Dark Reading is part of the Informa Tech Division of Informa PLC


'Alice' Malware Loots ATMs

Trend Micro has an alert about a new bare-bones ATM malware family it recently uncovered.

Malware samples these days often pack a bewildering array of functions and have an almost Swiss army knife-like quality about them. One exception is Alice, a new ATM malware family that security vendor Trend Micro discovered recently.

The malware, according to Trend Micro, is about as bare-bones as it gets and appears designed for the sole purpose of emptying an ATM of its cash. Based on when its executable was compiled, Alice appears to have been in the wild since at least October 2014.

Unlike other ATM malware samples that Trend Micro has analyzed, Alice has a single function: connecting to the ATM's currency dispenser peripheral. Alice makes no attempt to connect to other ATM hardware such as the machine's PIN pad, so it is not controlled by commands issued via the PIN pad. It also has no elaborate install or uninstall process, and works simply by running the executable in the target environment.

Alice's design suggests that in order to use it, a criminal would need to physically open up an ATM and infect the system using a CD-ROM or a USB drive. They would then need to connect a keyboard to the machine's motherboard to operate the malware, the researchers said.

Alice works with ATMs from different manufacturers such as NCR, Wincor-Nixdorf, and others, says Trend Micro senior threat researcher Numaan Huq.

"The malware, based on the PE header timestamp, has been around since late-2014, but wasn’t detected by AV vendors," Huq says. "Even when we were investigating it in November 2016, there were no detections for the files in Virus Total. So the premise is Alice has been around 'in-the-wild' for quite some time, but unfortunately we don’t know how extensive the victim list is."

To get an infected machine to dispense cash, the attacker needs to enter a specific four-digit PIN using the keyboard connected to the motherboard. If the correct PIN is entered, the malware pops up a sort of operator panel on the ATM display listing all the cassettes containing money in the machine.

By entering each cassette number in the operator panel, the attacker can get an ATM to dispense all of its cash. Most ATMs limit a single dispense operation to 40 notes. To work around this, Alice continuously updates the stored cash level of each cassette and displays it in the operator panel, so the attacker knows when a cassette is close to empty, the Trend Micro alert said.

Ordinarily, the only way to access the cash stored in an ATM's cassettes in an unauthorized fashion would be to blow them up, Hassan says. "The money is stored in a secure safe place that can only be opened by the bank of an armored transport company," he says. "You'd have to blow up the safe with explosives to access the cash cartridges inside and steal the money."

A tool like Alice offers a way around the need for such drastic measures: all an attacker needs is access to an ATM's internals. And that can be accomplished easily by purchasing a key to the ATM's housing from publicly available sources, Huq says. "That allows you to access the ATM's internals, infect the ATM with malware, and get it to dispense all the stored cash," he says. "[It] saves blowing up the poor ATM."

It's possible that Alice can also be operated remotely over RDP without having to open up each machine, Huq says. But because Trend Micro hasn't been able to corroborate that capability, it remains just a theory for the moment, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
12/22/2016 | 3:23:53 AM
A Redesign is in Order
It's a beautiful piece of work, Alice. However, the beauty isn't solely in the simplicity of the malware, but also in its revealing the shortsightedness of the ATM design, from the outer ATM casing down to the computing. Seriously, I don't know if anyone reading this article has read the Payment Card Industry Data Security Standards for ATM security (a favorite of mine is PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI)). I can tell you, though, that some ATM manufacturers and implementation teams are not reading them closely enough. There is clearly a disconnect between the masters of the ATM hardware and the keepers of ATM software, because someone thinks designing an ATM that can be opened with a key from the front to give access to computing hardware (which these standards clearly illuminate as vulnerable if not well protected) is OK. Yeah, sure. And let's also start designing safes that may hold several million dollars in cash and gold with wall protrusions accessible to the public, opened with just a single key, and code-protected via software on hardware exposed once that panel door is opened, whether legally or otherwise. Sure, ATMs don't hold millions of dollars, but because of the sad state of their design model, much, much more money than that is vanishing from ATMs. (Not all bank ATMs have the same flawed access design.)

A redesign is seriously in order. Check out the International Journal of Software Science and Computational Intelligence, 2(1), 102-131, January-March 2010, "The Formal Design Model of an Automatic Teller Machine (ATM)". This paper demonstrates that "the ATM system, including its architecture, static behaviors, and dynamic behaviors, can be essentially and sufficiently described by RTPA. The experimental case study has shown that the formal specification and modeling of the ATM system are helpful for improving safety operations and quality services of the system." Moving in this direction on the software side, then partnering more rigidly designed secure software with a better ATM hardware model, will benefit everyone in the long run, rendering Alice and her cousins inoperable. Here are a couple of ideas:

1) For stand-alone ATMs, design the lower cabinet where the safe is located to house the CPU. If someone actually does get the front of the lower cabinet opened, they're met with a steel cube that would cost more to get opened than is actually inside, protecting the money and the CPU. And don't make the frickin' casing key-based. For wall-embedded ATMs, again, bury the CPU in a steel safe where the money is held. Ditto on the key thing.

2) Use some formal modeling methods like RTPA, outlined in the ATM paper noted above, to write better ATM software that will not be compatible with most malware attempts if somehow a person got past all the nifty newly redesigned ATM hardware (in other words, friendly fire - inside jobs). Make ATM logic less predictable, separate each state with more secure transitions, etc.

Just don't make it so easy.  Insecure design is a calling card - an invitation - to reveal it.