Vulnerabilities / Threats
12/21/2016
08:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

'Alice' Malware Loots ATMs

Trend Micro has an alert about a new bare-bones ATM malware family it recently uncovered.

Malware samples these days often pack a bewildering array of functions and have an almost Swiss army knife-like quality about them. One exception is Alice, a new ATM malware family that security vendor Trend Micro discovered recently.

The malware, according to Trend Micro, is about as bare-bones as it gets and appears designed for the sole purpose of emptying an ATM of its cash. Based on when its executable was compiled, Alice appears to have been in the wild since at least October 2014.

Unlike other ATM malware samples that Trend Micro has analyzed, the only function that Alice has is one that it uses to connect to the currency dispenser peripheral in the ATM. Alice makes no attempt to connect to other ATM hardware such as the machine’s PIN pad, so it's not controlled by commands issued via the PIN pad. It also has no elaborate install or uninstall process, and works simply by running the executable in the target environment.

Alice's design suggests that in order to use it, a criminal would need to physically open up an ATM and infect the system using a CD-ROM or an USB. They would then need to connect a keyboard to the machine’s motherboard to operate the malware, the researchers said.

Alice works with ATMs from different manufacturers such as NCR, Wincor-Nixdorf, and others, says Trend Micro senior threat researcher Numaan Huq.

"The malware, based on the PE header timestamp, has been around since late-2014, but wasn’t detected by AV vendors," Huq says. "Even when we were investigating it in November 2016, there were no detections for the files in Virus Total. So the premise is Alice has been around 'in-the-wild' for quite some time, but unfortunately we don’t know how extensive the victim list is."

To get an infected machine to dispense cash, the attacker needs to enter a specific four digit PIN using the keyboard connected to the motherboard. If the correct PIN is entered, the malware pops up a sort of operator panel on the ATM display listing all the cassettes containing money in the machine.

By entering each cassette number in the operator panel, the attacker can get an ATM to dispense all of its cash. Most ATMs have a 40-currency note limit when dispensing cash. To address this, Alice dynamically keeps updating the stored cash levels in each cassette and displays it in the operator panel so the attacker knows when they are closing to emptying the cassette, the Trend Micro alert said.

Ordinarily, the only way to access the cash stored in an ATM’s cassette in an unauthorized fashion would be to blow them up, Hassan says. "The money is stored in a secure safe place that can only be opened by the bank of an armored transport company," he says. "You’d have to blow up the safe with explosives to access the cash cartridges inside and steal the money."

A tool like Alice offers a way around the need for such drastic measures: all an attacker needs is access to an ATM's internals. And that can be accomplished easily by purchasing a key to the ATM’s housing from publicly available sources, Huq says. "That allows you to access the ATM’s internals, infect the ATM with malware, and get it to dispense all the stored cash,” he said. “[It] saves blowing up the poor ATM."

It's possible that Alice can also be operated remotely over RDP without having to open up each machine, Huq says. But because Trend Micro hasn’t been able to corroborate that capability it remains just a theory for the moment, he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
12/22/2016 | 3:23:53 AM
A Redesign is in Order
It's a beautiful piece of work, Alice.  However the beauty isn't solely in the simplicity of the malware, but also in it revealing the shortsightedness of the ATM design, from the outer ATM casing down to the computing.  Seriously, I don't know if anyone reading this article has read the Payment Card Industry Data Security Standards for ATM security (a favorite of mine is PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI)).  I can tell you, though, that some ATM manufacturers and implementation teams are not reading them closely enough.  There is clearly a disconnect between the masters of the ATM hardware and the keepers of ATM software, because someone thinks designing an ATM that can be opened with a key from the front to give access to computing hardware (that these standards clearly illuminate as vulnerable if not well protected) is OK.  Yeah, sure.  And lets also start designing safes that may hold several million dollars in cash and gold with wall protrusions accessible to the public, opened with just a single key, and code-protected via software on hardware exposed once that panel door is opened, whether legally or otherwise.  Sure, ATMs don't hold millions of dollars, but because of the sad stae of their design model, much much more money that that is vanishing from ATMs.  (Not all bank ATMs have the same flawed access design.)

A redesign is seriously in order.  Check out the International Journal of Software Science and Computational Intelligence, 2(1), 102-131, January-March 2010, "The Formal Design Model of an Automatic Teller Machine (ATM)". This paper demonstrates that "the ATM system, including its architecture, static behaviors, and  dynamic  behaviors,  can  be  essentially  and  sufficiently  described  by  RTPA. The  experimental  case  study  has  shown  that  the  formal  specification  and  modeling  of  the ATM  system are helpful for improving safety operations and quality services of the system."  Moving in this direction on the software side, then partnering more rigidly designed secure software with a better ATM hardware model will benefit everyone in the long run, rendering Alice and her cousins inoperable.  Here's a couple ideas:

1) For stand-alone ATMs, design the lower cabinet where the safe is located to house the CPU.  If someone actually does get the front of the lower cabinet opened, they're met with a steel cube that would cost more to get opened than is actually inside, protecting the money and the CPU.  And don't make the frickin casing key-based. For wall-embedded ATMs, again, bury the CPU in a steel safe where the money is held.  Ditto on the key thing.

2) Use some formal modeling methods like RTPA outlined in the ATM paper noted above to write better ATM software that will not be compatible with most malware attempts if somehow a person got past all the nifty newly redesigned ATM hardware (in other words, friendly fire - inside jobs).  Make ATM logic less predictable, separate each state with more secure transitions, etc.  

Just don't make it so easy.  Insecure design is a calling card - an invitation - to reveal it.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.