Vulnerabilities / Threats

12/21/2016
08:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

'Alice' Malware Loots ATMs

Trend Micro has an alert about a new bare-bones ATM malware family it recently uncovered.

Malware samples these days often pack a bewildering array of functions and have an almost Swiss army knife-like quality about them. One exception is Alice, a new ATM malware family that security vendor Trend Micro discovered recently.

The malware, according to Trend Micro, is about as bare-bones as it gets and appears designed for the sole purpose of emptying an ATM of its cash. Based on when its executable was compiled, Alice appears to have been in the wild since at least October 2014.

Unlike other ATM malware samples that Trend Micro has analyzed, the only function that Alice has is one that it uses to connect to the currency dispenser peripheral in the ATM. Alice makes no attempt to connect to other ATM hardware such as the machine’s PIN pad, so it's not controlled by commands issued via the PIN pad. It also has no elaborate install or uninstall process, and works simply by running the executable in the target environment.

Alice's design suggests that in order to use it, a criminal would need to physically open up an ATM and infect the system using a CD-ROM or an USB. They would then need to connect a keyboard to the machine’s motherboard to operate the malware, the researchers said.

Alice works with ATMs from different manufacturers such as NCR, Wincor-Nixdorf, and others, says Trend Micro senior threat researcher Numaan Huq.

"The malware, based on the PE header timestamp, has been around since late-2014, but wasn’t detected by AV vendors," Huq says. "Even when we were investigating it in November 2016, there were no detections for the files in Virus Total. So the premise is Alice has been around 'in-the-wild' for quite some time, but unfortunately we don’t know how extensive the victim list is."

To get an infected machine to dispense cash, the attacker needs to enter a specific four digit PIN using the keyboard connected to the motherboard. If the correct PIN is entered, the malware pops up a sort of operator panel on the ATM display listing all the cassettes containing money in the machine.

By entering each cassette number in the operator panel, the attacker can get an ATM to dispense all of its cash. Most ATMs have a 40-currency note limit when dispensing cash. To address this, Alice dynamically keeps updating the stored cash levels in each cassette and displays it in the operator panel so the attacker knows when they are closing to emptying the cassette, the Trend Micro alert said.

Ordinarily, the only way to access the cash stored in an ATM’s cassette in an unauthorized fashion would be to blow them up, Hassan says. "The money is stored in a secure safe place that can only be opened by the bank of an armored transport company," he says. "You’d have to blow up the safe with explosives to access the cash cartridges inside and steal the money."

A tool like Alice offers a way around the need for such drastic measures: all an attacker needs is access to an ATM's internals. And that can be accomplished easily by purchasing a key to the ATM’s housing from publicly available sources, Huq says. "That allows you to access the ATM’s internals, infect the ATM with malware, and get it to dispense all the stored cash,” he said. “[It] saves blowing up the poor ATM."

It's possible that Alice can also be operated remotely over RDP without having to open up each machine, Huq says. But because Trend Micro hasn’t been able to corroborate that capability it remains just a theory for the moment, he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
12/22/2016 | 3:23:53 AM
A Redesign is in Order
It's a beautiful piece of work, Alice.  However the beauty isn't solely in the simplicity of the malware, but also in it revealing the shortsightedness of the ATM design, from the outer ATM casing down to the computing.  Seriously, I don't know if anyone reading this article has read the Payment Card Industry Data Security Standards for ATM security (a favorite of mine is PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI)).  I can tell you, though, that some ATM manufacturers and implementation teams are not reading them closely enough.  There is clearly a disconnect between the masters of the ATM hardware and the keepers of ATM software, because someone thinks designing an ATM that can be opened with a key from the front to give access to computing hardware (that these standards clearly illuminate as vulnerable if not well protected) is OK.  Yeah, sure.  And lets also start designing safes that may hold several million dollars in cash and gold with wall protrusions accessible to the public, opened with just a single key, and code-protected via software on hardware exposed once that panel door is opened, whether legally or otherwise.  Sure, ATMs don't hold millions of dollars, but because of the sad stae of their design model, much much more money that that is vanishing from ATMs.  (Not all bank ATMs have the same flawed access design.)

A redesign is seriously in order.  Check out the International Journal of Software Science and Computational Intelligence, 2(1), 102-131, January-March 2010, "The Formal Design Model of an Automatic Teller Machine (ATM)". This paper demonstrates that "the ATM system, including its architecture, static behaviors, and  dynamic  behaviors,  can  be  essentially  and  sufficiently  described  by  RTPA. The  experimental  case  study  has  shown  that  the  formal  specification  and  modeling  of  the ATM  system are helpful for improving safety operations and quality services of the system."  Moving in this direction on the software side, then partnering more rigidly designed secure software with a better ATM hardware model will benefit everyone in the long run, rendering Alice and her cousins inoperable.  Here's a couple ideas:

1) For stand-alone ATMs, design the lower cabinet where the safe is located to house the CPU.  If someone actually does get the front of the lower cabinet opened, they're met with a steel cube that would cost more to get opened than is actually inside, protecting the money and the CPU.  And don't make the frickin casing key-based. For wall-embedded ATMs, again, bury the CPU in a steel safe where the money is held.  Ditto on the key thing.

2) Use some formal modeling methods like RTPA outlined in the ATM paper noted above to write better ATM software that will not be compatible with most malware attempts if somehow a person got past all the nifty newly redesigned ATM hardware (in other words, friendly fire - inside jobs).  Make ATM logic less predictable, separate each state with more secure transitions, etc.  

Just don't make it so easy.  Insecure design is a calling card - an invitation - to reveal it.
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
CVE-2018-6411
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.