< Return to Video

Electronic Bank Robberies

  • 0:09 - 0:15
    everyone, I think, knows ATMs, used ATMs
  • 0:15 - 0:20
    and our security researchers there
  • 0:20 - 0:29
    have something very interesting to tell us about electronic bank robberies
  • 0:29 - 0:40
    and because them, please welcome our two security researchers with a very warm applause
  • 0:47 - 0:48
    tw: are we on?
  • 0:48 - 0:49
    okay, well
  • 0:49 - 0:52
    welcome to our little talk here
  • 0:52 - 0:54
    and thanks for the introduction
  • 0:54 - 0:58
    as the angel said, I guess everybody knows what an ATM is
  • 0:58 - 1:03
    it's basically used by people to dispense money from their accounts
  • 1:03 - 1:06
    either because they live in countries like this one
  • 1:06 - 1:09
    where you really don't use credit cards to pay
  • 1:09 - 1:14
    or because you don't wanna be tracked, right?
  • 1:14 - 1:20
    we're gonna tell a little war story here
  • 1:20 - 1:22
    and that's a case of ATM hacking
  • 1:22 - 1:27
    a real world incident that occured this year
  • 1:27 - 1:30
    and you wanna remember this number here
  • 1:30 - 1:35
    because that's how you enable the hacked system
  • 1:35 - 1:37
    in case it's infected
  • 1:37 - 1:41
    and I'm gonna hand over to my co-speaker here
  • 1:41 - 1:45
    to tell you about the first few things here
  • 1:45 - 1:49
    sb: yeah, okay, so let's just have a quick look
  • 1:49 - 1:52
    what do we have in a cash machine
  • 1:52 - 1:54
    so of course we have a safe
  • 1:54 - 1:56
    that's where we want to get in
  • 1:56 - 1:58
    there's the money, we want to spend
  • 1:58 - 2:01
    so of course we have a normal computer
  • 2:01 - 2:03
    it's like a desktop computer
  • 2:03 - 2:06
    mostly it's running a normal operating system
  • 2:06 - 2:09
    most likely it's Windows XP
  • 2:09 - 2:17
    and with just a few different manufacturers that build the teller machines
  • 2:17 - 2:19
    and, yes
  • 2:19 - 2:22
    we as user, we use a common user interface
  • 2:22 - 2:26
    it's just a screen - most likely it's a touchscreen
  • 2:26 - 2:28
    or we have then the EPP number pads
  • 2:28 - 2:32
    where we put the PIN number for our card
  • 2:32 - 2:34
    tw: one thing I would like to add to this slide
  • 2:34 - 2:37
    you see the picture on the right hand side
  • 2:37 - 2:42
    that's a photo we took yesterday when we arived here at Hamburg main station
  • 2:42 - 2:47
    and it's interesting, because this is the state hacked ATMs are usually in
  • 2:47 - 2:50
    befor the bad guys go there and cash out
  • 2:50 - 2:56
    I don't know - maybe this one is infected, too
  • 2:56 - 3:00
    sb: this is not the first ATM hacking, of course
  • 3:00 - 3:08
    the most famous one was from Barnaby at the Black Hat in 2010
  • 3:08 - 3:12
    you see in the screenshot here
  • 3:12 - 3:15
    this was the user interface of his malware
  • 3:15 - 3:21
    so from the functionality it's quite alike
  • 3:21 - 3:24
    but not as nice
  • 3:24 - 3:32
    tw: has anybody in the room looked at this Ploutus thing by any chance?
  • 3:32 - 3:35
    no...
  • 3:35 - 3:42
    sb: okay, so of course we have a lot of POS malware
  • 3:42 - 3:44
    from mobile terminals
  • 3:44 - 3:47
    to steal just sensitive information
  • 3:47 - 3:50
    like the credit card data or paymant data or something
  • 3:50 - 3:54
    and the most famous ones this year even was the Ploutus malware
  • 3:54 - 3:57
    probably you've heard about it - quite famous
  • 3:57 - 4:01
    we had a quick look at Ploutus, too
  • 4:01 - 4:03
    it was written in .NET
  • 4:03 - 4:06
    from the functionality it's similar or the same
  • 4:06 - 4:15
    but not as advanced
  • 4:15 - 4:19
    why are we standing here and talking about this case?
  • 4:19 - 4:22
    we had an incident
  • 4:22 - 4:27
    a bank, they discovered, they had a lot of
  • 4:27 - 4:31
    empty teller machines and they started to
  • 4:31 - 4:35
    work in investigation for themselves
  • 4:35 - 4:40
    just a little bit of forensics and it was just limited success
  • 4:40 - 4:46
    but yeah, they had to do something about it and they tapped up surveillance
  • 4:46 - 4:50
    and improved monitoring
  • 4:50 - 5:05
    and they started to discover that the infection was conducted via an USB stick
  • 5:05 - 5:11
    they get to mange to arrest the guy and to secure this USB stick
  • 5:11 - 5:17
    and on the USB stick we found actually that malware and started to examine that
  • 5:17 - 5:19
    tw: yeah so to re-address that, before we go on
  • 5:19 - 5:24
    what they did was: they figured "okay there's something going on with our ATMs"
  • 5:24 - 5:28
    and they improved their surveillance technology, if you will
  • 5:28 - 5:32
    and then saw that guy trying to cash out from one of the hacked machines
  • 5:32 - 5:35
    and then they went there, arrested the guy
  • 5:35 - 5:39
    and confiscated the USB thumb drive that he was carrying
  • 5:39 - 5:44
    and that's where we started our analysis
  • 5:44 - 5:50
    right
  • 5:50 - 5:54
    sb: they plugged in a USB stick
  • 5:54 - 5:59
    they broke a small part of the chassis
  • 5:59 - 6:03
    it's just PVC, so it's not hard to break that
  • 6:03 - 6:08
    and they plugged in a USB device and forced the ATM to reboot
  • 6:08 - 6:10
    so you can do that by cutting the power off
  • 6:10 - 6:15
    or putting down the LAN interface or plug it out
  • 6:15 - 6:22
    they forced the ATM to reboot and therefore to reboot from the USB device
  • 6:22 - 6:28
    and what we found on the USB device was just a simple image of a Hiren boot CD
  • 6:28 - 6:31
    everyone can just download that
  • 6:31 - 6:35
    and within that Hiren boot CD it's just a mini XP running
  • 6:35 - 6:42
    and you have a folder where you can just put customer executables
  • 6:42 - 6:48
    that will automatically be started when the XP is booted
  • 6:48 - 6:54
    within this customer section we just found our malware
  • 6:54 - 7:00
    it was a batch that was called hack.bat
  • 7:00 - 7:02
    just very nice
  • 7:02 - 7:08
    so actually we thought that this is probably a fake
  • 7:08 - 7:11
    because they just wanted us to examine the wrong file
  • 7:11 - 7:13
    to save some time
  • 7:13 - 7:15
    because it was just that obvious
  • 7:15 - 7:19
    you will have a look at bat script afterwards
  • 7:19 - 7:21
    so you can see what I mean
  • 7:21 - 7:23
    so yes, it's just a mini-XP
  • 7:23 - 7:26
    you have the hack.bat
  • 7:26 - 7:31
    and this will actually start the real malware
  • 7:31 - 7:34
    the so-called atm.exe
  • 7:34 - 7:43
    and yeah... what we found then besides the bootable device on the stick were some very interesting files
  • 7:43 - 7:48
    they were obviously copied from the infected ATM teller machines
  • 7:48 - 7:52
    we can tell that, because there were three different ones that we found there
  • 7:52 - 7:58
    and it was very interesting what kind of data were copied from the ATMs
  • 7:58 - 8:03
    we found data like system data
  • 8:03 - 8:09
    like for example the software hive key
  • 8:09 - 8:18
    a lot of files that have cache data, credit card data, payment data, someting like that
  • 8:18 - 8:22
    from each of the infected teller machines
  • 8:22 - 8:27
    and of course we have our atm.exe
  • 8:27 - 8:29
    that was really interesting
  • 8:29 - 8:36
    and we take a quick look at the hack.bat script
  • 8:36 - 8:39
    so you see, it's very user friendly
  • 8:39 - 8:44
    because they implemented a lot of very interesting switches
  • 8:44 - 8:55
    we see, right at the top, that he begins to copy the software hive key of the infected machines
  • 8:55 - 9:02
    and at first he's checking if the system is already hacked or if he has to do it
  • 9:02 - 9:05
    the switches you can see here
  • 9:05 - 9:09
    they are all implemented
  • 9:09 - 9:13
    the most used one is of course "-hack"
  • 9:13 - 9:17
    we see otherwise, that you have some functionality like clear log files
  • 9:17 - 9:18
    or get the log files
  • 9:18 - 9:25
    this is the part where he copies really interesting data from the teller machines
  • 9:25 - 9:28
    of course the question is: why does he do that?
  • 9:28 - 9:32
    we answer that later
  • 9:32 - 9:40
    it also has got a functionality on it that he can cover his tracks
  • 9:40 - 9:49
    you can clear all files of the malware and remove it also
  • 9:49 - 9:55
    a little bit more about the installer of the atm.exe
  • 9:55 - 9:56
    tw: yeah, thanks
  • 9:56 - 9:58
    I mean of course we were curious
  • 9:58 - 10:01
    now that we know how the system gets infected
  • 10:01 - 10:06
    insert the USB drive, force a reboot and then the batch script runs
  • 10:06 - 10:10
    we were curious: how does the actual cash out process work?
  • 10:10 - 10:12
    how do you get money out of the thing?
  • 10:12 - 10:14
    what we did was
  • 10:14 - 10:16
    we took this atm.exe file - the executable
  • 10:16 - 10:19
    and reverse engineered that to recover the funtionality
  • 10:19 - 10:25
    and the next couple of slides talk about what we found in this executable
  • 10:25 - 10:27
    first of all
  • 10:27 - 10:31
    the atm.exe is a UPX packed thing
  • 10:31 - 10:33
    UPX is one of the standard packers
  • 10:33 - 10:38
    you can easily unpack the original code again
  • 10:38 - 10:42
    and then we came across an interesting fact
  • 10:42 - 10:45
    so we unpacked it and loaded it up into our analysis tools
  • 10:45 - 10:47
    what you can see on the right hand side
  • 10:47 - 10:50
    it's a little bit blurred, but we hope you can still read it
  • 10:50 - 10:53
    is IDA Pro, that probably many of you are familiar with
  • 10:53 - 10:57
    one of the state-of-the-art disassemblers
  • 10:57 - 11:00
    so we loaded that file up into IDA Pro, took a look at the code
  • 11:00 - 11:03
    and then we discovered something interesting
  • 11:03 - 11:07
    we discovered that the original executable contains a resource
  • 11:07 - 11:10
    if you are a little bit familiar with the PE format
  • 11:10 - 11:13
    the executable file format on Windows systems
  • 11:13 - 11:17
    you might know that there are containers that you can use to store additional data
  • 11:17 - 11:19
    or attatch data to a binary
  • 11:19 - 11:20
    they are called resources
  • 11:20 - 11:24
    so this binary had a resource and there was some encrypted data in there
  • 11:24 - 11:31
    which turned out to be a DLL that contains the actual malicious functionality
  • 11:31 - 11:35
    and the interesting thing is that this resource is XOR-encrypted
  • 11:35 - 11:39
    now XOR is not a particularly strong encryption scheme
  • 11:39 - 11:42
    but never the less, if the key is long enough
  • 11:42 - 11:43
    like 4 bytes in this case
  • 11:43 - 11:45
    I mean you can still probably brute-force it
  • 11:45 - 11:47
    but well, you know
  • 11:47 - 11:55
    we figured that every executable that's deployed onto an ATM has the resource
  • 11:55 - 12:02
    encrypted with a key that is derived from the volume serial
  • 12:02 - 12:05
    which is an ID that is assigned to a hard drive when it's formatted
  • 12:05 - 12:06
    by the operating system
  • 12:06 - 12:13
    that means that every executable that's deployed onto an ATM is taylored specifically for this ATM
  • 12:13 - 12:18
    so it's not mass-malware that you can install on any ATM
  • 12:18 - 12:22
    each executable only runs one one very specific ATM
  • 12:22 - 12:24
    and that's interesting
  • 12:24 - 12:30
    I mean of course that raises the question: How do they get this ID in the first place?
  • 12:30 - 12:32
    How do they create this binary with the encrypted resource?
  • 12:32 - 12:35
    Where do they get the volume serials from?
  • 12:35 - 12:37
    and there are basically two options
  • 12:37 - 12:38
    I mean we don't have the answers to these questions
  • 12:38 - 12:40
    but there are only two options
  • 12:40 - 12:47
    one is: they go to the ATMs the first time, run their stuff
  • 12:47 - 12:50
    and extract the volume serial ID from the system
  • 12:50 - 12:53
    then go home, prepare the malware and then come back to infect the system
  • 12:53 - 12:56
    which seems kind of risky, because
  • 12:56 - 13:00
    if you get caught while doing this... well then
  • 13:00 - 13:01
    you'll lose something
  • 13:01 - 13:04
    the other option is...
  • 13:04 - 13:08
    we'll leave that to your imagination
  • 13:15 - 13:16
    so what we did
  • 13:16 - 13:26
    what you see here on the right hand side is some code that is executed after the XOR-decryption of the resource
  • 13:26 - 13:29
    and if you look closely enought you can see in the first basic block up there
  • 13:29 - 13:33
    it checks if the first byte of the decrypted data is an "M"
  • 13:33 - 13:37
    and then the next one checks if the next byte - the second byte - is a "Z"
  • 13:37 - 13:41
    which is part of the PE file header - MZ header
  • 13:41 - 13:45
    so we figured: okay, this is probably an executable
  • 13:45 - 13:48
    and that's how we recovered the original code
  • 13:48 - 13:50
    we assumed that this is an executable and then
  • 13:50 - 13:52
    you can call it a known plaintext attack or something like that
  • 13:52 - 13:58
    we reverted the XOR-encryption and recovered the DLL
  • 13:58 - 14:02
    and after this happened, of course
  • 14:02 - 14:06
    the dropper runs some checksumming code
  • 14:06 - 14:16
    to verify that the extracted and decrypted code is actually the DLL it wants to run
  • 14:22 - 14:24
    so after we recovered this malicious DLL
  • 14:24 - 14:26
    we took a closer look at that one
  • 14:26 - 14:33
    and it's dropped into this path up there under the system directory
  • 14:33 - 14:38
    and the value in the squared brackets over there is again derived from the volume ID
  • 14:38 - 14:41
    so if you come across one of these DLLs
  • 14:41 - 14:43
    you can take a look at the file name
  • 14:43 - 14:46
    and that's linked to the ATM it's supposed to run on
  • 14:46 - 14:48
    because of the naming scheme here
  • 14:48 - 14:53
    so that's how - and of course I mean you can see all of that in the code
  • 14:53 - 14:57
    that the second value there is hard-coded
  • 14:57 - 15:03
    that's how we figured: okay this sample was supposed to run on an ATM with this volueme ID
  • 15:03 - 15:06
    and then we came across something else
  • 15:06 - 15:08
    something that's as interesting
  • 15:08 - 15:13
    this DLL, or the malware in general writes a log file
  • 15:13 - 15:17
    and stores this on the USB drive that's used for the infection process
  • 15:17 - 15:19
    and that's pretty verbose
  • 15:19 - 15:21
    if you look at this
  • 15:21 - 15:23
    again we have to apologize that's it a little blurry
  • 15:23 - 15:26
    but there you can see
  • 15:26 - 15:29
    it's basically what is executed when the batch script runs, right?
  • 15:29 - 15:32
    there is a file name up there
  • 15:32 - 15:36
    if you can see that 978-blablabla DLL and some others
  • 15:36 - 15:44
    and suprisingly this log file contained information about three other infections that took place
  • 15:44 - 15:49
    so we switch to the next slide
  • 15:49 - 15:51
    with that information we can say
  • 15:51 - 15:55
    we have information that these guys infected at least four ATMs
  • 15:55 - 15:57
    the ones where we had that DLL for
  • 15:57 - 15:59
    and then these other three
  • 15:59 - 16:02
    that we recover from the log file
  • 16:02 - 16:05
    log file - again - is XOR-encrypted, but the key is hard-coded
  • 16:05 - 16:09
    so we could recover it from the code and then decrypt the log file and read it
  • 16:09 - 16:12
    this is an abbreviated version
  • 16:12 - 16:14
    the most interesting lines from the log
  • 16:14 - 16:18
    you can see that these ATMs run in fact Windows XP
  • 16:18 - 16:20
    yeah...
  • 16:22 - 16:30
    sb: what probably is quite intersting here is that we have information about three different teller machines
  • 16:30 - 16:32
    that were infected with this USB device
  • 16:32 - 16:37
    in clear text and we have it additionally in this somehow encrypted log file
  • 16:37 - 16:42
    so the question is: Why do we have that twice?
  • 16:42 - 16:43
    Why do we have this log file?
  • 16:43 - 16:45
    And why didn't they remove that files?
  • 16:45 - 16:51
    actually for every new infection they have to build up a new exe device
  • 16:51 - 16:56
    which is encrypted with the volume serial ID from this machine
  • 16:56 - 16:58
    and they would have enough time to clear that up
  • 16:58 - 17:00
    but they didn't do it
  • 17:00 - 17:04
    so furthermore the question broke: Why didn't they?
  • 17:09 - 17:13
    tw: okay, now in this part we wanna talk a little bit more about the actual payload
  • 17:13 - 17:18
    the malicious code that's executed on the compromised ATM
  • 17:18 - 17:20
    you know, the interesting bit
  • 17:21 - 17:25
    what you can see here is a list of some facts that we discovered
  • 17:25 - 17:30
    again this file contains some encrypted resources
  • 17:30 - 17:33
    this time they're encrypted with the static key that you see up there
  • 17:33 - 17:38
    so by looking at the code we obtained this key and could easily recover the resources
  • 17:38 - 17:43
    and they contained images like the one you see on the right hand side, up there
  • 17:43 - 17:49
    obviously stuff they wanted to display on the ATM screen, right?
  • 17:49 - 17:53
    we changed the coloring scheme and some other stuff here a little bit
  • 17:53 - 17:56
    because we don't wanna disclose the target here
  • 17:56 - 18:00
    yeah that's what they store in these resources
  • 18:00 - 18:04
    another thing that was in there, is this sdelete tool from Sysinternals
  • 18:04 - 18:08
    maybe some of you are familiar with that
  • 18:08 - 18:11
    a publicly available tool for secure file deletion
  • 18:11 - 18:16
    so you know, you override the file with specific byte patterns before you remove it
  • 18:16 - 18:19
    and they used that to remove forensic artefacts
  • 18:19 - 18:21
    forensic traces from the system
  • 18:21 - 18:23
    for example when they're uninstalling the malware
  • 18:23 - 18:26
    because you can also uninstall it from an ATM
  • 18:26 - 18:31
    but in case this fails for whatever reason, they have some backup code in the malware
  • 18:31 - 18:35
    some backup secure undelete code that does basically the same stuff
  • 18:35 - 18:38
    it overwrites the data first and then it deletes the file
  • 18:38 - 18:40
    so it's kinda interesting that it put a lot of effort into
  • 18:40 - 18:42
    covering up their, you know
  • 18:42 - 18:46
    hiding their traces on the system
  • 18:46 - 18:47
    and by the way
  • 18:47 - 18:49
    we will give you a demo in a few minutes
  • 18:49 - 18:52
    and show you the whole process
  • 18:52 - 18:54
    how you interact with an infected ATM
  • 18:54 - 18:58
    you will see the other screens as well
  • 19:02 - 19:07
    then of course for most malware it's important to become persistent on the infected system
  • 19:07 - 19:14
    because when it reboots for whatever reason, you want the malware to automatically load again
  • 19:14 - 19:27
    and these guys do that by writing the drop DLL into the AppInit DLLs value in the windows registry
  • 19:27 - 19:29
    for those of you, who are not familiar with the value
  • 19:29 - 19:35
    you can specify libraries in there that are loaded into every process that starts up
  • 19:35 - 19:40
    so by this you make sure that the malicious DLL is loaded into every proess that starts
  • 19:40 - 19:43
    within the current logon session at least
  • 19:44 - 19:48
    what you see down there is some decompiled source code
  • 19:48 - 19:52
    basically the main function of the malware
  • 19:52 - 19:53
    of the DLL
  • 19:53 - 19:55
    and what you can see there
  • 19:55 - 19:58
    there are several checks running in cash client one
  • 19:58 - 20:01
    cash client is the term for the software that controlles the ATM
  • 20:01 - 20:03
    that is running on the ATM
  • 20:03 - 20:05
    and controls the dispenser and so on
  • 20:05 - 20:09
    so it does this check and if this returns true, it starts some routine
  • 20:09 - 20:14
    and if some other checks succeed, then it calls some other functions and so on
  • 20:14 - 20:20
    basically what's happening here is that the DLL checks the name of the process it's running in
  • 20:20 - 20:24
    and then depending on this name it invokes certain functionality
  • 20:24 - 20:30
    and we believe that by doing this they implement support for different cash clients
  • 20:30 - 20:37
    this line down here, running in lsass.exe is also interesting
  • 20:37 - 20:41
    because the DLL is also obviously loaded into
  • 20:41 - 20:42
    what's lsass again? local system...
  • 20:42 - 20:45
    some windows process
  • 20:45 - 20:47
    is also loaded into that one of course
  • 20:47 - 20:50
    because of the AppInit thing
  • 20:50 - 20:54
    if it's running in this, it doesn't interact with the cash client ATM software at all
  • 20:54 - 21:01
    the DLL that's running in there is an event processor
  • 21:01 - 21:03
    for example, if you wanna uninstall the software
  • 21:03 - 21:05
    you basically create an uninstall event
  • 21:05 - 21:08
    and then the instance running in this process here
  • 21:08 - 21:11
    handles the event and removes the file and so on
  • 21:11 - 21:13
    and cleans up all traces
  • 21:13 - 21:16
    sb: what's also quite interesting here
  • 21:16 - 21:19
    you can see that later on, when we discover the malware itself
  • 21:19 - 21:22
    they have really somthing like a development cycle
  • 21:22 - 21:24
    it's really professional made up
  • 21:24 - 21:32
    because within the first infections we could find this malicious DLL within this AppInit hive key
  • 21:32 - 21:38
    there was an incident where the forensic team could discover it there
  • 21:38 - 21:40
    because it's quite obvious, you know
  • 21:40 - 21:45
    the AppInit DLL key is very famous for any malware
  • 21:45 - 21:48
    that should start at startup
  • 21:48 - 21:49
    and they improved it
  • 21:49 - 21:55
    so later on, they just added this malicious DLL to the DLLs which are started
  • 21:55 - 21:57
    just when the cash client is started
  • 21:57 - 22:01
    so it's also started from the startup, but it's not as loud
  • 22:01 - 22:05
    so you have to have to search quite deeper to find it
  • 22:08 - 22:10
    tw: Where are we? Are we on time? How are we doing?
  • 22:10 - 22:13
    How much time do we have left?
  • 22:18 - 22:19
    okay, plenty of time
  • 22:19 - 22:20
    great
  • 22:20 - 22:28
    so we know, how the malware becomes persistent
  • 22:28 - 22:32
    we know how it makes sure that it runs on the system
  • 22:32 - 22:37
    so it injects this DLL into all these processes
  • 22:37 - 22:40
    now of course we wanna know how to interact with it
  • 22:40 - 22:42
    because there must be a way of interacting with the malware
  • 22:42 - 22:51
    and what we found out by reverse engineering code is that the DLL that's running in the cash client
  • 22:51 - 22:54
    installs a hook for keyboard events
  • 22:54 - 22:58
    so whenever you press a key on the keyboard which in this case is the num pad
  • 22:58 - 23:03
    this is trapped by the malware and processed
  • 23:03 - 23:06
    and what they do is, they process only number keys
  • 23:06 - 23:07
    for obvious reasons
  • 23:07 - 23:09
    because that's the only kind of keys that you can enter
  • 23:09 - 23:12
    and if you enter the code that you've seen on the first slide
  • 23:12 - 23:20
    you activate a hidden menu that allows you to choose the several options
  • 23:20 - 23:24
    that you can use to control the ATM
  • 23:28 - 23:30
    but they have implemented an additional measure
  • 23:30 - 23:34
    because, you know, it's possible that somebody by accident enters the right 12 digits
  • 23:34 - 23:37
    and then suprise this thing pops up
  • 23:37 - 23:40
    and you can dispense all the money from the ATM
  • 23:40 - 23:42
    of course they don't want that to happen
  • 23:42 - 23:44
    so they have implemented a challenge-response scheme
  • 23:44 - 23:48
    so when you enter the 12 digit code, the first menu allowes you to say
  • 23:48 - 23:50
    present me with a challenge
  • 23:50 - 23:55
    and then the malware generates a random or like a secret code
  • 23:55 - 23:57
    where the scheme to generate it is secret
  • 23:57 - 24:00
    and you have to enter a response
  • 24:00 - 24:02
    that's not easy to crack
  • 24:02 - 24:04
    what they do in this case
  • 24:04 - 24:10
    because of the poor guy who goes to the ATM to cash out is not the brain behind the whole operation
  • 24:10 - 24:14
    they're likely to get arrested
  • 24:14 - 24:18
    so they probably don't want to transfer the knowledge
  • 24:18 - 24:21
    how to generate the response for the challenge to these people
  • 24:21 - 24:26
    can you tell the story about the phone calls?
  • 24:26 - 24:33
    sb: yeah, actually they had a surveillance video where they could monitor just one of their cash guys
  • 24:33 - 24:37
    which just currently had entered the secret 12 digits
  • 24:37 - 24:43
    and you can see on this video that he has already one part of this hack view
  • 24:43 - 24:48
    and after that he just took a cell phone
  • 24:48 - 24:53
    and called somebody and you can see that within that call
  • 24:53 - 25:00
    he types another number and right after that, he starts cashing out the teller machines
  • 25:00 - 25:06
    that's exactly that challenge-response check, he was talking about
  • 25:06 - 25:10
    so this proves that they don't want anything to chance
  • 25:10 - 25:18
    they wanna control which teller machine is cached out and exactly when and who does the cash out
  • 25:18 - 25:25
    so this may implicate that they don't trust their own people, do they?
  • 25:25 - 25:31
    tw: so, I mean we tried to bring you this video where the guy makes the phone call
  • 25:31 - 25:34
    but obviously the bank that was targeted here
  • 25:34 - 25:39
    they're a little concerned about their identity beeing disclosed
  • 25:39 - 25:41
    so unfortunately we couldn't get it
  • 25:41 - 25:44
    but, well, you have to trust us on that
  • 25:44 - 25:46
    that's how they probably do it
  • 25:46 - 25:53
    another thing is that these guys already anticipated that somebody would get a copy of the malware
  • 25:53 - 25:55
    and then probably start to reverse engineer it
  • 25:55 - 25:58
    and understand how it works
  • 25:58 - 26:00
    and of course the worst thing that can happen is
  • 26:00 - 26:04
    if somebody recovers the challenge-response functionality in that code
  • 26:04 - 26:09
    and then goes to all the hacked ATMs and, you know, jackpots them
  • 26:09 - 26:11
    insted of these guys
  • 26:11 - 26:15
    so they figured: okay, we need a means to protect that really important code
  • 26:15 - 26:18
    and that's not the only part, that's protected
  • 26:18 - 26:22
    there are several pieces that are, you know, critical
  • 26:22 - 26:24
    so to speak
  • 26:24 - 26:27
    so this challenge-response thing is one of them
  • 26:27 - 26:32
    and the other parts that are protected is everything that interacts wih the cash client
  • 26:32 - 26:38
    so by looking at the code you would never see a direct API call or DLL function call
  • 26:38 - 26:40
    into the cash clients libraries
  • 26:40 - 26:42
    all of this stuff is protected
  • 26:42 - 26:46
    and I'm gonna talk a little bit more about how they do that
  • 26:48 - 26:52
    it's a little bit hard to put that...
  • 26:52 - 26:54
    to find the right words for it
  • 26:54 - 26:57
    we have a picture of that in our mind, but...
  • 26:57 - 27:00
    we call that a state machine
  • 27:00 - 27:04
    so their obfuscation method is basically control flow obfuscation
  • 27:04 - 27:09
    when you look at some code statially, you can see this function is calling that function
  • 27:09 - 27:11
    and then this is calling that under this condition and so on
  • 27:11 - 27:13
    that's the control flow in the code
  • 27:13 - 27:17
    but if you don't wanna disclose that function A is calling function B
  • 27:17 - 27:19
    you have to put something in between
  • 27:19 - 27:21
    that obfuscates this relationship
  • 27:21 - 27:25
    they implemented a state-machine
  • 27:25 - 27:27
    that's what we call it
  • 27:27 - 27:29
    and this state machine consumes a buffer
  • 27:29 - 27:31
    a static buffer that's somewhere in the binary
  • 27:31 - 27:34
    and performs some computation on the bytes
  • 27:34 - 27:37
    and the result is the address of the function to call
  • 27:37 - 27:42
    at some point you say: state machine, here is a buffer
  • 27:42 - 27:43
    do your thing
  • 27:43 - 27:46
    and then the state machine starts computing the address to call
  • 27:46 - 27:48
    or that's only one scenario
  • 27:48 - 27:51
    the other scenario is that you wanna compute a certain value
  • 27:51 - 27:55
    for example, you enter the response for a particular challenge
  • 27:55 - 28:02
    and then the state machine with its functions computes some other value
  • 28:02 - 28:05
    that it compares to a challange or something
  • 28:05 - 28:09
    and this computation as well is protected by the state machine
  • 28:09 - 28:13
    and you can see a little snippet of that on the right hand side
  • 28:13 - 28:17
    again, if you can read it, you can see there's a lot of junk code in there
  • 28:17 - 28:22
    those of you who are familiar with polymorphism
  • 28:22 - 28:24
    polymorphic malware or other stuff like that
  • 28:24 - 28:28
    you will immediately see that some of the functions in there are total garbage
  • 28:28 - 28:32
    like for example, the SUB AL e1
  • 28:32 - 28:36
    and then, you know, some values are subtracted from a register first and then added again
  • 28:36 - 28:39
    so it's basically doing nothing
  • 28:39 - 28:45
    this junk code stuff is one method of obfuscation
  • 28:45 - 28:48
    and the other is, what's usally called "spaghetti code"
  • 28:48 - 28:50
    you know, it's jumping back and forth
  • 28:50 - 28:52
    and calling subroutines all over the place
  • 28:52 - 28:57
    and I think it's really hard or next to impossible to reverse engineer that
  • 28:57 - 28:59
    at least we spent several days
  • 28:59 - 29:01
    weeks even
  • 29:01 - 29:03
    and we couldn't really figure out how the state machine works
  • 29:03 - 29:04
    and that's really the purpose
  • 29:04 - 29:08
    but fortunately for us there was a solution for this
  • 29:08 - 29:13
    and that is what the little colored bar at the bottom of the slide shows you
  • 29:13 - 29:18
    again, this is something that IDA Pro generates for you, this disassembler tool
  • 29:18 - 29:20
    you can see the blue stuff at the front
  • 29:20 - 29:25
    that's the real code of the malware
  • 29:25 - 29:27
    all of that lives in the code section
  • 29:27 - 29:29
    and is at the beginning
  • 29:29 - 29:32
    and the green stuff here is library functions
  • 29:32 - 29:34
    here we have some data
  • 29:34 - 29:37
    and at the end there is some code again
  • 29:37 - 29:39
    and suprisingly this is the state machine
  • 29:39 - 29:43
    and it's pretty convenient for us that this is somewhere else in the memory layout
  • 29:43 - 29:44
    so what you can do is
  • 29:44 - 29:47
    you can put a memory break point a the section here
  • 29:47 - 29:52
    and by doing this trap every attempt to execute the state machine code
  • 29:52 - 29:54
    and then when you're in the state machine
  • 29:54 - 29:58
    you put a break point on the original, on the real code, up there
  • 29:58 - 30:02
    and you get the exit point of the state machine
  • 30:02 - 30:06
    by doing this you can basically treat the state machine as a black box
  • 30:06 - 30:08
    you don't care about the calculations at all
  • 30:08 - 30:12
    you can still reconstruct the relationship between the calling function and the callee
  • 30:12 - 30:15
    okay
  • 30:15 - 30:24
    unfortunately we couldn't use this break point method to understand how these value calculations are performed
  • 30:24 - 30:29
    but, well, you still can inspect memory and somehow understand a little bit of that somehow at least
  • 30:33 - 30:38
    okay now we wanna demo to you how this thing looks like
  • 30:38 - 30:42
    unfortunately we don't own an ATM that we can infect
  • 30:42 - 30:47
    but we have a virtual machine here that's running the malware
  • 30:48 - 30:50
    and we've patched the malware a little bit here
  • 30:50 - 30:52
    I think we didn't tell you
  • 30:52 - 30:54
    so what's happening is these screens when you enter the secret code
  • 30:54 - 30:57
    these screens that you saw on the slide
  • 30:57 - 31:01
    they're displayed on a second desktop
  • 31:01 - 31:04
    on Windows you can have as many desktops
  • 31:04 - 31:06
    like virtual desktops as you want
  • 31:06 - 31:08
    and then switch back and forth between these desktops
  • 31:08 - 31:09
    so what's happening is
  • 31:09 - 31:11
    these screens are displayed on a second desktop
  • 31:11 - 31:15
    and then execution switches over
  • 31:15 - 31:18
    the displays which is over to this desktop
  • 31:18 - 31:22
    so you leave the original ATM display and it's process alone
  • 31:22 - 31:24
    you just switch over to your secret menu desktop
  • 31:24 - 31:27
    and when you're done, you can switch back
  • 31:28 - 31:31
    that's a little difficult to debug
  • 31:31 - 31:35
    because when you do that, when you're running in a debugger and using break points and stuff
  • 31:35 - 31:39
    and the malware all of a sudden switches to a second desktop
  • 31:39 - 31:42
    you can't control the debugger anymore, because it's running on the first desktop
  • 31:42 - 31:48
    so we had to patch a few things to make it more convenient for us to demonstrate this
  • 31:48 - 31:51
    and that's what we're gonna do now
  • 31:56 - 31:58
    can you...?
  • 31:58 - 32:02
    so we have this little Windows XP VM
  • 32:02 - 32:04
    because we want to be accurate, right?
  • 32:04 - 32:08
    and I'm gonna start two processes here
  • 32:08 - 32:12
    one is: I have some little batch scripts
  • 32:12 - 32:18
    one is the one that simulates the malware running in the lsass process
  • 32:18 - 32:24
    and the other one simulates the malware running in the cash client
  • 32:24 - 32:25
    this one here
  • 32:25 - 32:32
    and let's just presume that this is showing the stardard ATM screen here
  • 32:32 - 32:35
    so "Enter your PIN" and stuff like that, okay
  • 32:35 - 32:37
    so what we're gonna do now is
  • 32:37 - 32:41
    we're gonna enter the 12 digit secret code that we saw on the first slide
  • 32:41 - 32:44
    you remember that, right?
  • 32:48 - 32:52
    and if you do that, you're presented with this menu here
  • 32:59 - 33:02
    do you wanna talk about those values? how that's calculated?
  • 33:02 - 33:03
    sb: yeah probably
  • 33:03 - 33:08
    so the only thing which is hard coded are the three lines at the bottom here
  • 33:08 - 33:16
    and all of the rest is just generated with the actual amounts they find on this ATM
  • 33:16 - 33:21
    so the ATMs, they have a lot of loo files which they create
  • 33:21 - 33:24
    and they're just saved on the hard drive
  • 33:24 - 33:26
    and within that files
  • 33:26 - 33:31
    every payment transaction is noted
  • 33:31 - 33:34
    what the malware does is
  • 33:34 - 33:37
    it requests the newest of that files
  • 33:37 - 33:42
    and just pulls the values into that screen
  • 33:42 - 33:48
    and so the attacker is presented with the actual value of the amount of money
  • 33:48 - 33:53
    and there he can just choose which one he wants to cash out
  • 33:53 - 33:58
    so just the 100 bills, or all of them
  • 33:58 - 34:00
    this is quite interesting
  • 34:00 - 34:06
    we took this screen from an ATM which was already attacked
  • 34:06 - 34:14
    there you can see that especially, or only the $100 cash cassette was cashed out
  • 34:14 - 34:24
    because, you know how long it takes if you're just cashing out 100 or 200 Dollars or Euros
  • 34:24 - 34:31
    and if you can imagine if you have a whole cassette full of money
  • 34:31 - 34:33
    that takes a lot of time
  • 34:33 - 34:43
    so this is why they most likely just cashed out this cassette with the most valuable input
  • 34:43 - 34:48
    tw: so what I can do now is
  • 34:48 - 34:51
    I can either press "0" and then I leave that again
  • 34:51 - 34:55
    and, you know, ATM shows its standard screen again
  • 34:55 - 34:57
    or I press "1"
  • 34:57 - 35:01
    I'm gonna do that now, just to show you what's happening
  • 35:01 - 35:05
    and now it's challenging me with this code here
  • 35:05 - 35:09
    and I have to enter the response
  • 35:09 - 35:13
    and yeah, I mean, it's a 6 digit number
  • 35:13 - 35:14
    the problem is
  • 35:14 - 35:18
    because we're not running on a real ATM, we cannot simulate this here
  • 35:18 - 35:20
    so I mean, I can enter a number here
  • 35:20 - 35:25
    but even if it would be the right one and it would accept this
  • 35:25 - 35:30
    we wouldn't be able to go any further, because some pieces are missing here
  • 35:30 - 35:34
    unfortunately... let me restart this
  • 35:45 - 35:47
    there we go again
  • 35:50 - 35:52
    usually what happens is
  • 35:52 - 35:54
    you press "1"
  • 35:54 - 35:57
    you get the challenge code
  • 35:57 - 35:59
    you call your HQ
  • 35:59 - 36:01
    you get the response code
  • 36:01 - 36:02
    you enter your response code
  • 36:02 - 36:06
    and then you have access to this second level menu, so to speak
  • 36:06 - 36:09
    that allows you to actually cash out
  • 36:09 - 36:13
    well, as I said, we cannot really do that here
  • 36:13 - 36:17
    so we have to simulate the fact that we're authenticated
  • 36:17 - 36:20
    we entered the right response code
  • 36:20 - 36:24
    for that we patched a little bit in this DLL
  • 36:24 - 36:27
    unfortunately we have to wait for three minutes now
  • 36:27 - 36:29
    because there is a timeout
  • 36:29 - 36:34
    they implemented a timeout as a measure to not leave this screen open
  • 36:34 - 36:36
    when, you know, something happens
  • 36:36 - 36:38
    the guy has to run off or something
  • 36:38 - 36:40
    because police is coming or something
  • 36:40 - 36:41
    and then you don't want to leave this on the scren
  • 36:41 - 36:45
    so they implemented a timer that fires after three minutes
  • 36:45 - 36:48
    and then after three minutes this window is closed
  • 36:48 - 36:54
    we patched this timer, that after three minutes the second layer menu is opened instead
  • 36:54 - 36:58
    we have to talk a little bit more, until that happens now
  • 36:58 - 37:02
    sb: probably about the version number
  • 37:02 - 37:06
    cause there you can see, they named their software
  • 37:06 - 37:11
    typical software style of course
  • 37:11 - 37:13
    with a four digit value number
  • 37:13 - 37:15
    so they have really a development cycle
  • 37:15 - 37:17
    for this malware
  • 37:17 - 37:23
    and they really are improving that with nearly every attack they are doing
  • 37:23 - 37:27
    they collect all facts they have, they improve antiforensics
  • 37:27 - 37:32
    and build in a little more functionality
  • 37:32 - 37:37
    you can really track these changes, they made
  • 37:37 - 37:40
    this developement improves
  • 37:43 - 37:49
    tw: another thing we can tell you meanwhile is that this challenge code is generated from two things
  • 37:49 - 37:52
    again, we don't know how it's generated, we don't know the algorithm
  • 37:52 - 37:54
    but we do know the input
  • 37:54 - 37:57
    and the two things that are the input to this algorithm
  • 37:57 - 38:02
    are an ID that's unique to the ATM
  • 38:02 - 38:05
    or the station, whatever you wanna call it
  • 38:05 - 38:06
    and a random value
  • 38:06 - 38:07
    so there's some randomness in there
  • 38:07 - 38:12
    by this you make sure that even if the same random value is chosen
  • 38:12 - 38:14
    the codes are different for two different ATMs
  • 38:14 - 38:18
    so the guy has to in fact call you and ask for the code
  • 38:18 - 38:24
    he cannot, you know, just by accident enter the right thing and take the money for himself
  • 38:24 - 38:31
    alright now would be a good time for the timer to fire
  • 38:33 - 38:35
    let's see
  • 38:35 - 38:38
    okay, I have another story
  • 38:38 - 38:40
    the dropper executable
  • 38:40 - 38:46
    when something goes wrong, they calculate an error message, an error code
  • 38:46 - 38:47
    oh, there we go
  • 38:47 - 38:50
    and this error code is derived from the value 1337
  • 38:50 - 38:53
    so apparently they think they are leet
  • 38:53 - 38:58
    which didn't really stop us from reverse engineering their software
  • 39:04 - 39:08
    this screen is like what we showed on the second slide
  • 39:08 - 39:12
    which basically says "this terminal is out of order, go to the next one"
  • 39:12 - 39:14
    and when you see this
  • 39:14 - 39:16
    I mean, two purposes:
  • 39:16 - 39:23
    one: others who want to dispense money from the ATM, if they see this, they would not touch it
  • 39:23 - 39:25
    and go to another one
  • 39:25 - 39:28
    but this also tells you that now you can enter another code
  • 39:28 - 39:33
    which turns out to be the same 12 digit sequence that we already know
  • 39:33 - 39:35
    to enter the second hidden menu
  • 39:35 - 39:41
    and there we go
  • 39:41 - 39:45
    this is now the real menu that you can use to control the ATM
  • 39:45 - 39:50
    again, you see the first four lines show you how much money for the different bills
  • 39:50 - 39:52
    or different notes is in there
  • 39:52 - 39:54
    but now you can actually, you know, cash out
  • 39:54 - 39:56
    you can dispense that money from the machine
  • 39:56 - 40:08
    so for example if I press "1", hopefully I can get the 300 R-Dollars
  • 40:08 - 40:12
    or if I press "4", I can get the 50s
  • 40:12 - 40:18
    so let me do that now and you can pay attention to the purple line at the bottom
  • 40:18 - 40:21
    so I press "4" now
  • 40:21 - 40:25
    and it said "wait" or "waiting" or something like that
  • 40:25 - 40:27
    and now it says "command has failed"
  • 40:27 - 40:30
    which is too bad because I wanted money, but my VM...
  • 40:30 - 40:32
    the emulation is not that good
  • 40:32 - 40:37
    sb: still didn't get to manage to really cash out some money from that machine here
  • 40:37 - 40:38
    tw: that would be nice
  • 40:38 - 40:40
    so I could now try to cash out 1, 2, 3, 4
  • 40:40 - 40:42
    and always I get this failure message
  • 40:42 - 40:48
    but this is where the malware actually interacts with the cash client
  • 40:48 - 40:55
    it loads, or resolves the libraries that belong to this cash client and then calls the API functions
  • 40:55 - 40:58
    to trigger the dispense functionality
  • 40:58 - 41:02
    but the other options at the bottom of the screen are also interesting
  • 41:02 - 41:05
    let me show you "7" and "8" first
  • 41:05 - 41:07
    and that's why I have this little window open here
  • 41:07 - 41:08
    I hope you can see that
  • 41:08 - 41:11
    so this is my network connection
  • 41:11 - 41:13
    the network devices that are installed
  • 41:13 - 41:20
    and as she said, every ATM has a persistentnetwork connection to the bank
  • 41:20 - 41:22
    so they can control what's going on and monitor and so on
  • 41:22 - 41:28
    so probably before you wanna cash out, you wanna disable the network entirely
  • 41:28 - 41:30
    and they can use "7" and "8" to do that
  • 41:30 - 41:37
    so let me press "7", you take a look at that window on the right hand side
  • 41:37 - 41:40
    you can see, the adapters are disabled now
  • 41:40 - 41:43
    and now I'm going to press "8" again
  • 41:43 - 41:44
    and now they're enabled again
  • 41:44 - 41:46
    that's convenient, right
  • 41:46 - 41:50
    so you can disable and enable the network adapters entirely
  • 41:50 - 41:54
    if you press "6" you're going back to this mode
  • 41:58 - 42:02
    and finally you can also format the system
  • 42:04 - 42:07
    I mean obviously because you wanna remove all the traces
  • 42:07 - 42:12
    so if I press "5", you see that little screen, that we already know
  • 42:12 - 42:15
    from the slide
  • 42:15 - 42:17
    they're somewhat cautious here
  • 42:17 - 42:20
    again, if you do that, you can either press "0"
  • 42:20 - 42:22
    then you get back to the previous menu
  • 42:22 - 42:26
    or you can press "9" and confirm that you actually wanna format the system
  • 42:26 - 42:27
    and doing that' now
  • 42:27 - 42:33
    and again it presents you with a challenge and you have to enter a 6 digit response code
  • 42:33 - 42:38
    the algorighm that's used to calculate this here is different from the previous one
  • 42:38 - 42:42
    and I mean we figured it out somewhat
  • 42:42 - 42:46
    but the funny thing is, that it doesn't actually format the system
  • 42:46 - 42:49
    it just uninstalles the malware
  • 42:49 - 42:54
    I don't know what the right answer to this is now
  • 42:54 - 42:57
    if you enter the wrong one, it keeps asking
  • 42:57 - 43:01
    and interestingly you cannot get out of this state anymore
  • 43:01 - 43:05
    so if you don't know the right answer, you're trapped in this
  • 43:05 - 43:09
    and after three minutes the "out of order" thing is displayed again
  • 43:09 - 43:13
    but if you enter the sectet code, you don't have access to the main menu again
  • 43:13 - 43:15
    you will always end up in this screen
  • 43:15 - 43:23
    so unless you enter the right code here, well, you locked yourself out
  • 43:27 - 43:28
    alright
  • 43:28 - 43:34
    we wanna conclude with some speculation about the people behind this maybe
  • 43:34 - 43:37
    we obviously don't really know who it is
  • 43:37 - 43:40
    but, you know, there are some interesting facts
  • 43:40 - 43:46
    and after that we'll open it up for questions and, you know, a little Q&A
  • 43:46 - 43:49
    sb: what we really can tell for sure
  • 43:49 - 43:51
    that they want to make serious money with that
  • 43:51 - 43:54
    they put a lot of effort in implementing and investigating
  • 43:54 - 43:57
    in coding actually
  • 43:57 - 44:04
    they build up quite a big team to do that and they have apparently different roles
  • 44:04 - 44:06
    that are strictly assigned
  • 44:06 - 44:11
    so every role has his part and is able to do his part
  • 44:11 - 44:14
    so it's quite separated
  • 44:14 - 44:19
    for sure they have to have profound knowledge about the ATMs
  • 44:19 - 44:22
    so most likely they really had one
  • 44:22 - 44:29
    to test all these features and to really check whether the coding is correct
  • 44:29 - 44:30
    whether they get any error messages
  • 44:30 - 44:32
    something like that
  • 44:32 - 44:39
    so either they probably robbed one and reverse engineered the original cash client
  • 44:39 - 44:41
    to derive the malware from it
  • 44:41 - 44:45
    or they most likely had someone in the inside
  • 44:45 - 44:48
    which was just to...
  • 44:48 - 44:50
    which had to develop the original cash client
  • 44:50 - 44:54
    and therefore really knows exactly how this works
  • 44:54 - 45:00
    how it's possible just to trigger a cash out
  • 45:00 - 45:04
    without entering a valid card, the PIN code
  • 45:04 - 45:11
    circumvent all the security measures that are implemented here
  • 45:11 - 45:16
    they have quite good development skills
  • 45:16 - 45:20
    so the code is quite sorted
  • 45:20 - 45:23
    you see the development cycles
  • 45:23 - 45:37
    they implement new features just like the AppInit DLL key stuff and so on
  • 45:37 - 45:47
    at least they are capable of protecting the code against people like him
  • 45:47 - 45:50
    they're just trying to reverse engineer malware
  • 45:50 - 45:54
    and they really try to cover their tracks for forensic investigations
  • 45:54 - 45:59
    so they made it really hard to get the pieces together
  • 45:59 - 46:07
    to just have a full image of how that finally works together
  • 46:07 - 46:08
    tw: alright
  • 46:08 - 46:12
    that was almost the last slide
  • 46:12 - 46:14
    you guys remember the 12 digits
  • 46:14 - 46:15
    from the first slide
  • 46:15 - 46:18
    so next time, before you dispense the money from an ATM, enter the 12 digits first
  • 46:18 - 46:21
    to make sure that it's not hacked
  • 46:21 - 46:23
    right, and if it is hacked
  • 46:23 - 46:30
    then you enter this here
  • 46:30 - 46:31
    because that uninstalls the malware
  • 46:31 - 46:41
    applause
  • 46:49 - 46:54
    well then we do a short Q&A, if it's okay for you
  • 46:54 - 46:57
    please, everybody that has a question
  • 46:57 - 47:01
    please line up on the microphones
  • 47:01 - 47:04
    signed with the numbers
  • 47:04 - 47:21
    and then we will do a short Q&A from approximately 8 to 10 minutes
  • 47:21 - 47:23
    alright, let's start with you
  • 47:23 - 47:25
    hi, I have two questions
  • 47:25 - 47:31
    the first question is whether they were gathering PIN codes and no strips
  • 47:31 - 47:33
    to be able to use them later on
  • 47:33 - 47:38
    and the second question is whether the ATM is connected to the Internet through the network connection
  • 47:38 - 47:41
    I didn't get all of that
  • 47:41 - 47:42
    can the others be a little quiet
  • 47:42 - 47:45
    so we have the chance to understand the questions
  • 47:45 - 47:47
    sorry, can you please repeat?
  • 47:47 - 47:53
    so my first question is whether the PIN codes and this magnetic strip
  • 47:53 - 47:58
    or any other information linked to the credit card number is gathered by this malware
  • 47:58 - 48:03
    and the second question is wether net network connection gives Internet access to the ATM
  • 48:03 - 48:07
    let me answer the first one, and for the second one, I'll refer to her
  • 48:07 - 48:13
    so this one could gather information like credit card stuff and so on
  • 48:13 - 48:15
    but it doesn't
  • 48:15 - 48:16
    not this one
  • 48:16 - 48:18
    I didn't get the second question
  • 48:18 - 48:23
    second question was: can you access the ATMs over the Internet? is there internet connection?
  • 48:23 - 48:28
    no, actually they do not have an Internet connection
  • 48:28 - 48:31
    but it is possible to build, so far
  • 48:31 - 48:35
    we did that in a test, where we tested an ATM
  • 48:35 - 48:40
    you can use this USB connection where they plugged in the bootable device
  • 48:40 - 48:46
    and just put an UTMS stick there and then you have an Internet connection
  • 48:46 - 48:48
    but by default there is none
  • 48:48 - 48:51
    but we did that, yeah
  • 48:51 - 48:56
    okay, then let's take number 1
  • 48:56 - 48:58
    thank you for your talk
  • 48:58 - 49:00
    I have two short questions
  • 49:00 - 49:03
    what was the time span between the infection and the cash out?
  • 49:03 - 49:09
    and did the attackers try to intercept card data?
  • 49:09 - 49:11
    so, the second question is the same as the previous one
  • 49:11 - 49:14
    they don't intercept any card data
  • 49:14 - 49:17
    they don't gather like credit card information and stuff like that
  • 49:17 - 49:22
    they only like jackpot - as Barnaby Jack called it - the ATMs
  • 49:22 - 49:25
    they only dispense money from the ATM
  • 49:25 - 49:28
    for the first question, what was the first question again?
  • 49:28 - 49:31
    what was the time span between the infection and the cash out?
  • 49:31 - 49:35
    how much time is between the infection and the actual cash out
  • 49:35 - 49:40
    we discovered that were only two to three days
  • 49:40 - 49:47
    so they could have any time between that, but they really try to make it short
  • 49:47 - 49:52
    and of course they waited for the right time, so right after the recharging
  • 49:52 - 49:57
    because thats the point of the most money
  • 49:57 - 49:59
    okay, then number 3 please
  • 49:59 - 50:02
    hi, thank you for your talk
  • 50:02 - 50:04
    question about banking security
  • 50:04 - 50:09
    this beeing Windows XP, I missed the part of code signing
  • 50:09 - 50:12
    and verified publishers and such
  • 50:12 - 50:17
    do banks employ these security measures or not?
  • 50:18 - 50:20
    they do have security measures
  • 50:20 - 50:25
    but they're only implemented when the XP is running
  • 50:25 - 50:29
    so they have whitelisting for applications
  • 50:29 - 50:31
    they have monitoring for the process
  • 50:31 - 50:33
    and they have an anti-virus
  • 50:33 - 50:35
    and of course something like that
  • 50:35 - 50:38
    but in essence everyone can dump their own software on it and run it
  • 50:38 - 50:43
    there is no whitelist for signatures or publishers, right?
  • 50:43 - 50:45
    there is a whitelist
  • 50:45 - 50:50
    actually there is, but that was the point why they did that
  • 50:50 - 50:52
    via bootable USB stick
  • 50:52 - 50:59
    because they wrote this DLL just within the system folder
  • 50:59 - 51:02
    and they have a whitelist for applications, but not for the DLLs
  • 51:02 - 51:05
    which these applications are using
  • 51:05 - 51:11
    I mean, it goes without saying that you can take measures to make the ATMs more secure
  • 51:11 - 51:13
    because this is kind of a trivial attack
  • 51:13 - 51:15
    and as you said, everybody could do that
  • 51:15 - 51:17
    and that's kind of the reason why we're giving this talk
  • 51:17 - 51:21
    it's no use in keeping vulnerabilites secret
  • 51:21 - 51:24
    they should be like talked about openly
  • 51:24 - 51:27
    and then people can go and fix their problems, right
  • 51:27 - 51:28
    thank you
  • 51:30 - 51:36
    do we have a question from IRC or the community out there?
  • 51:37 - 51:40
    yes there was one question coming from IRC
  • 51:40 - 51:46
    which was: how to get on the USB printer port to reverse that machine?
  • 51:48 - 51:50
    can you repeat the question please?
  • 51:50 - 51:55
    how to get on the USB port or printer port to reverse that machine?
  • 51:58 - 52:02
    this was just via cutting a hole into the chassis
  • 52:02 - 52:04
    so this is just a...
  • 52:04 - 52:06
    this is no metal, this is not a safe
  • 52:06 - 52:08
    so this is just a plastic
  • 52:08 - 52:10
    and there you can just cut a hole in it
  • 52:10 - 52:14
    and then you can actually access the USB port
  • 52:14 - 52:18
    I mean, they physically damaged the ATM to be able to access the USB port
  • 52:18 - 52:22
    and then they had to cut the network connection
  • 52:22 - 52:24
    and that triggered a reboot
  • 52:24 - 52:26
    so it's really a trivial attack
  • 52:26 - 52:27
    not that hard
  • 52:29 - 52:30
    okay number 4 please
  • 52:31 - 52:32
    yes
  • 52:32 - 52:34
    two part question
  • 52:34 - 52:39
    you would think that banking and money would be a high priority thing to secure
  • 52:39 - 52:41
    why are they using Windows XP?
  • 52:41 - 52:43
    and the second one is
  • 52:43 - 52:47
    applause
  • 52:47 - 52:48
    second one is
  • 52:48 - 52:52
    if there was a time-frame of I think it was three days between the two attacks
  • 52:52 - 52:55
    why don't they realize, there is hole cut into their ATM and just...
  • 52:55 - 52:57
    change it out?
  • 52:57 - 53:00
    applause
  • 53:00 - 53:01
    there is a...
  • 53:01 - 53:05
    that depends on the USB port that they used
  • 53:05 - 53:06
    there is one on the back, so you don't see it
  • 53:06 - 53:08
    and the other is just...
  • 53:08 - 53:17
    you can cut that very exact and then they just repaired it afterwards
  • 53:17 - 53:23
    they just fixed it
  • 53:23 - 53:25
    and for the first question
  • 53:25 - 53:31
    the problem in the main cases is that there are hundreds of thousands of teller machines
  • 53:31 - 53:34
    for each bank
  • 53:34 - 53:36
    and that's just the problem
  • 53:36 - 53:38
    they are of course starting to renew that
  • 53:38 - 53:43
    but when they are at the end doing that
  • 53:43 - 53:49
    Windows has already realeased two newer versions of operating systems
  • 53:49 - 53:52
    and that's one part of it
  • 53:52 - 53:58
    and the other thing, if we had Windows 7 here it wouldn't change a thing
  • 53:58 - 54:03
    I mean, that's probably a question for the banks that we can't really answer
  • 54:03 - 54:07
    but as long as they're convered by insurances
  • 54:07 - 54:08
    they don't really have to care
  • 54:08 - 54:10
    which is of course kind of short sighted
  • 54:10 - 54:14
    but maybe thats how it works
  • 54:15 - 54:20
    okay and now the last question from number 1
  • 54:20 - 54:26
    hi there, I was just curious about this particular ATM model
  • 54:26 - 54:32
    if we're framing this picture of this is let's say the state of security and ATM technology
  • 54:32 - 54:38
    or if it's just let's say an example for how to not build an ATM
  • 54:38 - 54:41
    I mean are these bad guys simply the first who found out
  • 54:41 - 54:43
    well it's basically that simple
  • 54:43 - 54:48
    or is it just let's say a really bad model, they have exploiting?
  • 54:51 - 54:54
    that all depends on the original cash client
  • 54:54 - 55:00
    so the teller machines are all the same, but every bank has an own cash client
  • 55:00 - 55:07
    it's an own software which is really doing the cashing out
  • 55:07 - 55:09
    and they're all different
  • 55:09 - 55:13
    and you have to develop the malware exactly for just one cash client
  • 55:13 - 55:16
    because it won't work on others
  • 55:16 - 55:18
    I mean, sorry
  • 55:19 - 55:22
    I mean also speaking about this physical security
  • 55:22 - 55:24
    I mean, having an easy accessible USB port
  • 55:24 - 55:30
    and booting USB images without any additional security measure
  • 55:30 - 55:32
    I mean, is this state of the art?
  • 55:33 - 55:35
    no, it's not
  • 55:35 - 55:37
    actually this has been fixed
  • 55:37 - 55:39
    because there is an whole disk encryption in place now
  • 55:39 - 55:42
    that just prevents this way of attack
  • 55:42 - 55:50
    but yeah, it's not at all teller machine currently implemented
  • 55:50 - 55:53
    so yes, it's kind of state of the art
  • 55:53 - 55:56
    yeah, great, thank you
  • 55:56 - 55:58
    okay then now
  • 55:58 - 56:04
    thank you to our security researchers
  • 56:04 - 56:07
    give them a great and warm applause, please
  • 56:07 - 56:10
    thanks for coming, thank you
  • 56:10 - 56:19
    subtitles created by c3subtitles.de
Title:
Electronic Bank Robberies
Video Language:
English
Duration:
56:19

English subtitles

Revisions