took a closer look at that one
Dialogue: 0,0:14:26.38,0:14:33.26,Default,,0000,0000,0000,,and it's dropped into this path up there under the system directory
Dialogue: 0,0:14:33.26,0:14:38.18,Default,,0000,0000,0000,,and the value in the square brackets over there is again derived from the volume ID
Dialogue: 0,0:14:38.18,0:14:40.82,Default,,0000,0000,0000,,so if you come across one of these DLLs
Dialogue: 0,0:14:40.82,0:14:42.82,Default,,0000,0000,0000,,you can take a look at the file name
Dialogue: 0,0:14:42.82,0:14:45.90,Default,,0000,0000,0000,,and that's linked to the ATM it's supposed to run on
Dialogue: 0,0:14:45.90,0:14:48.14,Default,,0000,0000,0000,,because of the naming scheme here
Dialogue: 0,0:14:48.14,0:14:53.20,Default,,0000,0000,0000,,so that's how - and of course I mean you can see all of that in the code
Dialogue: 0,0:14:53.20,0:14:56.60,Default,,0000,0000,0000,,that the second value there is hard-coded
Dialogue: 0,0:14:56.60,0:15:03.46,Default,,0000,0000,0000,,that's how we figured: okay this sample was supposed to run on an ATM with this volume ID
Dialogue: 0,0:15:03.46,0:15:06.26,Default,,0000,0000,0000,,and then we came across something else
Dialogue: 0,0:15:06.26,0:15:08.46,Default,,0000,0000,0000,,something that's as interesting
Dialogue: 0,0:15:08.46,0:15:13.46,Default,,0000,0000,0000,,this DLL, or the malware in general writes a log file
Dialogue: 0,0:15:13.46,0:15:17.18,Default,,0000,0000,0000,,and stores this on the USB drive that's used for the infection process
Dialogue: 0,0:15:17.18,0:15:19.07,Default,,0000,0000,0000,,and that's pretty verbose
Dialogue: 0,0:15:19.07,0:15:20.97,Default,,0000,0000,0000,,if you look at this
Dialogue: 0,0:15:20.97,0:15:22.86,Default,,0000,0000,0000,,again we have to apologize that it's a little blurry
Dialogue: 0,0:15:22.86,0:15:25.70,Default,,0000,0000,0000,,but there you can see
Dialogue: 0,0:15:25.70,0:15:28.54,Default,,0000,0000,0000,,it's basically what is executed when the batch script runs, right?
Dialogue: 0,0:15:28.54,0:15:31.66,Default,,0000,0000,0000,,there is a file name up there
Dialogue: 0,0:15:31.66,0:15:35.98,Default,,0000,0000,0000,,if you can see that 978-blablabla DLL and some others
Dialogue: 0,0:15:35.98,0:15:44.38,Default,,0000,0000,0000,,and surprisingly this log file contained information about three other infections that took place
Dialogue: 0,0:15:44.38,0:15:48.82,Default,,0000,0000,0000,,so we switch to the next slide
Dialogue: 0,0:15:48.82,0:15:50.82,Default,,0000,0000,0000,,with that information we can say
Dialogue: 0,0:15:50.82,0:15:54.90,Default,,0000,0000,0000,,we have information that these guys infected at least four ATMs
Dialogue: 0,0:15:54.90,0:15:57.20,Default,,0000,0000,0000,,the one we had that DLL for
Dialogue: 0,0:15:57.20,0:15:58.78,Default,,0000,0000,0000,,and then these other three
Dialogue: 0,0:15:58.78,0:16:01.86,Default,,0000,0000,0000,,that we recover from the log file
Dialogue: 0,0:16:01.86,0:16:04.78,Default,,0000,0000,0000,,log file - again - is XOR-encrypted, but the key is hard-coded
Dialogue: 0,0:16:04.78,0:16:08.70,Default,,0000,0000,0000,,so we could recover it from the code and then decrypt the log file and read it
Dialogue: 0,0:16:08.70,0:16:11.90,Default,,0000,0000,0000,,this is an abbreviated version
Dialogue: 0,0:16:11.90,0:16:13.90,Default,,0000,0000,0000,,the most interesting lines from the log
Dialogue: 0,0:16:13.90,0:16:18.34,Default,,0000,0000,0000,,you can see that these ATMs run in fact Windows XP
Dialogue: 0,0:16:18.34,0:16:19.52,Default,,0000,0000,0000,,yeah...
Dialogue: 0,0:16:21.94,0:16:29.54,Default,,0000,0000,0000,,sb: what probably is quite interesting here is that we have information about three different teller machines
Dialogue: 0,0:16:29.54,0:16:31.94,Default,,0000,0000,0000,,that were infected with this USB device
Dialogue: 0,0:16:31.94,0:16:37.34,Default,,0000,0000,0000,,in clear text and we have it additionally in this somehow encrypted log file
Dialogue: 0,0:16:37.34,0:16:41.74,Default,,0000,0000,0000,,so the question is: Why do we have that twice?
Dialogue: 0,0:16:41.74,0:16:43.38,Default,,0000,0000,0000,,Why do we have this log file?
Dialogue: 0,0:16:43.38,0:16:45.26,Default,,0000,0000,0000,,And why didn't they remove those files?
Dialogue: 0,0:16:45.26,0:16:50.86,Default,,0000,0000,0000,,actually for every new infection they have to build up a new exe device
Dialogue: 0,0:16:50.86,0:16:55.60,Default,,0000,0000,0000,,which is encrypted with the volume serial ID from this machine
Dialogue: 0,0:16:55.60,0:16:58.20,Default,,0000,0000,0000,,and they would have enough time to clear that up
Dialogue: 0,0:16:58.20,0:16:59.58,Default,,0000,0000,0000,,but they didn't do it
Dialogue: 0,0:16:59.58,0:17:04.49,Default,,0000,0000,0000,,so furthermore the question broke: Why didn't they?
Dialogue: 0,0:17:09.22,0:17:12.86,Default,,0000,0000,0000,,tw: okay, now in this part we wanna talk a little bit more about the actual payload
Dialogue: 0,0:17:12.86,0:17:17.50,Default,,0000,0000,0000,,the malicious code that's executed on the compromised ATM
Dialogue: 0,0:17:17.50,0:17:20.03,Default,,0000,0000,0000,,you know, the interesting bit
Dialogue: 0,0:17:21.14,0:17:25.26,Default,,0000,0000,0000,,what you can see here is a list of some facts that we discovered
Dialogue: 0,0:17:25.26,0:17:29.50,Default,,0000,0000,0000,,again this file contains some encrypted resources
Dialogue: 0,0:17:29.50,0:17:33.26,Default,,0000,0000,0000,,this time they're encrypted with the static key that you see up there
Dialogue: 0,0:17:33.26,0:17:37.70,Default,,0000,0000,0000,,so by looking at the code we obtained this key and could easily recover the resources
Dialogue: 0,0:17:37.70,0:17:43.14,Default,,0000,0000,0000,,and they contained images like the one you see on the right hand side, up there
Dialogue: 0,0:17:43.14,0:17:48.94,Default,,0000,0000,0000,,obviously stuff they wanted to display on the ATM screen, right?
Dialogue: 0,0:17:48.94,0:17:52.82,Default,,0000,0000,0000,,we changed the coloring scheme and some other stuff here a little bit
Dialogue: 0,0:17:52.82,0:17:55.58,Default,,0000,0000,0000,,because we don't wanna disclose the target here
Dialogue: 0,0:17:55.58,0:18:00.26,Default,,0000,0000,0000,,yeah that's what they store in these resources
Dialogue: 0,0:18:00.26,0:18:04.26,Default,,0000,0000,0000,,another thing that was in there, is this sdelete tool from Sysinternals
Dialogue: 0,0:18:04.26,0:18:08.18,Default,,0000,0000,0000,,maybe some of you are familiar with that
Dialogue: 0,0:18:08.18,0:18:10.98,Default,,0000,0000,0000,,a publicly available tool for secure file deletion
Dialogue: 0,0:18:10.98,0:18:16.20,Default,,0000,0000,0000,,so you know, you overwrite the file with specific byte patterns before you remove it
Dialogue: 0,0:18:16.20,0:18:19.38,Default,,0000,0000,0000,,and they used that to remove forensic artefacts
Dialogue: 0,0:18:19.38,0:18:21.30,Default,,0000,0000,0000,,forensic traces from the system
Dialogue: 0,0:18:21.30,0:18:23.30,Default,,0000,0000,0000,,for example when they're uninstalling the malware
Dialogue: 0,0:18:23.30,0:18:25.86,Default,,0000,0000,0000,,because you can also uninstall it from an ATM
Dialogue: 0,0:18:25.86,0:18:30.94,Default,,0000,0000,0000,,but in case this fails for whatever reason, they have some backup code in the malware
Dialogue: 0,0:18:30.94,0:18:34.78,Default,,0000,0000,0000,,some backup secure undelete code that does basically the same stuff
Dialogue: 0,0:18:34.78,0:18:37.54,Default,,0000,0000,0000,,it overwrites the data first and then it deletes the file
Dialogue: 0,0:18:37.54,0:18:40.42,Default,,0000,0000,0000,,so it's kinda interesting that they put a lot of effort into
Dialogue: 0,0:18:40.42,0:18:42.42,Default,,0000,0000,0000,,covering up their, you know
Dialogue: 0,0:18:42.42,0:18:45.54,Default,,0000,0000,0000,,hiding their traces on the system
Dialogue: 0,0:18:45.54,0:18:47.10,Default,,0000,0000,0000,,and by the way
Dialogue: 0,0:18:47.10,0:18:49.20,Default,,0000,0000,0000,,we will give you a demo in a few minutes
Dialogue: 0,0:18:49.20,0:18:51.90,Default,,0000,0000,0000,,and show you the whole process
Dialogue: 0,0:18:51.90,0:18:54.26,Default,,0000,0000,0000,,how you interact with an infected ATM
Dialogue: 0,0:18:54.26,0:18:57.50,Default,,0000,0000,0000,,you will see the other screens as well
Dialogue: 0,0:19:01.86,0:19:07.38,Default,,0000,0000,0000,,then of course for most malware it's important to become persistent on the infected system
Dialogue: 0,0:19:07.38,0:19:13.78,Default,,0000,0000,0000,,because when it reboots for whatever reason, you want the malware to automatically load again
Dialogue: 0,0:19:13.78,0:19:27.03,Default,,0000,0000,0000,,and these guys do that by writing the dropped DLL into the AppInit_DLLs value in the Windows registry
Dialogue: 0,0:19:27.03,0:19:29.34,Default,,0000,0000,0000,,for those of you, who are not familiar with the value
Dialogue: 0,0:19:29.34,0:19:34.86,Default,,0000,0000,0000,,you can specify libraries in there that are loaded into every process that starts up
Dialogue: 0,0:19:34.86,0:19:39.70,Default,,0000,0000,0000,,so by this you make sure that the malicious DLL is loaded into every process that starts
Dialogue: 0,0:19:39.70,0:19:42.91,Default,,0000,0000,0000,,within the current logon session at least
Dialogue: 0,0:19:43.98,0:19:48.18,Default,,0000,0000,0000,,what you see down there is some decompiled source code
Dialogue: 0,0:19:48.18,0:19:51.58,Default,,0000,0000,0000,,basically the main function of the malware
Dialogue: 0,0:19:51.58,0:19:53.14,Default,,0000,0000,0000,,of the DLL
Dialogue: 0,0:19:53.14,0:19:54.98,Default,,0000,0000,0000,,and what you can see there
Dialogue: 0,0:19:54.98,0:19:58.10,Default,,0000,0000,0000,,there are several checks running in cash client one
Dialogue: 0,0:19:58.10,0:20:01.14,Default,,0000,0000,0000,,cash client is the term for the software that controls the ATM
Dialogue: 0,0:20:01.14,0:20:02.66,Default,,0000,0000,0000,,that is running on the ATM
Dialogue: 0,0:20:02.66,0:20:04.90,Default,,0000,0000,0000,,and controls the dispenser and so on
Dialogue: 0,0:20:04.90,0:20:09.14,Default,,0000,0000,0000,,so it does this check and if this returns true, it starts some routine
Dialogue: 0,0:20:09.14,0:20:14.26,Default,,0000,0000,0000,,and if some other checks succeed, then it calls some other functions and so on
Dialogue: 0,0:20:14.26,0:20:20.46,Default,,0000,0000,0000,,basically what's happening here is that the DLL checks the name of the process it's running in
Dialogue: 0,0:20:20.46,0:20:24.34,Default,,0000,0000,0000,,and then depending on this name it invokes certain functionality
Dialogue: 0,0:20:24.34,0:20:29.94,Default,,0000,0000,0000,,and we believe that by doing this they implement support for different cash clients
Dialogue: 0,0:20:29.94,0:20:36.58,Default,,0000,0000,0000,,this line down here, running in lsass.exe is also interesting
Dialogue: 0,0:20:36.58,0:20:40.54,Default,,0000,0000,0000,,because the DLL is also obviously loaded into
Dialogue: 0,0:20:40.54,0:20:42.34,Default,,0000,0000,0000,,what's lsass again? local system...
Dialogue: 0,0:20:42.34,0:20:44.86,Default,,0000,0000,0000,,some Windows process
Dialogue: 0,0:20:44.86,0:20:47.30,Default,,0000,0000,0000,,it is also loaded into that one of course
Dialogue: 0,0:20:47.30,0:20:49.66,Default,,0000,0000,0000,,because of the AppInit thing
Dialogue: 0,0:20:49.66,0:20:54.26,Default,,0000,0000,0000,,if it's running in this, it doesn't interact with the cash client ATM software at all
Dialogue: 0,0:20:54.26,0:21:00.60,Default,,0000,0000,0000,,the DLL that's running in there is an event processor
Dialogue: 0,0:21:00.60,0:21:02.86,Default,,0000,0000,0000,,for example, if you wanna uninstall the software
Dialogue: 0,0:21:02.86,0:21:05.46,Default,,0000,0000,0000,,you basically create an uninstall event
Dialogue: 0,0:21:05.46,0:21:07.94,Default,,0000,0000,0000,,and then the instance running in this process here
Dialogue: 0,0:21:07.94,0:21:11.14,Default,,0000,0000,0000,,handles the event and removes the file and so on
Dialogue: 0,0:21:11.14,0:21:13.14,Default,,0000,0000,0000,,and cleans up all traces
Dialogue: 0,0:21:13.14,0:21:15.62,Default,,0000,0000,0000,,sb: what's also quite interesting here
Dialogue: 0,0:21:15.62,0:21:19.10,Default,,0000,0000,0000,,you can see that later on, when we discover the malware itself
Dialogue: 0,0:21:19.10,0:21:22.10,Default,,0000,0000,0000,,they have really something like a development cycle
Dialogue: 0,0:21:22.10,0:21:24.26,Default,,0000,0000,0000,,it's really professionally made up
Dialogue: 0,0:21:24.26,0:21:31.90,Default,,0000,0000,0000,,because within the first infections we could find this malicious DLL within this AppInit hive key
Dialogue: 0,0:21:31.90,0:21:37.78,Default,,0000,0000,0000,,there was an incident where the forensic team could discover it there
Dialogue: 0,0:21:37.78,0:21:39.90,Default,,0000,0000,0000,,because it's quite obvious, you know
Dialogue: 0,0:21:39.90,0:21:45.42,Default,,0000,0000,0000,,the AppInit DLL key is very famous for any malware
Dialogue: 0,0:21:45.42,0:21:47.58,Default,,0000,0000,0000,,that should start at startup
Dialogue: 0,0:21:47.58,0:21:48.90,Default,,0000,0000,0000,,and they improved it
Dialogue: 0,0:21:48.90,0:21:55.22,Default,,0000,0000,0000,,so later on, they just added this malicious DLL to the DLLs which are started
Dialogue: 0,0:21:55.22,0:21:56.94,Default,,0000,0000,0000,,just when the cash client is started
Dialogue: 0,0:21:56.94,0:22:00.58,Default,,0000,0000,0000,,so it's also started from the startup, but it's not as loud
Dialogue: 0,0:22:00.58,0:22:05.22,Default,,0000,0000,0000,,so you have to search quite a bit deeper to find it
Dialogue: 0,0:22:07.62,0:22:10.26,Default,,0000,0000,0000,,tw: Where are we? Are we on time? How are we doing?
Dialogue: 0,0:22:10.26,0:22:12.62,Default,,0000,0000,0000,,How much time do we have left?
Dialogue: 0,0:22:18.42,0:22:19.25,Default,,0000,0000,0000,,okay, plenty of time
Dialogue: 0,0:22:19.25,0:22:20.42,Default,,0000,0000,0000,,great
Dialogue: 0,0:22:20.42,0:22:28.18,Default,,0000,0000,0000,,so we know how the malware becomes persistent
Dialogue: 0,0:22:28.18,0:22:31.62,Default,,0000,0000,0000,,we know how it makes sure that it runs on the system
Dialogue: 0,0:22:31.62,0:22:36.90,Default,,0000,0000,0000,,so it injects this DLL into all these processes
Dialogue: 0,0:22:36.90,0:22:39.70,Default,,0000,0000,0000,,now of course we wanna know how to interact with it
Dialogue: 0,0:22:39.70,0:22:41.82,Default,,0000,0000,0000,,because there must be a way of interacting with the malware
Dialogue: 0,0:22:41.82,0:22:50.54,Default,,0000,0000,0000,,and what we found out by reverse engineering the code is that the DLL that's running in the cash client
Dialogue: 0,0:22:50.54,0:22:53.50,Default,,0000,0000,0000,,installs a hook for keyboard events
Dialogue: 0,0:22:53.50,0:22:57.62,Default,,0000,0000,0000,,so whenever you press a key on the keyboard, which in this case is the num pad
Dialogue: 0,0:22:57.62,0:23:02.94,Default,,0000,0000,0000,,this is trapped by the malware and processed
Dialogue: 0,0:23:02.94,0:23:05.90,Default,,0000,0000,0000,,and what they do is, they process only number keys
Dialogue: 0,0:23:05.90,0:23:07.18,Default,,0000,0000,0000,,for obvious reasons
Dialogue: 0,0:23:07.18,0:23:08.98,Default,,0000,0000,0000,,because that's the only kind of keys that you can enter
Dialogue: 0,0:23:08.98,0:23:11.78,Default,,0000,0000,0000,,and if you enter the code that you've seen on the first slide
Dialogue: 0,0:23:11.78,0:23:19.62,Default,,0000,0000,0000,,you activate a hidden menu that allows you to choose from several options
Dialogue: 0,0:23:19.62,0:23:24.20,Default,,0000,0000,0000,,that you can use to control the ATM
Dialogue: 0,0:23:27.87,0:23:29.54,Default,,0000,0000,0000,,but they have implemented an additional measure
Dialogue: 0,0:23:29.54,0:23:34.22,Default,,0000,0000,0000,,because, you know, it's possible that somebody by accident enters the right 12 digits
Dialogue: 0,0:23:34.22,0:23:37.10,Default,,0000,0000,0000,,and then {\i1}surprise{\i0} this thing pops up
Dialogue: 0,0:23:37.10,0:23:39.50,Default,,0000,0000,0000,,and you can dispense all the money from the ATM
Dialogue: 0,0:23:39.50,0:23:41.70,Default,,0000,0000,0000,,of course they don't want that to happen
Dialogue: 0,0:23:41.70,0:23:44.26,Default,,0000,0000,0000,,so they have implemented a challenge-response scheme
Dialogue: 0,0:23:44.26,0:23:48.30,Default,,0000,0000,0000,,so when you enter the 12 digit code, the first menu allows you to say
Dialogue: 0,0:23:48.30,0:23:50.30,Default,,0000,0000,0000,,present me with a challenge
Dialogue: 0,0:23:50.30,0:23:54.70,Default,,0000,0000,0000,,and then the malware generates a random or like a secret code
Dialogue: 0,0:23:54.70,0:23:57.46,Default,,0000,0000,0000,,where the scheme to generate it is secret
Dialogue: 0,0:23:57.46,0:23:59.90,Default,,0000,0000,0000,,and you have to enter a response
Dialogue: 0,0:23:59.90,0:24:02.14,Default,,0000,0000,0000,,that's not easy to crack
Dialogue: 0,0:24:02.14,0:24:03.98,Default,,0000,0000,0000,,what they do in this case
Dialogue: 0,0:24:03.98,0:24:10.10,Default,,0000,0000,0000,,because the poor guy who goes to the ATM to cash out is not the brain behind the whole operation
Dialogue: 0,0:24:10.10,0:24:13.66,Default,,0000,0000,0000,,they're likely to get arrested
Dialogue: 0,0:24:13.66,0:24:17.54,Default,,0000,0000,0000,,so they probably don't want to transfer the knowledge
Dialogue: 0,0:24:17.54,0:24:21.10,Default,,0000,0000,0000,,how to generate the response for the challenge to these people
Dialogue: 0,0:24:21.10,0:24:26.14,Default,,0000,0000,0000,,can you tell the story about the phone calls?
Dialogue: 0,0:24:26.14,0:24:32.66,Default,,0000,0000,0000,,sb: yeah, actually they had a surveillance video where they could monitor just one of their cash guys
Dialogue: 0,0:24:32.66,0:24:37.38,Default,,0000,0000,0000,,who had just entered the secret 12 digits
Dialogue: 0,0:24:37.38,0:24:43.46,Default,,0000,0000,0000,,and you can see on this video that he has already one part of this hack view
Dialogue: 0,0:24:43.46,0:24:47.78,Default,,0000,0000,0000,,and after that he just took a cell phone
Dialogue: 0,0:24:47.78,0:24:52.62,Default,,0000,0000,0000,,and called somebody and you can see that within that call
Dialogue: 0,0:24:52.62,0:24:59.82,Default,,0000,0000,0000,,he types another number and right after that, he starts cashing out the teller machines
Dialogue: 0,0:24:59.82,0:25:05.70,Default,,0000,0000,0000,,that's exactly that challenge-response check he was talking about
Dialogue: 0,0:25:05.70,0:25:10.30,Default,,0000,0000,0000,,so this proves that they don't want to leave anything to chance
Dialogue: 0,0:25:10.30,0:25:18.50,Default,,0000,0000,0000,,they wanna control which teller machine is cashed out and exactly when and who does the cash out
Dialogue: 0,0:25:18.50,0:25:24.62,Default,,0000,0000,0000,,so this may imply that they don't trust their own people, do they?
Dialogue: 0,0:25:24.62,0:25:30.74,Default,,0000,0000,0000,,tw: so, I mean we tried to bring you this video where the guy makes the phone call
Dialogue: 0,0:25:30.74,0:25:34.14,Default,,0000,0000,0000,,but obviously the bank that was targeted here
Dialogue: 0,0:25:34.14,0:25:38.62,Default,,0000,0000,0000,,they're a little concerned about their identity being disclosed
Dialogue: 0,0:25:38.62,0:25:40.62,Default,,0000,0000,0000,,so unfortunately we couldn't get it
Dialogue: 0,0:25:40.62,0:25:43.62,Default,,0000,0000,0000,,but, well, you have to trust us on that
Dialogue: 0,0:25:43.62,0:25:46.14,Default,,0000,0000,0000,,that's how they probably do it
Dialogue: 0,0:25:46.14,0:25:52.66,Default,,0000,0000,0000,,another thing is that these guys already anticipated that somebody would get a copy of the malware
Dialogue: 0,0:25:52.66,0:25:55.30,Default,,0000,0000,0000,,and then probably start to reverse engineer it
Dialogue: 0,0:25:55.30,0:25:58.10,Default,,0000,0000,0000,,and understand how it works
Dialogue: 0,0:25:58.10,0:25:59.78,Default,,0000,0000,0000,,and of course the worst thing that can happen is
Dialogue: 0,0:25:59.78,0:26:03.70,Default,,0000,0000,0000,,if somebody recovers the challenge-response functionality in that code
Dialogue: 0,0:26:03.70,0:26:09.26,Default,,0000,0000,0000,,and then goes to all the hacked ATMs and, you know, jackpots them
Dialogue: 0,0:26:09.26,0:26:11.18,Default,,0000,0000,0000,,instead of these guys
Dialogue: 0,0:26:11.18,0:26:15.22,Default,,0000,0000,0000,,so they figured: okay, we need a means to protect that really important code
Dialogue: 0,0:26:15.22,0:26:18.26,Default,,0000,0000,0000,,and that's not the only part that's protected
Dialogue: 0,0:26:18.26,0:26:22.50,Default,,0000,0000,0000,,there are several pieces that are, you know, critical
Dialogue: 0,0:26:22.50,0:26:24.26,Default,,0000,0000,0000,,so to speak
Dialogue: 0,0:26:24.26,0:26:26.90,Default,,0000,0000,0000,,so this challenge-response thing is one of them
Dialogue: 0,0:26:26.90,0:26:31.74,Default,,0000,0000,0000,,and the other parts that are protected are everything that interacts with the cash client
Dialogue: 0,0:26:31.74,0:26:37.94,Default,,0000,0000,0000,,so by looking at the code you would never see a direct API call or DLL function call
Dialogue: 0,0:26:37.94,0:26:40.26,Default,,0000,0000,0000,,into the cash client's libraries
Dialogue: 0,0:26:40.26,0:26:41.86,Default,,0000,0000,0000,,all of this stuff is protected
Dialogue: 0,0:26:41.86,0:26:46.22,Default,,0000,0000,0000,,and I'm gonna talk a little bit more about how they do that
Dialogue: 0,0:26:48.23,0:26:51.62,Default,,0000,0000,0000,,it's a little bit hard to put that...
Dialogue: 0,0:26:51.62,0:26:53.70,Default,,0000,0000,0000,,to find the right words for it
Dialogue: 0,0:26:53.70,0:26:57.34,Default,,0000,0000,0000,,we have a picture of that in our mind, but...
Dialogue: 0,0:26:57.34,0:26:59.50,Default,,0000,0000,0000,,we call that a state machine
Dialogue: 0,0:26:59.50,0:27:04.14,Default,,0000,0000,0000,,so their obfuscation method is basically control flow obfuscation
Dialogue: 0,0:27:04.14,0:27:08.54,Default,,0000,0000,0000,,when you look at some code statically, you can see this function is calling that function
Dialogue: 0,0:27:08.54,0:27:11.18,Default,,0000,0000,0000,,and then this is calling that under this condition and so on
Dialogue: 0,0:27:11.18,0:27:13.30,Default,,0000,0000,0000,,that's the control flow in the code
Dialogue: 0,0:27:13.30,0:27:16.90,Default,,0000,0000,0000,,but if you don't wanna disclose that function A is calling function B
Dialogue: 0,0:27:16.90,0:27:19.38,Default,,0000,0000,0000,,you have to put something in between
Dialogue: 0,0:27:19.38,0:27:21.30,Default,,0000,0000,0000,,that obfuscates this relationship
Dialogue: 0,0:27:21.30,0:27:25.22,Default,,0000,0000,0000,,they implemented a state machine
Dialogue: 0,0:27:25.22,0:27:26.98,Default,,0000,0000,0000,,that's what we call it
Dialogue: 0,0:27:26.98,0:27:28.58,Default,,0000,0000,0000,,and this state machine consumes a buffer
Dialogue: 0,0:27:28.58,0:27:31.18,Default,,0000,0000,0000,,a static buffer that's somewhere in the binary
Dialogue: 0,0:27:31.18,0:27:34.14,Default,,0000,0000,0000,,and performs some computation on the bytes
Dialogue: 0,0:27:34.14,0:27:37.22,Default,,0000,0000,0000,,and the result is the address of the function to call
Dialogue: 0,0:27:37.22,0:27:41.98,Default,,0000,0000,0000,,at some point you say: state machine, here is a buffer
Dialogue: 0,0:27:41.98,0:27:43.46,Default,,0000,0000,0000,,do your thing
Dialogue: 0,0:27:43.46,0:27:46.30,Default,,0000,0000,0000,,and then the state machine starts computing the address to call
Dialogue: 0,0:27:46.30,0:27:48.38,Default,,0000,0000,0000,,or that's only one scenario
Dialogue: 0,0:27:48.38,0:27:51.20,Default,,0000,0000,0000,,the other scenario is that you wanna compute a certain value
Dialogue: 0,0:27:51.20,0:27:54.60,Default,,0000,0000,0000,,for example, you enter the response for a particular challenge
Dialogue: 0,0:27:54.60,0:28:01.58,Default,,0000,0000,0000,,and then the state machine with its functions computes some other value
Dialogue: 0,0:28:01.58,0:28:04.86,Default,,0000,0000,0000,,that it compares to a challenge or something
Dialogue: 0,0:28:04.86,0:28:08.94,Default,,0000,0000,0000,,and this computation as well is protected by the state machine
Dialogue: 0,0:28:08.94,0:28:13.18,Default,,0000,0000,0000,,and you can see a little snippet of that on the right hand side
Dialogue: 0,0:28:13.18,0:28:17.38,Default,,0000,0000,0000,,again, if you can read it, you can see there's a lot of junk code in there
Dialogue: 0,0:28:17.38,0:28:21.60,Default,,0000,0000,0000,,those of you who are familiar with polymorphism
Dialogue: 0,0:28:21.60,0:28:23.54,Default,,0000,0000,0000,,polymorphic malware or other stuff like that
Dialogue: 0,0:28:23.54,0:28:28.14,Default,,0000,0000,0000,,you will immediately see that some of the functions in there are total garbage
Dialogue: 0,0:28:28.14,0:28:31.50,Default,,0000,0000,0000,,like for example, the SUB AL e1
Dialogue: 0,0:28:31.50,0:28:36.50,Default,,0000,0000,0000,,and then, you know, some values are subtracted from a register first and then added again
Dialogue: 0,0:28:36.50,0:28:38.74,Default,,0000,0000,0000,,so it's basically doing nothing
Dialogue: 0,0:28:38.74,0:28:44.70,Default,,0000,0000,0000,,this junk code stuff is one method of obfuscation
Dialogue: 0,0:28:44.70,0:28:47.74,Default,,0000,0000,0000,,and the other is what's usually called "spaghetti code"
Dialogue: 0,0:28:47.74,0:28:49.62,Default,,0000,0000,0000,,you know, it's jumping back and forth
Dialogue: 0,0:28:49.62,0:28:52.50,Default,,0000,0000,0000,,and calling subroutines all over the place
Dialogue: 0,0:28:52.50,0:28:56.98,Default,,0000,0000,0000,,and I think it's really hard or next to impossible to reverse engineer that
Dialogue: 0,0:28:56.98,0:28:59.46,Default,,0000,0000,0000,,at least we spent several days
Dialogue: 0,0:28:59.46,0:29:00.74,Default,,0000,0000,0000,,weeks even
Dialogue: 0,0:29:00.74,0:29:02.90,Default,,0000,0000,0000,,and we couldn't really figure out how the state machine works
Dialogue: 0,0:29:02.90,0:29:04.22,Default,,0000,0000,0000,,and that's really the purpose
Dialogue: 0,0:29:04.22,0:29:08.38,Default,,0000,0000,0000,,but fortunately for us there was a solution for this
Dialogue: 0,0:29:08.38,0:29:12.70,Default,,0000,0000,0000,,and that is what the little colored bar at the bottom of the slide shows you
Dialogue: 0,0:29:12.70,0:29:17.50,Default,,0000,0000,0000,,again, this is something that IDA Pro generates for you, this disassembler tool
Dialogue: 0,0:29:17.50,0:29:20.30,Default,,0000,0000,0000,,you can see the blue stuff at the front
Dialogue: 0,0:29:20.30,0:29:24.78,Default,,0000,0000,0000,,that's the real code of the malware
Dialogue: 0,0:29:24.78,0:29:27.10,Default,,0000,0000,0000,,all of that lives in the code section
Dialogue: 0,0:29:27.10,0:29:28.70,Default,,0000,0000,0000,,and is at the beginning
Dialogue: 0,0:29:28.70,0:29:31.54,Default,,0000,0000,0000,,and the green stuff here is library functions
Dialogue: 0,0:29:31.54,0:29:33.98,Default,,0000,0000,0000,,here we have some data
Dialogue: 0,0:29:33.98,0:29:36.70,Default,,0000,0000,0000,,and at the end there is some code again
Dialogue: 0,0:29:36.70,0:29:39.10,Default,,0000,0000,0000,,and surprisingly this is the state machine
Dialogue: 0,0:29:39.10,0:29:42.78,Default,,0000,0000,0000,,and it's pretty convenient for us that this is somewhere else in the memory layout
Dialogue: 0,0:29:42.78,0:29:43.98,Default,,0000,0000,0000,,so what you can do is
Dialogue: 0,0:29:43.98,0:29:46.78,Default,,0000,0000,0000,,you can put a memory break point at the section here
Dialogue: 0,0:29:46.78,0:29:51.74,Default,,0000,0000,0000,,and by doing this trap every attempt to execute the state machine code
Dialogue: 0,0:29:51.74,0:29:54.14,Default,,0000,0000,0000,,and then when you're in the state machine
Dialogue: 0,0:29:54.14,0:29:57.66,Default,,0000,0000,0000,,you put a break point on the original, on the real code, up there
Dialogue: 0,0:29:57.66,0:30:01.80,Default,,0000,0000,0000,,and you get the exit point of the state machine
Dialogue: 0,0:30:01.80,0:30:05.58,Default,,0000,0000,0000,,by doing this you can basically treat the state machine as a black box
Dialogue: 0,0:30:05.58,0:30:07.58,Default,,0000,0000,0000,,you don't care about the calculations at all
Dialogue: 0,0:30:07.58,0:30:12.20,Default,,0000,0000,0000,,you can still reconstruct the relationship between the calling function and the callee
Dialogue: 0,0:30:12.20,0:30:14.98,Default,,0000,0000,0000,,okay
Dialogue: 0,0:30:14.98,0:30:23.58,Default,,0000,0000,0000,,unfortunately we couldn't use this break point method to understand how these value calculations are performed
Dialogue: 0,0:30:23.58,0:30:29.22,Default,,0000,0000,0000,,but, well, you still can inspect memory and somehow understand a little bit of that somehow at least
Dialogue: 0,0:30:33.26,0:30:38.46,Default,,0000,0000,0000,,okay now we wanna demo to you what this thing looks like
Dialogue: 0,0:30:38.46,0:30:42.20,Default,,0000,0000,0000,,unfortunately we don't own an ATM that we can infect
Dialogue: 0,0:30:42.20,0:30:46.71,Default,,0000,0000,0000,,but we have a virtual machine here that's running the malware
Dialogue: 0,0:30:48.27,0:30:50.50,Default,,0000,0000,0000,,and we've patched the malware a little bit here
Dialogue: 0,0:30:50.50,0:30:51.90,Default,,0000,0000,0000,,I think we didn't tell you
Dialogue: 0,0:30:51.90,0:30:54.42,Default,,0000,0000,0000,,so what's happening is these screens when you enter the secret code
Dialogue: 0,0:30:54.42,0:30:57.18,Default,,0000,0000,0000,,these screens that you saw on the slide
Dialogue: 0,0:30:57.18,0:31:01.14,Default,,0000,0000,0000,,they're displayed on a second desktop
Dialogue: 0,0:31:01.14,0:31:03.58,Default,,0000,0000,0000,,on Windows you can have as many desktops
Dialogue: 0,0:31:03.58,0:31:05.66,Default,,0000,0000,0000,,like virtual desktops as you want
Dialogue: 0,0:31:05.66,0:31:08.26,Default,,0000,0000,0000,,and then switch back and forth between these desktops
Dialogue: 0,0:31:08.26,0:31:09.42,Default,,0000,0000,0000,,so what's happening is
Dialogue: 0,0:31:09.42,0:31:11.18,Default,,0000,0000,0000,,these screens are displayed on a second desktop
Dialogue: 0,0:31:11.18,0:31:15.30,Default,,0000,0000,0000,,and then execution switches over
Dialogue: 0,0:31:15.30,0:31:17.94,Default,,0000,0000,0000,,the display switches over to this desktop
Dialogue: 0,0:31:17.94,0:31:21.70,Default,,0000,0000,0000,,so you leave the original ATM display and its process alone
Dialogue: 0,0:31:21.70,0:31:24.34,Default,,0000,0000,0000,,you just switch over to your secret menu desktop
Dialogue: 0,0:31:24.34,0:31:27.15,Default,,0000,0000,0000,,and when you're done, you can switch back
Dialogue: 0,0:31:28.10,0:31:31.14,Default,,0000,0000,0000,,that's a little difficult to debug
Dialogue: 0,0:31:31.14,0:31:34.62,Default,,0000,0000,0000,,because when you do that, when you're running in a debugger and using break points and stuff
Dialogue: 0,0:31:34.62,0:31:38.74,Default,,0000,0000,0000,,and the malware all of a sudden switches to a second desktop
Dialogue: 0,0:31:38.74,0:31:42.20,Default,,0000,0000,0000,,you can't control the debugger anymore, because it's running on the first desktop
Dialogue: 0,0:31:42.20,0:31:47.74,Default,,0000,0000,0000,,so we had to patch a few things to make it more convenient for us to demonstrate this
Dialogue: 0,0:31:47.74,0:31:50.88,Default,,0000,0000,0000,,and that's what we're gonna do now
Dialogue: 0,0:31:56.14,0:31:57.82,Default,,0000,0000,0000,,can you...?
Dialogue: 0,0:31:57.82,0:32:01.58,Default,,0000,0000,0000,,so we have this little Windows XP VM
Dialogue: 0,0:32:01.58,0:32:04.14,Default,,0000,0000,0000,,because we want to be accurate, right?
Dialogue: 0,0:32:04.14,0:32:07.70,Default,,0000,0000,0000,,and I'm gonna start two processes here
Dialogue: 0,0:32:07.70,0:32:11.58,Default,,0000,0000,0000,,one is: I have some little batch scripts
Dialogue: 0,0:32:11.58,0:32:17.62,Default,,0000,0000,0000,,one is the one that simulates the malware running in the lsass process
Dialogue: 0,0:32:17.62,0:32:23.86,Default,,0000,0000,0000,,and the other one simulates the malware running in the cash client
Dialogue: 0,0:32:23.86,0:32:25.22,Default,,0000,0000,0000,,this one here
Dialogue: 0,0:32:25.22,0:32:32.20,Default,,0000,0000,0000,,and let's just presume that this is showing the standard ATM screen here
Dialogue: 0,0:32:32.20,0:32:34.82,Default,,0000,0000,0000,,so "Enter your PIN" and stuff like that, okay
Dialogue: 0,0:32:34.82,0:32:36.78,Default,,0000,0000,0000,,so what we're gonna do now is
Dialogue: 0,0:32:36.78,0:32:40.70,Default,,0000,0000,0000,,we're gonna enter the 12 digit secret code that we saw on the first slide
Dialogue: 0,0:32:40.70,0:32:44.47,Default,,0000,0000,0000,,you remember that, right?
Dialogue: 0,0:32:48.31,0:32:52.34,Default,,0000,0000,0000,,and if you do that, you're presented with this menu here
Dialogue: 0,0:32:58.65,0:33:01.50,Default,,0000,0000,0000,,do you wanna talk about those values? how that's calculated?
Dialogue: 0,0:33:01.50,0:33:02.90,Default,,0000,0000,0000,,sb: yeah probably
Dialogue: 0,0:33:02.90,0:33:08.10,Default,,0000,0000,0000,,so the only thing which is hard coded are the three lines at the bottom here
Dialogue: 0,0:33:08.10,0:33:16.26,Default,,0000,0000,0000,,and all of the rest is just generated with the actual amounts they find on this ATM
Dialogue: 0,0:33:16.26,0:33:20.54,Default,,0000,0000,0000,,so the ATMs, they have a lot of log files which they create
Dialogue: 0,0:33:20.54,0:33:23.98,Default,,0000,0000,0000,,and they're just saved on the hard drive
Dialogue: 0,0:33:23.98,0:33:25.66,Default,,0000,0000,0000,,and within those files
Dialogue: 0,0:33:25.66,0:33:31.18,Default,,0000,0000,0000,,every payment transaction is noted
Dialogue: 0,0:33:31.18,0:33:34.26,Default,,0000,0000,0000,,what the malware does is
Dialogue: 0,0:33:34.26,0:33:36.74,Default,,0000,0000,0000,,it requests the newest of those files
Dialogue: 0,0:33:36.74,0:33:41.70,Default,,0000,0000,0000,,and just pulls the values into that screen
Dialogue: 0,0:33:41.70,0:33:48.14,Default,,0000,0000,0000,,and so the attacker is presented with the actual value of the amount of money
Dialogue: 0,0:33:48.14,0:33:52.66,Default,,0000,0000,0000,,and there he can just choose which one he wants to cash out
Dialogue: 0,0:33:52.66,0:33:57.70,Default,,0000,0000,0000,,so just the 100 bills, or all of them
Dialogue: 0,0:33:57.70,0:33:59.70,Default,,0000,0000,0000,,this is quite interesting
Dialogue: 0,0:33:59.70,0:34:05.74,Default,,0000,0000,0000,,we took this screen from an ATM which was already attacked
Dialogue: 0,0:34:05.74,0:34:14.22,Default,,0000,0000,0000,,there you can see that especially, or only the $100 cash cassette was cashed out
Dialogue: 0,0:34:14.22,0:34:24.50,Default,,0000,0000,0000,,because, you know how long it takes if you're just cashing out 100 or 200 Dollars or Euros
Dialogue: 0,0:34:24.50,0:34:30.66,Default,,0000,0000,0000,,and if you can imagine if you have a whole cassette full of money
Dialogue: 0,0:34:30.66,0:34:33.42,Default,,0000,0000,0000,,that takes a lot of time
Dialogue: 0,0:34:33.42,0:34:43.42,Default,,0000,0000,0000,,so this is why they most likely just cashed out this cassette with the most valuable input
Dialogue: 0,0:34:43.42,0:34:48.50,Default,,0000,0000,0000,,tw: so what I can do now is
Dialogue: 0,0:34:48.50,0:34:51.34,Default,,0000,0000,0000,,I can either press "0" and then I leave that again
Dialogue: 0,0:34:51.34,0:34:55.30,Default,,0000,0000,0000,,and, you know, the ATM shows its standard screen again
Dialogue: 0,0:34:55.30,0:34:57.30,Default,,0000,0000,0000,,or I press "1"
Dialogue: 0,0:34:57.30,0:35:01.38,Default,,0000,0000,0000,,I'm gonna do that now, just to show you what's happening
Dialogue: 0,0:35:01.38,0:35:05.42,Default,,0000,0000,0000,,and now it's challenging me with this code here
Dialogue: 0,0:35:05.42,0:35:09.26,Default,,0000,0000,0000,,and I have to enter the response
Dialogue: 0,0:35:09.26,0:35:12.66,Default,,0000,0000,0000,,and yeah, I mean, it's a 6 digit number
Dialogue: 0,0:35:12.66,0:35:14.26,Default,,0000,0000,0000,,the problem is
Dialogue: 0,0:35:14.26,0:35:17.70,Default,,0000,0000,0000,,because we're not running on a real ATM, we cannot simulate this here
Dialogue: 0,0:35:17.70,0:35:20.10,Default,,0000,0000,0000,,so I mean, I can enter a number here
Dialogue: 0,0:35:20.10,0:35:24.90,Default,,0000,0000,0000,,but even if it would be the right one and it would accept this
Dialogue: 0,0:35:24.90,0:35:29.62,Default,,0000,0000,0000,,we wouldn't be able to go any further, because some pieces are missing here
Dialogue: 0,0:35:29.62,0:35:33.58,Default,,0000,0000,0000,,unfortunately... let me restart this
Dialogue: 0,0:35:45.14,0:35:46.98,Default,,0000,0000,0000,,there we go again
Dialogue: 0,0:35:49.79,0:35:52.42,Default,,0000,0000,0000,,usually what happens is
Dialogue: 0,0:35:52.42,0:35:54.10,Default,,0000,0000,0000,,you press "1"
Dialogue: 0,0:35:54.10,0:35:57.20,Default,,0000,0000,0000,,you get the challenge code
Dialogue: 0,0:35:57.20,0:35:59.42,Default,,0000,0000,0000,,you call your HQ
Dialogue: 0,0:35:59.42,0:36:00.76,Default,,0000,0000,0000,,you get the response code
Dialogue: 0,0:36:00.76,0:36:02.18,Default,,0000,0000,0000,,you enter your response code
Dialogue: 0,0:36:02.18,0:36:05.74,Default,,0000,0000,0000,,and then you have access to this second level menu, so to speak
Dialogue: 0,0:36:05.74,0:36:08.86,Default,,0000,0000,0000,,that allows you to actually cash out
Dialogue: 0,0:36:08.86,0:36:12.90,Default,,0000,0000,0000,,well, as I said, we cannot really do that here
Dialogue: 0,0:36:12.90,0:36:17.20,Default,,0000,0000,0000,,so we have to simulate the fact that we're authenticated
Dialogue: 0,0:36:17.20,0:36:20.34,Default,,0000,0000,0000,,we entered the right response code
Dialogue: 0,0:36:20.34,0:36:24.11,Default,,0000,0000,0000,,for that we patched a little bit in this DLL
Dialogue: 0,0:36:24.11,0:36:27.07,Default,,0000,0000,0000,,unfortunately we have to wait for three minutes now
Dialogue: 0,0:36:27.07,0:36:29.10,Default,,0000,0000,0000,,because there is a timeout
Dialogue: 0,0:36:29.10,0:36:33.54,Default,,0000,0000,0000,,they implemented a timeout as a measure to not leave this screen open
Dialogue: 0,0:36:33.54,0:36:35.60,Default,,0000,0000,0000,,when, you know, something happens
Dialogue: 0,0:36:35.60,0:36:37.62,Default,,0000,0000,0000,,the guy has to run off or something
Dialogue: 0,0:36:37.62,0:36:39.62,Default,,0000,0000,0000,,because the police are coming or something
Dialogue: 0,0:36:39.62,0:36:41.38,Default,,0000,0000,0000,,and then you don't want to leave this on the screen
Dialogue: 0,0:36:41.38,0:36:44.94,Default,,0000,0000,0000,,so they implemented a timer that fires after three minutes
Dialogue: 0,0:36:44.94,0:36:48.20,Default,,0000,0000,0000,,and then after three minutes this window is closed
Dialogue: 0,0:36:48.20,0:36:53.58,Default,,0000,0000,0000,,we patched this timer, so that after three minutes the second layer menu is opened instead
Dialogue: 0,0:36:53.58,0:36:57.90,Default,,0000,0000,0000,,we have to talk a little bit more, until that happens now
Dialogue: 0,0:36:57.90,0:37:01.54,Default,,0000,0000,0000,,sb: probably about the version number
Dialogue: 0,0:37:01.54,0:37:05.50,Default,,0000,0000,0000,,cause there you can see, they named their software
Dialogue: 0,0:37:05.50,0:37:10.78,Default,,0000,0000,0000,,typical software style of course
Dialogue: 0,0:37:10.78,0:37:13.26,Default,,0000,0000,0000,,with a four digit version number
Dialogue: 0,0:37:13.26,0:37:15.42,Default,,0000,0000,0000,,so they have really a development cycle
Dialogue: 0,0:37:15.42,0:37:17.20,Default,,0000,0000,0000,,for this malware
Dialogue: 0,0:37:17.20,0:37:23.30,Default,,0000,0000,0000,,and they really are improving that with nearly every attack they are doing
Dialogue: 0,0:37:23.30,0:37:27.30,Default,,0000,0000,0000,,they collect all facts they have, they improve anti-forensics
Dialogue: 0,0:37:27.30,0:37:31.50,Default,,0000,0000,0000,,and build in a little more functionality
Dialogue: 0,0:37:31.50,0:37:36.78,Default,,0000,0000,0000,,you can really track these changes they made
Dialogue: 0,0:37:36.78,0:37:39.82,Default,,0000,0000,0000,,this development improves
Dialogue: 0,0:37:42.84,0:37:48.78,Default,,0000,0000,0000,,tw: another thing we can tell you meanwhile is that this challenge code is generated from two things
Dialogue: 0,0:37:48.78,0:37:51.78,Default,,0000,0000,0000,,again, we don't know how it's generated, we don't know the algorithm
Dialogue: 0,0:37:51.78,0:37:53.62,Default,,0000,0000,0000,,but we do know the input
Dialogue: 0,0:37:53.62,0:37:56.90,Default,,0000,0000,0000,,and the two things that are the input to this algorithm
Dialogue: 0,0:37:56.90,0:38:01.62,Default,,0000,0000,0000,,are an ID that's unique to the ATM
Dialogue: 0,0:38:01.62,0:38:04.60,Default,,0000,0000,0000,,or the station, whatever you wanna call it
Dialogue: 0,0:38:04.60,0:38:05.66,Default,,0000,0000,0000,,and a random value
Dialogue: 0,0:38:05.66,0:38:07.30,Default,,0000,0000,0000,,so there's some randomness in there
Dialogue: 0,0:38:07.30,0:38:11.86,Default,,0000,0000,0000,,by this you make sure that even if the same random value is chosen
Dialogue: 0,0:38:11.86,0:38:14.38,Default,,0000,0000,0000,,the codes are different for two different ATMs
Dialogue: 0,0:38:14.38,0:38:18.46,Default,,0000,0000,0000,,so the guy has to in fact call you and ask for the code
Dialogue: 0,0:38:18.46,0:38:23.58,Default,,0000,0000,0000,,he cannot, you know, just by accident enter the right thing and take the money for himself
Dialogue: 0,0:38:23.58,0:38:30.52,Default,,0000,0000,0000,,alright, now would be a good time for the timer to fire
Dialogue: 0,0:38:33.49,0:38:34.94,Default,,0000,0000,0000,,let's see
Dialogue: 0,0:38:34.94,0:38:37.60,Default,,0000,0000,0000,,okay, I have another story
Dialogue: 0,0:38:37.60,0:38:40.14,Default,,0000,0000,0000,,the dropper executable
Dialogue: 0,0:38:40.14,0:38:45.90,Default,,0000,0000,0000,,when something goes wrong, they calculate an error message, an error code
Dialogue: 0,0:38:45.90,0:38:46.98,Default,,0000,0000,0000,,oh, there we go
Dialogue: 0,0:38:46.98,0:38:50.26,Default,,0000,0000,0000,,and this error code is derived from the value 1337
Dialogue: 0,0:38:50.26,0:38:52.82,Default,,0000,0000,0000,,so apparently they think they are leet
Dialogue: 0,0:38:52.82,0:38:57.98,Default,,0000,0000,0000,,which didn't really stop us from reverse engineering their software
Dialogue: 0,0:39:04.20,0:39:08.26,Default,,0000,0000,0000,,this screen is like what we showed on the second slide
Dialogue: 0,0:39:08.26,0:39:12.22,Default,,0000,0000,0000,,which basically says "this terminal is out of order, go to the next one"
Dialogue: 0,0:39:12.22,0:39:14.30,Default,,0000,0000,0000,,and when you see this
Dialogue: 0,0:39:14.30,0:39:15.86,Default,,0000,0000,0000,,I mean, two purposes:
Dialogue: 0,0:39:15.86,0:39:22.54,Default,,0000,0000,0000,,one: others who want to dispense money from the ATM, if they see this, they would not touch it
Dialogue: 0,0:39:22.54,0:39:24.60,Default,,0000,0000,0000,,and go to another one
Dialogue: 0,0:39:24.60,0:39:27.82,Default,,0000,0000,0000,,but this also tells you that now you can enter another code
Dialogue: 0,0:39:27.82,0:39:32.66,Default,,0000,0000,0000,,which turns out to be the same 12 digit sequence that we already know
Dialogue: 0,0:39:32.66,0:39:34.98,Default,,0000,0000,0000,,to enter the second hidden menu
Dialogue: 0,0:39:34.98,0:39:41.46,Default,,0000,0000,0000,,and there we go
Dialogue: 0,0:39:41.46,0:39:45.18,Default,,0000,0000,0000,,this is now the real menu that you can use to control the ATM
Dialogue: 0,0:39:45.18,0:39:49.66,Default,,0000,0000,0000,,again, you see the first four lines show you how much money for the different bills
Dialogue: 0,0:39:49.66,0:39:51.82,Default,,0000,0000,0000,,or different notes is in there
Dialogue: 0,0:39:51.82,0:39:53.98,Default,,0000,0000,0000,,but now you can actually, you know, cash out
Dialogue: 0,0:39:53.98,0:39:55.90,Default,,0000,0000,0000,,you can dispense that money from the machine
Dialogue: 0,0:39:55.90,0:40:07.90,Default,,0000,0000,0000,,so for example if I press "1", hopefully I can get the 300 R-Dollars
Dialogue: 0,0:40:07.90,0:40:11.86,Default,,0000,0000,0000,,or if I press "4", I can get the 50s
Dialogue: 0,0:40:11.86,0:40:18.30,Default,,0000,0000,0000,,so let me do that now and you can pay attention to the purple line at the bottom
Dialogue: 0,0:40:18.30,0:40:20.70,Default,,0000,0000,0000,,so I press "4" now
Dialogue: 0,0:40:20.70,0:40:24.74,Default,,0000,0000,0000,,and it said "wait" or "waiting" or something like that
Dialogue: 0,0:40:24.74,0:40:27.14,Default,,0000,0000,0000,,and now it says "command has failed"
Dialogue: 0,0:40:27.14,0:40:30.46,Default,,0000,0000,0000,,which is too bad because I wanted money, but my VM...
Dialogue: 0,0:40:30.46,0:40:32.22,Default,,0000,0000,0000,,the emulation is not that good
Dialogue: 0,0:40:32.22,0:40:36.60,Default,,0000,0000,0000,,sb: still didn't manage to really cash out some money from that machine here
Dialogue: 0,0:40:36.60,0:40:38.10,Default,,0000,0000,0000,,tw: that would be nice
Dialogue: 0,0:40:38.10,0:40:40.20,Default,,0000,0000,0000,,so I could now try to cash out 1, 2, 3, 4
Dialogue: 0,0:40:40.20,0:40:41.90,Default,,0000,0000,0000,,and I always get this failure message
Dialogue: 0,0:40:41.90,0:40:47.50,Default,,0000,0000,0000,,but this is where the malware actually interacts with the cash client
Dialogue: 0,0:40:47.50,0:40:54.82,Default,,0000,0000,0000,,it loads, or resolves the libraries that belong to this cash client and then calls the API functions
Dialogue: 0,0:40:54.82,0:40:58.22,Default,,0000,0000,0000,,to trigger the dispense functionality
Dialogue: 0,0:40:58.22,0:41:02.34,Default,,0000,0000,0000,,but the other options at the bottom of the screen are also interesting
Dialogue: 0,0:41:02.34,0:41:04.54,Default,,0000,0000,0000,,let me show you "7" and "8" first
Dialogue: 0,0:41:04.54,0:41:07.42,Default,,0000,0000,0000,,and that's why I have this little window open here
Dialogue: 0,0:41:07.42,0:41:08.46,Default,,0000,0000,0000,,I hope you can see that
Dialogue: 0,0:41:08.46,0:41:10.70,Default,,0000,0000,0000,,so this is my network connection
Dialogue: 0,0:41:10.70,0:41:13.14,Default,,0000,0000,0000,,the network devices that are installed
Dialogue: 0,0:41:13.14,0:41:19.60,Default,,0000,0000,0000,,and as she said, every ATM has a persistent network connection to the bank
Dialogue: 0,0:41:19.60,0:41:22.30,Default,,0000,0000,0000,,so they can control what's going on and monitor and so on
Dialogue: 0,0:41:22.30,0:41:27.98,Default,,0000,0000,0000,,so probably before you wanna cash out, you wanna disable the network entirely
Dialogue: 0,0:41:27.98,0:41:30.20,Default,,0000,0000,0000,,and they can use "7" and "8" to do that
Dialogue: 0,0:41:30.20,0:41:37.30,Default,,0000,0000,0000,,so let me press "7", you take a look at that window on the right hand side
Dialogue: 0,0:41:37.30,0:41:39.66,Default,,0000,0000,0000,,you can see, the adapters are disabled now
Dialogue: 0,0:41:39.66,0:41:42.54,Default,,0000,0000,0000,,and now I'm going to press "8" again
Dialogue: 0,0:41:42.54,0:41:43.90,Default,,0000,0000,0000,,and now they're enabled again
Dialogue: 0,0:41:43.90,0:41:45.86,Default,,0000,0000,0000,,that's convenient, right
Dialogue: 0,0:41:45.86,0:41:49.82,Default,,0000,0000,0000,,so you can disable and enable the network adapters entirely
Dialogue: 0,0:41:49.82,0:41:54.38,Default,,0000,0000,0000,,if you press "6" you're going back to this mode
Dialogue: 0,0:41:57.70,0:42:01.90,Default,,0000,0000,0000,,and finally you can also format the system
Dialogue: 0,0:42:04.18,0:42:07.34,Default,,0000,0000,0000,,I mean obviously because you wanna remove all the traces
Dialogue: 0,0:42:07.34,0:42:11.78,Default,,0000,0000,0000,,so if I press "5", you see that little screen that we already know
Dialogue: 0,0:42:11.78,0:42:14.86,Default,,0000,0000,0000,,from the slide
Dialogue: 0,0:42:14.86,0:42:16.62,Default,,0000,0000,0000,,they're somewhat cautious here
Dialogue: 0,0:42:16.62,0:42:19.50,Default,,0000,0000,0000,,again, if you do that, you can either press "0"
Dialogue: 0,0:42:19.50,0:42:21.78,Default,,0000,0000,0000,,then you get back to the previous menu
Dialogue: 0,0:42:21.78,0:42:25.70,Default,,0000,0000,0000,,or you can press "9" and confirm that you actually wanna format the system
Dialogue: 0,0:42:25.70,0:42:27.34,Default,,0000,0000,0000,,and doing that now
Dialogue: 0,0:42:27.34,0:42:32.66,Default,,0000,0000,0000,,and again it presents you
with a challenge and you have to enter a 6 digit response code Dialogue: 0,0:42:32.66,0:42:38.34,Default,,0000,0000,0000,,the algorighm that's used to calculate this here is different from the previous one Dialogue: 0,0:42:38.34,0:42:41.62,Default,,0000,0000,0000,,and I mean we figured it out somewhat Dialogue: 0,0:42:41.62,0:42:46.50,Default,,0000,0000,0000,,but the funny thing is, that it doesn't actually format the system Dialogue: 0,0:42:46.50,0:42:49.46,Default,,0000,0000,0000,,it just uninstalles the malware Dialogue: 0,0:42:49.46,0:42:53.86,Default,,0000,0000,0000,,I don't know what the right answer to this is now Dialogue: 0,0:42:53.86,0:42:56.98,Default,,0000,0000,0000,,if you enter the wrong one, it keeps asking Dialogue: 0,0:42:56.98,0:43:00.82,Default,,0000,0000,0000,,and interestingly you cannot get out of this state anymore Dialogue: 0,0:43:00.82,0:43:04.58,Default,,0000,0000,0000,,so if you don't know the right answer, you're trapped in this Dialogue: 0,0:43:04.58,0:43:08.82,Default,,0000,0000,0000,,and after three minutes the "out of order" thing is displayed again Dialogue: 0,0:43:08.82,0:43:13.20,Default,,0000,0000,0000,,but if you enter the sectet code, you don't have access to the main menu again Dialogue: 0,0:43:13.20,0:43:15.46,Default,,0000,0000,0000,,you will always end up in this screen Dialogue: 0,0:43:15.46,0:43:22.94,Default,,0000,0000,0000,,so unless you enter the right code here, well, you locked yourself out Dialogue: 0,0:43:26.88,0:43:27.60,Default,,0000,0000,0000,,alright Dialogue: 0,0:43:27.60,0:43:34.22,Default,,0000,0000,0000,,we wanna conclude with some speculation about the people behind this maybe Dialogue: 0,0:43:34.22,0:43:36.66,Default,,0000,0000,0000,,we obviously don't really know who it is Dialogue: 0,0:43:36.66,0:43:39.74,Default,,0000,0000,0000,,but, you know, there are some interesting facts Dialogue: 0,0:43:39.74,0:43:46.20,Default,,0000,0000,0000,,and after that we'll open it up for questions and, you know, a little 
Q&A Dialogue: 0,0:43:46.20,0:43:48.94,Default,,0000,0000,0000,,sb: what we really can tell for sure Dialogue: 0,0:43:48.94,0:43:51.26,Default,,0000,0000,0000,,that they want to make serious money with that Dialogue: 0,0:43:51.26,0:43:54.34,Default,,0000,0000,0000,,they put a lot of effort in implementing and investigating Dialogue: 0,0:43:54.34,0:43:57.18,Default,,0000,0000,0000,,in coding actually Dialogue: 0,0:43:57.18,0:44:04.42,Default,,0000,0000,0000,,they build up quite a big team to do that and they have apparently different roles Dialogue: 0,0:44:04.42,0:44:06.46,Default,,0000,0000,0000,,that are strictly assigned Dialogue: 0,0:44:06.46,0:44:11.42,Default,,0000,0000,0000,,so every role has his part and is able to do his part Dialogue: 0,0:44:11.42,0:44:13.66,Default,,0000,0000,0000,,so it's quite separated Dialogue: 0,0:44:13.66,0:44:18.86,Default,,0000,0000,0000,,for sure they have to have profound knowledge about the ATMs Dialogue: 0,0:44:18.86,0:44:21.62,Default,,0000,0000,0000,,so most likely they really had one Dialogue: 0,0:44:21.62,0:44:28.62,Default,,0000,0000,0000,,to test all these features and to really check whether the coding is correct Dialogue: 0,0:44:28.62,0:44:30.38,Default,,0000,0000,0000,,whether they get any error messages Dialogue: 0,0:44:30.38,0:44:32.10,Default,,0000,0000,0000,,something like that Dialogue: 0,0:44:32.10,0:44:39.30,Default,,0000,0000,0000,,so either they probably robbed one and reverse engineered the original cash client Dialogue: 0,0:44:39.30,0:44:41.18,Default,,0000,0000,0000,,to derive the malware from it Dialogue: 0,0:44:41.18,0:44:45.42,Default,,0000,0000,0000,,or they most likely had someone in the inside Dialogue: 0,0:44:45.42,0:44:48.22,Default,,0000,0000,0000,,which was just to... 
Dialogue: 0,0:44:48.22,0:44:50.46,Default,,0000,0000,0000,,which had to develop the original cash client Dialogue: 0,0:44:50.46,0:44:54.46,Default,,0000,0000,0000,,and therefore really knows exactly how this works Dialogue: 0,0:44:54.46,0:45:00.38,Default,,0000,0000,0000,,how it's possible just to trigger a cash out Dialogue: 0,0:45:00.38,0:45:04.50,Default,,0000,0000,0000,,without entering a valid card, the PIN code Dialogue: 0,0:45:04.50,0:45:10.60,Default,,0000,0000,0000,,circumvent all the security measures that are implemented here Dialogue: 0,0:45:10.60,0:45:15.70,Default,,0000,0000,0000,,they have quite good development skills Dialogue: 0,0:45:15.70,0:45:19.50,Default,,0000,0000,0000,,so the code is quite sorted Dialogue: 0,0:45:19.50,0:45:23.34,Default,,0000,0000,0000,,you see the development cycles Dialogue: 0,0:45:23.34,0:45:36.82,Default,,0000,0000,0000,,they implement new features just like the AppInit DLL key stuff and so on Dialogue: 0,0:45:36.82,0:45:46.86,Default,,0000,0000,0000,,at least they are capable of protecting the code against people like him Dialogue: 0,0:45:46.86,0:45:49.90,Default,,0000,0000,0000,,they're just trying to reverse engineer malware Dialogue: 0,0:45:49.90,0:45:53.60,Default,,0000,0000,0000,,and they really try to cover their tracks for forensic investigations Dialogue: 0,0:45:53.60,0:45:58.82,Default,,0000,0000,0000,,so they made it really hard to get the pieces together Dialogue: 0,0:45:58.82,0:46:06.58,Default,,0000,0000,0000,,to just have a full image of how that finally works together Dialogue: 0,0:46:06.58,0:46:07.98,Default,,0000,0000,0000,,tw: alright Dialogue: 0,0:46:07.98,0:46:11.54,Default,,0000,0000,0000,,that was almost the last slide Dialogue: 0,0:46:11.54,0:46:13.58,Default,,0000,0000,0000,,you guys remember the 12 digits Dialogue: 0,0:46:13.58,0:46:15.22,Default,,0000,0000,0000,,from the first slide Dialogue: 0,0:46:15.22,0:46:18.30,Default,,0000,0000,0000,,so next time, before you dispense the money from an 
ATM, enter the 12 digits first Dialogue: 0,0:46:18.30,0:46:20.74,Default,,0000,0000,0000,,to make sure that it's not hacked Dialogue: 0,0:46:20.74,0:46:22.82,Default,,0000,0000,0000,,right, and if it is hacked Dialogue: 0,0:46:22.82,0:46:29.60,Default,,0000,0000,0000,,then you enter this here Dialogue: 0,0:46:29.60,0:46:31.14,Default,,0000,0000,0000,,because that uninstalls the malware Dialogue: 0,0:46:31.14,0:46:41.07,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:46:48.54,0:46:54.42,Default,,0000,0000,0000,,well then we do a short Q&A, if it's okay for you Dialogue: 0,0:46:54.42,0:46:57.18,Default,,0000,0000,0000,,please, everybody that has a question Dialogue: 0,0:46:57.18,0:47:00.98,Default,,0000,0000,0000,,please line up on the microphones Dialogue: 0,0:47:00.98,0:47:04.22,Default,,0000,0000,0000,,signed with the numbers Dialogue: 0,0:47:04.22,0:47:20.54,Default,,0000,0000,0000,,and then we will do a short Q&A from approximately 8 to 10 minutes Dialogue: 0,0:47:20.54,0:47:22.86,Default,,0000,0000,0000,,alright, let's start with you Dialogue: 0,0:47:22.86,0:47:25.10,Default,,0000,0000,0000,,hi, I have two questions Dialogue: 0,0:47:25.10,0:47:30.62,Default,,0000,0000,0000,,the first question is whether they were gathering PIN codes and no strips Dialogue: 0,0:47:30.62,0:47:32.66,Default,,0000,0000,0000,,to be able to use them later on Dialogue: 0,0:47:32.66,0:47:37.70,Default,,0000,0000,0000,,and the second question is whether the ATM is connected to the Internet through the network connection Dialogue: 0,0:47:37.70,0:47:40.60,Default,,0000,0000,0000,,I didn't get all of that Dialogue: 0,0:47:40.60,0:47:42.38,Default,,0000,0000,0000,,can the others be a little quiet Dialogue: 0,0:47:42.38,0:47:45.18,Default,,0000,0000,0000,,so we have the chance to understand the questions Dialogue: 0,0:47:45.18,0:47:46.90,Default,,0000,0000,0000,,sorry, can you please repeat? 
Dialogue: 0,0:47:46.90,0:47:52.54,Default,,0000,0000,0000,,so my first question is whether the PIN codes and this magnetic strip Dialogue: 0,0:47:52.54,0:47:57.66,Default,,0000,0000,0000,,or any other information linked to the credit card number is gathered by this malware Dialogue: 0,0:47:57.66,0:48:02.98,Default,,0000,0000,0000,,and the second question is wether net network connection gives Internet access to the ATM Dialogue: 0,0:48:02.98,0:48:06.98,Default,,0000,0000,0000,,let me answer the first one, and for the second one, I'll refer to her Dialogue: 0,0:48:06.98,0:48:13.46,Default,,0000,0000,0000,,so this one could gather information like credit card stuff and so on Dialogue: 0,0:48:13.46,0:48:14.66,Default,,0000,0000,0000,,but it doesn't Dialogue: 0,0:48:14.66,0:48:16.20,Default,,0000,0000,0000,,not this one Dialogue: 0,0:48:16.20,0:48:17.98,Default,,0000,0000,0000,,I didn't get the second question Dialogue: 0,0:48:17.98,0:48:23.14,Default,,0000,0000,0000,,second question was: can you access the ATMs over the Internet? is there internet connection? 
Dialogue: 0,0:48:23.14,0:48:27.58,Default,,0000,0000,0000,,no, actually they do not have an Internet connection Dialogue: 0,0:48:27.58,0:48:30.94,Default,,0000,0000,0000,,but it is possible to build, so far Dialogue: 0,0:48:30.94,0:48:35.22,Default,,0000,0000,0000,,we did that in a test, where we tested an ATM Dialogue: 0,0:48:35.22,0:48:40.30,Default,,0000,0000,0000,,you can use this USB connection where they plugged in the bootable device Dialogue: 0,0:48:40.30,0:48:45.90,Default,,0000,0000,0000,,and just put an UTMS stick there and then you have an Internet connection Dialogue: 0,0:48:45.90,0:48:48.35,Default,,0000,0000,0000,,but by default there is none Dialogue: 0,0:48:48.35,0:48:51.00,Default,,0000,0000,0000,,but we did that, yeah Dialogue: 0,0:48:51.00,0:48:55.70,Default,,0000,0000,0000,,okay, then let's take number 1 Dialogue: 0,0:48:55.70,0:48:58.46,Default,,0000,0000,0000,,thank you for your talk Dialogue: 0,0:48:58.46,0:48:59.90,Default,,0000,0000,0000,,I have two short questions Dialogue: 0,0:48:59.90,0:49:03.20,Default,,0000,0000,0000,,what was the time span between the infection and the cash out? Dialogue: 0,0:49:03.20,0:49:08.60,Default,,0000,0000,0000,,and did the attackers try to intercept card data? Dialogue: 0,0:49:09.30,0:49:11.26,Default,,0000,0000,0000,,so, the second question is the same as the previous one Dialogue: 0,0:49:11.26,0:49:14.18,Default,,0000,0000,0000,,they don't intercept any card data Dialogue: 0,0:49:14.18,0:49:16.82,Default,,0000,0000,0000,,they don't gather like credit card information and stuff like that Dialogue: 0,0:49:16.82,0:49:22.26,Default,,0000,0000,0000,,they only like jackpot - as Barnaby Jack called it - the ATMs Dialogue: 0,0:49:22.26,0:49:24.58,Default,,0000,0000,0000,,they only dispense money from the ATM Dialogue: 0,0:49:24.58,0:49:27.62,Default,,0000,0000,0000,,for the first question, what was the first question again? 
Dialogue: 0,0:49:27.62,0:49:30.82,Default,,0000,0000,0000,,what was the time span between the infection and the cash out? Dialogue: 0,0:49:30.82,0:49:34.58,Default,,0000,0000,0000,,how much time is between the infection and the actual cash out Dialogue: 0,0:49:34.58,0:49:40.14,Default,,0000,0000,0000,,we discovered that were only two to three days Dialogue: 0,0:49:40.14,0:49:47.18,Default,,0000,0000,0000,,so they could have any time between that, but they really try to make it short Dialogue: 0,0:49:47.18,0:49:51.78,Default,,0000,0000,0000,,and of course they waited for the right time, so right after the recharging Dialogue: 0,0:49:51.78,0:49:56.54,Default,,0000,0000,0000,,because thats the point of the most money Dialogue: 0,0:49:56.54,0:49:59.14,Default,,0000,0000,0000,,okay, then number 3 please Dialogue: 0,0:49:59.14,0:50:01.60,Default,,0000,0000,0000,,hi, thank you for your talk Dialogue: 0,0:50:01.60,0:50:04.18,Default,,0000,0000,0000,,question about banking security Dialogue: 0,0:50:04.18,0:50:08.86,Default,,0000,0000,0000,,this beeing Windows XP, I missed the part of code signing Dialogue: 0,0:50:08.86,0:50:12.26,Default,,0000,0000,0000,,and verified publishers and such Dialogue: 0,0:50:12.26,0:50:17.07,Default,,0000,0000,0000,,do banks employ these security measures or not? 
Dialogue: 0,0:50:17.90,0:50:19.86,Default,,0000,0000,0000,,they do have security measures Dialogue: 0,0:50:19.86,0:50:25.47,Default,,0000,0000,0000,,but they're only implemented when the XP is running Dialogue: 0,0:50:25.47,0:50:28.89,Default,,0000,0000,0000,,so they have whitelisting for applications Dialogue: 0,0:50:28.89,0:50:31.11,Default,,0000,0000,0000,,they have monitoring for the process Dialogue: 0,0:50:31.11,0:50:33.30,Default,,0000,0000,0000,,and they have an anti-virus Dialogue: 0,0:50:33.30,0:50:34.54,Default,,0000,0000,0000,,and of course something like that Dialogue: 0,0:50:34.54,0:50:37.87,Default,,0000,0000,0000,,but in essence everyone can dump their own software on it and run it Dialogue: 0,0:50:37.87,0:50:43.22,Default,,0000,0000,0000,,there is no whitelist for signatures or publishers, right? Dialogue: 0,0:50:43.22,0:50:44.58,Default,,0000,0000,0000,,there is a whitelist Dialogue: 0,0:50:44.58,0:50:49.94,Default,,0000,0000,0000,,actually there is, but that was the point why they did that Dialogue: 0,0:50:49.94,0:50:52.50,Default,,0000,0000,0000,,via bootable USB stick Dialogue: 0,0:50:52.50,0:50:58.60,Default,,0000,0000,0000,,because they wrote this DLL just within the system folder Dialogue: 0,0:50:58.60,0:51:02.14,Default,,0000,0000,0000,,and they have a whitelist for applications, but not for the DLLs Dialogue: 0,0:51:02.14,0:51:05.10,Default,,0000,0000,0000,,which these applications are using Dialogue: 0,0:51:05.10,0:51:10.82,Default,,0000,0000,0000,,I mean, it goes without saying that you can take measures to make the ATMs more secure Dialogue: 0,0:51:10.82,0:51:12.66,Default,,0000,0000,0000,,because this is kind of a trivial attack Dialogue: 0,0:51:12.66,0:51:14.70,Default,,0000,0000,0000,,and as you said, everybody could do that Dialogue: 0,0:51:14.70,0:51:16.82,Default,,0000,0000,0000,,and that's kind of the reason why we're giving this talk Dialogue: 0,0:51:16.82,0:51:21.35,Default,,0000,0000,0000,,it's no use in keeping vulnerabilites 
secret Dialogue: 0,0:51:21.35,0:51:24.22,Default,,0000,0000,0000,,they should be like talked about openly Dialogue: 0,0:51:24.22,0:51:27.26,Default,,0000,0000,0000,,and then people can go and fix their problems, right Dialogue: 0,0:51:27.26,0:51:28.30,Default,,0000,0000,0000,,thank you Dialogue: 0,0:51:30.09,0:51:36.22,Default,,0000,0000,0000,,do we have a question from IRC or the community out there? Dialogue: 0,0:51:37.01,0:51:39.66,Default,,0000,0000,0000,,yes there was one question coming from IRC Dialogue: 0,0:51:39.66,0:51:46.20,Default,,0000,0000,0000,,which was: how to get on the USB printer port to reverse that machine? Dialogue: 0,0:51:48.10,0:51:50.20,Default,,0000,0000,0000,,can you repeat the question please? Dialogue: 0,0:51:50.20,0:51:54.54,Default,,0000,0000,0000,,how to get on the USB port or printer port to reverse that machine? Dialogue: 0,0:51:57.70,0:52:01.82,Default,,0000,0000,0000,,this was just via cutting a hole into the chassis Dialogue: 0,0:52:01.82,0:52:03.62,Default,,0000,0000,0000,,so this is just a... 
Dialogue: 0,0:52:03.62,0:52:05.70,Default,,0000,0000,0000,,this is no metal, this is not a safe Dialogue: 0,0:52:05.70,0:52:08.18,Default,,0000,0000,0000,,so this is just a plastic Dialogue: 0,0:52:08.18,0:52:10.20,Default,,0000,0000,0000,,and there you can just cut a hole in it Dialogue: 0,0:52:10.20,0:52:13.58,Default,,0000,0000,0000,,and then you can actually access the USB port Dialogue: 0,0:52:13.58,0:52:18.30,Default,,0000,0000,0000,,I mean, they physically damaged the ATM to be able to access the USB port Dialogue: 0,0:52:18.30,0:52:21.86,Default,,0000,0000,0000,,and then they had to cut the network connection Dialogue: 0,0:52:21.86,0:52:23.66,Default,,0000,0000,0000,,and that triggered a reboot Dialogue: 0,0:52:23.66,0:52:25.98,Default,,0000,0000,0000,,so it's really a trivial attack Dialogue: 0,0:52:25.98,0:52:27.30,Default,,0000,0000,0000,,not that hard Dialogue: 0,0:52:28.88,0:52:30.26,Default,,0000,0000,0000,,okay number 4 please Dialogue: 0,0:52:30.88,0:52:32.34,Default,,0000,0000,0000,,yes Dialogue: 0,0:52:32.34,0:52:33.90,Default,,0000,0000,0000,,two part question Dialogue: 0,0:52:33.90,0:52:38.86,Default,,0000,0000,0000,,you would think that banking and money would be a high priority thing to secure Dialogue: 0,0:52:38.86,0:52:41.26,Default,,0000,0000,0000,,why are they using Windows XP? Dialogue: 0,0:52:41.26,0:52:43.18,Default,,0000,0000,0000,,and the second one is Dialogue: 0,0:52:43.18,0:52:46.66,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:52:46.66,0:52:48.30,Default,,0000,0000,0000,,second one is Dialogue: 0,0:52:48.30,0:52:51.86,Default,,0000,0000,0000,,if there was a time-frame of I think it was three days between the two attacks Dialogue: 0,0:52:51.86,0:52:55.20,Default,,0000,0000,0000,,why don't they realize, there is hole cut into their ATM and just... Dialogue: 0,0:52:55.20,0:52:56.66,Default,,0000,0000,0000,,change it out? 
Dialogue: 0,0:52:56.66,0:52:59.54,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:52:59.54,0:53:01.42,Default,,0000,0000,0000,,there is a... Dialogue: 0,0:53:01.42,0:53:04.70,Default,,0000,0000,0000,,that depends on the USB port that they used Dialogue: 0,0:53:04.70,0:53:06.38,Default,,0000,0000,0000,,there is one on the back, so you don't see it Dialogue: 0,0:53:06.38,0:53:08.10,Default,,0000,0000,0000,,and the other is just... Dialogue: 0,0:53:08.10,0:53:17.10,Default,,0000,0000,0000,,you can cut that very exact and then they just repaired it afterwards Dialogue: 0,0:53:17.10,0:53:22.85,Default,,0000,0000,0000,,they just fixed it Dialogue: 0,0:53:22.85,0:53:24.70,Default,,0000,0000,0000,,and for the first question Dialogue: 0,0:53:24.70,0:53:30.70,Default,,0000,0000,0000,,the problem in the main cases is that there are hundreds of thousands of teller machines Dialogue: 0,0:53:30.70,0:53:33.54,Default,,0000,0000,0000,,for each bank Dialogue: 0,0:53:33.54,0:53:36.14,Default,,0000,0000,0000,,and that's just the problem Dialogue: 0,0:53:36.14,0:53:38.30,Default,,0000,0000,0000,,they are of course starting to renew that Dialogue: 0,0:53:38.30,0:53:43.18,Default,,0000,0000,0000,,but when they are at the end doing that Dialogue: 0,0:53:43.18,0:53:48.66,Default,,0000,0000,0000,,Windows has already realeased two newer versions of operating systems Dialogue: 0,0:53:48.66,0:53:51.86,Default,,0000,0000,0000,,and that's one part of it Dialogue: 0,0:53:51.86,0:53:58.20,Default,,0000,0000,0000,,and the other thing, if we had Windows 7 here it wouldn't change a thing Dialogue: 0,0:53:58.20,0:54:02.73,Default,,0000,0000,0000,,I mean, that's probably a question for the banks that we can't really answer Dialogue: 0,0:54:02.73,0:54:06.60,Default,,0000,0000,0000,,but as long as they're convered by insurances Dialogue: 0,0:54:06.60,0:54:08.14,Default,,0000,0000,0000,,they don't really have to care Dialogue: 0,0:54:08.14,0:54:09.94,Default,,0000,0000,0000,,which is of course 
kind of short sighted Dialogue: 0,0:54:09.94,0:54:14.37,Default,,0000,0000,0000,,but maybe thats how it works Dialogue: 0,0:54:15.10,0:54:20.30,Default,,0000,0000,0000,,okay and now the last question from number 1 Dialogue: 0,0:54:20.30,0:54:25.50,Default,,0000,0000,0000,,hi there, I was just curious about this particular ATM model Dialogue: 0,0:54:25.50,0:54:32.38,Default,,0000,0000,0000,,if we're framing this picture of this is let's say the state of security and ATM technology Dialogue: 0,0:54:32.38,0:54:37.90,Default,,0000,0000,0000,,or if it's just let's say an example for how to not build an ATM Dialogue: 0,0:54:37.90,0:54:40.74,Default,,0000,0000,0000,,I mean are these bad guys simply the first who found out Dialogue: 0,0:54:40.74,0:54:43.46,Default,,0000,0000,0000,,well it's basically that simple Dialogue: 0,0:54:43.46,0:54:48.22,Default,,0000,0000,0000,,or is it just let's say a really bad model, they have exploiting? Dialogue: 0,0:54:50.65,0:54:54.20,Default,,0000,0000,0000,,that all depends on the original cash client Dialogue: 0,0:54:54.20,0:55:00.34,Default,,0000,0000,0000,,so the teller machines are all the same, but every bank has an own cash client Dialogue: 0,0:55:00.34,0:55:07.26,Default,,0000,0000,0000,,it's an own software which is really doing the cashing out Dialogue: 0,0:55:07.26,0:55:09.18,Default,,0000,0000,0000,,and they're all different Dialogue: 0,0:55:09.18,0:55:12.62,Default,,0000,0000,0000,,and you have to develop the malware exactly for just one cash client Dialogue: 0,0:55:12.62,0:55:16.38,Default,,0000,0000,0000,,because it won't work on others Dialogue: 0,0:55:16.38,0:55:18.14,Default,,0000,0000,0000,,I mean, sorry Dialogue: 0,0:55:18.94,0:55:21.74,Default,,0000,0000,0000,,I mean also speaking about this physical security Dialogue: 0,0:55:21.74,0:55:24.10,Default,,0000,0000,0000,,I mean, having an easy accessible USB port Dialogue: 0,0:55:24.10,0:55:29.86,Default,,0000,0000,0000,,and booting USB images without any additional 
security measure Dialogue: 0,0:55:29.86,0:55:32.14,Default,,0000,0000,0000,,I mean, is this state of the art? Dialogue: 0,0:55:33.41,0:55:34.78,Default,,0000,0000,0000,,no, it's not Dialogue: 0,0:55:34.78,0:55:36.58,Default,,0000,0000,0000,,actually this has been fixed Dialogue: 0,0:55:36.58,0:55:38.90,Default,,0000,0000,0000,,because there is an whole disk encryption in place now Dialogue: 0,0:55:38.90,0:55:42.46,Default,,0000,0000,0000,,that just prevents this way of attack Dialogue: 0,0:55:42.46,0:55:49.98,Default,,0000,0000,0000,,but yeah, it's not at all teller machine currently implemented Dialogue: 0,0:55:49.98,0:55:52.94,Default,,0000,0000,0000,,so yes, it's kind of state of the art Dialogue: 0,0:55:52.94,0:55:56.10,Default,,0000,0000,0000,,yeah, great, thank you Dialogue: 0,0:55:56.10,0:55:58.26,Default,,0000,0000,0000,,okay then now Dialogue: 0,0:55:58.26,0:56:04.26,Default,,0000,0000,0000,,thank you to our security researchers Dialogue: 0,0:56:04.26,0:56:07.10,Default,,0000,0000,0000,,give them a great and warm applause, please Dialogue: 0,0:56:07.10,0:56:10.16,Default,,0000,0000,0000,,thanks for coming, thank you Dialogue: 0,0:56:10.16,0:56:18.76,Default,,0000,0000,0000,,subtitles created by c3subtitles.de