Vulnerabilities / Threats

08:45 PM
Connect Directly

'Alice' Malware Loots ATMs

Trend Micro has an alert about a new bare-bones ATM malware family it recently uncovered.

Malware samples these days often pack a bewildering array of functions and have an almost Swiss army knife-like quality about them. One exception is Alice, a new ATM malware family that security vendor Trend Micro discovered recently.

The malware, according to Trend Micro, is about as bare-bones as it gets and appears designed for the sole purpose of emptying an ATM of its cash. Based on when its executable was compiled, Alice appears to have been in the wild since at least October 2014.

Unlike other ATM malware samples that Trend Micro has analyzed, the only function that Alice has is one that it uses to connect to the currency dispenser peripheral in the ATM. Alice makes no attempt to connect to other ATM hardware such as the machine’s PIN pad, so it's not controlled by commands issued via the PIN pad. It also has no elaborate install or uninstall process, and works simply by running the executable in the target environment.

Alice's design suggests that in order to use it, a criminal would need to physically open up an ATM and infect the system using a CD-ROM or an USB. They would then need to connect a keyboard to the machine’s motherboard to operate the malware, the researchers said.

Alice works with ATMs from different manufacturers such as NCR, Wincor-Nixdorf, and others, says Trend Micro senior threat researcher Numaan Huq.

"The malware, based on the PE header timestamp, has been around since late-2014, but wasn’t detected by AV vendors," Huq says. "Even when we were investigating it in November 2016, there were no detections for the files in Virus Total. So the premise is Alice has been around 'in-the-wild' for quite some time, but unfortunately we don’t know how extensive the victim list is."

To get an infected machine to dispense cash, the attacker needs to enter a specific four digit PIN using the keyboard connected to the motherboard. If the correct PIN is entered, the malware pops up a sort of operator panel on the ATM display listing all the cassettes containing money in the machine.

By entering each cassette number in the operator panel, the attacker can get an ATM to dispense all of its cash. Most ATMs have a 40-currency note limit when dispensing cash. To address this, Alice dynamically keeps updating the stored cash levels in each cassette and displays it in the operator panel so the attacker knows when they are closing to emptying the cassette, the Trend Micro alert said.

Ordinarily, the only way to access the cash stored in an ATM’s cassette in an unauthorized fashion would be to blow them up, Hassan says. "The money is stored in a secure safe place that can only be opened by the bank of an armored transport company," he says. "You’d have to blow up the safe with explosives to access the cash cartridges inside and steal the money."

A tool like Alice offers a way around the need for such drastic measures: all an attacker needs is access to an ATM's internals. And that can be accomplished easily by purchasing a key to the ATM’s housing from publicly available sources, Huq says. "That allows you to access the ATM’s internals, infect the ATM with malware, and get it to dispense all the stored cash,” he said. “[It] saves blowing up the poor ATM."

It's possible that Alice can also be operated remotely over RDP without having to open up each machine, Huq says. But because Trend Micro hasn’t been able to corroborate that capability it remains just a theory for the moment, he says.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
Christian Bryant,
User Rank: Ninja
12/22/2016 | 3:23:53 AM
A Redesign is in Order
It's a beautiful piece of work, Alice.  However the beauty isn't solely in the simplicity of the malware, but also in it revealing the shortsightedness of the ATM design, from the outer ATM casing down to the computing.  Seriously, I don't know if anyone reading this article has read the Payment Card Industry Data Security Standards for ATM security (a favorite of mine is PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI)).  I can tell you, though, that some ATM manufacturers and implementation teams are not reading them closely enough.  There is clearly a disconnect between the masters of the ATM hardware and the keepers of ATM software, because someone thinks designing an ATM that can be opened with a key from the front to give access to computing hardware (that these standards clearly illuminate as vulnerable if not well protected) is OK.  Yeah, sure.  And lets also start designing safes that may hold several million dollars in cash and gold with wall protrusions accessible to the public, opened with just a single key, and code-protected via software on hardware exposed once that panel door is opened, whether legally or otherwise.  Sure, ATMs don't hold millions of dollars, but because of the sad stae of their design model, much much more money that that is vanishing from ATMs.  (Not all bank ATMs have the same flawed access design.)

A redesign is seriously in order.  Check out the International Journal of Software Science and Computational Intelligence, 2(1), 102-131, January-March 2010, "The Formal Design Model of an Automatic Teller Machine (ATM)". This paper demonstrates that "the ATM system, including its architecture, static behaviors, and  dynamic  behaviors,  can  be  essentially  and  sufficiently  described  by  RTPA. The  experimental  case  study  has  shown  that  the  formal  specification  and  modeling  of  the ATM  system are helpful for improving safety operations and quality services of the system."  Moving in this direction on the software side, then partnering more rigidly designed secure software with a better ATM hardware model will benefit everyone in the long run, rendering Alice and her cousins inoperable.  Here's a couple ideas:

1) For stand-alone ATMs, design the lower cabinet where the safe is located to house the CPU.  If someone actually does get the front of the lower cabinet opened, they're met with a steel cube that would cost more to get opened than is actually inside, protecting the money and the CPU.  And don't make the frickin casing key-based. For wall-embedded ATMs, again, bury the CPU in a steel safe where the money is held.  Ditto on the key thing.

2) Use some formal modeling methods like RTPA outlined in the ATM paper noted above to write better ATM software that will not be compatible with most malware attempts if somehow a person got past all the nifty newly redesigned ATM hardware (in other words, friendly fire - inside jobs).  Make ATM logic less predictable, separate each state with more secure transitions, etc.  

Just don't make it so easy.  Insecure design is a calling card - an invitation - to reveal it.
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Pat Osborne, Principal - Executive Consultant at Outhaul Consulting, LLC, & Cybersecurity Advisor for the Security Innovation Center,  3/12/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.