What got this into the news last week is that the criminals managed to develop Ploutus into something they could control from their cellphones. That, and the fact that Microsoft is discontinuing support for Windows XP within a couple of weeks, XP being the common OS on ATMs.
There are two versions of the malware, Ploutus and Ploutus.B, both developed for NCR systems.
The story goes that criminals opened up ATMs, got at the CD-ROM drive and installed Ploutus from a boot disc. This dropped ploutusservice.exe, which on execution loads a few DLLs and registers a service called ‘NCRDRVP’. Among other things (like rendering a GUI), the service sets up a listener on a socket and waits for incoming commands.
It seems that the malware gained system privileges by booting from the CD, rather than using any software vulnerabilities normally associated with malware, and I get the impression it was using native Windows XP and NCR engineering functions after gaining system privileges.
According to the timestamp of the executable that SpiderLabs uploaded to VirusTotal, it was built in late August 2013 – or perhaps that was the date SpiderLabs performed their own installation. Bear in mind that a PE compile timestamp is written by the build tools and can be edited at will, so it's a weak indicator on its own. Several anti-malware engines identified the file as a Trojan or backdoor under various names.
Symantec got hold of Ploutus on 4th September 2013, quite a short time after the malware was apparently created, and classified it as a low-level threat with minimal impact (an important point here). Fewer than 49 ATMs were known to be compromised then, which, together with the absence of samples in circulation, suggested the malware was, and still is, in the hands of a small group operating offline. This idea is also supported by the fact that Ploutus was developed in .NET, which is relatively easy to reverse engineer, and so suggests the creators never intended to trade it with others.
Perhaps after field testing Ploutus as proof-of-concept in Mexico, the criminals decided to use a modified version in the United States with a feature that enabled communication with the backdoor through SMS messaging.
This successor, Ploutus.B, is apparently more ‘modular’ than the previous version, but neither Symantec nor SpiderLabs say exactly how. At worst it could potentially be modified to dump any recorded card details and their PINs instead of cash.
What the analysts term the ‘Network Packet Monitor’ was added to the malware as a module that listens for incoming commands arriving over the USB connection between the cellphone and the ATM. The phone is tethered over USB, so to Windows it looks like just another network interface, and the text of an SMS received by the phone is forwarded to the ATM as an ordinary network packet, which the module parses for a numeric command. One of the numbers being sent could conceivably be a series of machine code instructions encoded in denary (decimal) form.
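The indicators on this page (a service named NCRDRVP, a ploutusservice.exe process, and a socket listener fed by a USB-tethered phone) are enough to write a simple host check. The following is an added example, not code from the original post or from any vendor: it parses constructed `sc query`, `tasklist` and `netstat -ano` output as it would appear on a Windows XP host and flags those indicators, plus a payload heuristic for the SMS-relayed command. The PIDs, port 5000, the 192.168.42.2 tethered-link address, the listener allowlist and the digits-only payload rule are all assumptions made for the demonstration.

```python
import re

# Constructed sample output from a Windows XP ATM host (hand-written for this
# example, not real captures). The service name NCRDRVP and the executable
# ploutusservice.exe are the indicators given in the write-up above; the PIDs,
# port 5000 and the addresses are invented. 192.168.42.2 is assumed to be the
# address the ATM picked up on the USB-tethered link to the phone.
SC_QUERY = """\
SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: NCRDRVP
DISPLAY_NAME: NCRDRVP
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    892 Console                    0      4,512 K
ploutusservice.exe            1344 Console                    0     18,204 K
"""

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1344
  UDP    192.168.42.2:5000      *:*                                    1344
"""

SERVICE_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)\s*$", re.M)
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# UDP rows on Windows have no State column, hence the optional group.
SOCK_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Processes expected to own listening sockets on this host. An assumption for
# the demo; a real check would use the vendor's baseline for the build.
EXPECTED_LISTENERS = frozenset({"System", "svchost.exe", "lsass.exe"})


def parse_services(text):
    """Service names from `sc query` output."""
    return SERVICE_RE.findall(text)


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def parse_netstat(text):
    """Socket records from `netstat -ano` output."""
    socks = []
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            socks.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state or "", "pid": int(pid)})
    return socks


def find_indicators(services, procs, socks, expected=EXPECTED_LISTENERS):
    """Return human-readable findings for the indicators named in the post."""
    findings = []
    if "NCRDRVP" in services:
        findings.append("service NCRDRVP is installed")
    for pid, name in procs.items():
        if name.lower() == "ploutusservice.exe":
            findings.append(f"ploutusservice.exe running as PID {pid}")
    for s in socks:
        # A bound UDP socket is a listener too, even without a State column.
        listening = s["state"] == "LISTENING" or s["proto"] == "UDP"
        owner = procs.get(s["pid"], "<unknown>")
        if listening and owner not in expected:
            findings.append(f"{owner} (PID {s['pid']}) listens on {s['proto']} {s['local']}")
    return findings


DIGITS_ONLY = re.compile(rb"^\d{8,}$")


def looks_like_sms_command(payload):
    """True if a datagram payload is nothing but a long run of ASCII digits,
    the shape of a relayed SMS command as described above. A constructed
    heuristic for packets seen on the tethered interface, not a signature."""
    return bool(DIGITS_ONLY.match(payload.strip()))


if __name__ == "__main__":
    found = find_indicators(parse_services(SC_QUERY), parse_tasklist(TASKLIST),
                            parse_netstat(NETSTAT_ANO))
    for f in found:
        print("ALERT:", f)
    print(looks_like_sms_command(b"12345678901234\r\n"))
```

On the sample above the check reports the service, the process, and its TCP and UDP listeners; the UDP socket bound to the tethered-link address is the one that matters for Ploutus.B, since that is where the phone's forwarded SMS would arrive.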
The Physical Element
When someone mentions ‘ATMs’, the first thing that comes to mind is the cash machines installed around banks, which are physically very secure and strategically placed so that tampering with them would draw attention.
However, in this case the targets are stand-alone units installed in shops, shopping centres, car parks, alleyways, etc. With cash being the critical asset, usually it's only the compartment storing it that's secure. The upper part, where the disc drive and ports are found, is typically protected by a door with a standard tumbler lock, and anyone impersonating a service engineer while using a lock-picking kit has a reasonable chance of access. Maybe not even that – I looked up an old YouTube vid of Barnaby Jack's research, where he said at least one ATM manufacturer supplies master keys that will open any of its units.
Now, if the people behind Ploutus somehow acquired their own ATM at some point, they would have had a key to it, and that would also explain how they managed to develop working malware for the platform in the first place.
So what picture forms when the details are put together? A lot of security firms (and governments) like to throw the words ‘cyber’ and ‘sophisticated’ around a little too much, whether that’s to hype ‘threats’ or as an excuse when someone screws up.
But here the story is essentially about someone running their own software on a Windows XP machine after exploiting weaknesses in physical security. It's impressive because machines that were held to be secure were completely owned by a simple (but very clever) hack, and that should be seen in the context of past ATM skimming efforts and suchlike.
Another thing to note is that it's a computer-related crime, but not an Internet-based one. Since only the larger firms have the malware samples, and it has only spread from Mexico to the United States over the last six months, we can reasonably assume the culprits were (and still are) keeping it to themselves as a profitable tool, and that it's quite a small operation. I'm guessing they're highly skilled, intelligent and methodical programmers, but they're not yet experienced criminals with the means to sell malware anonymously.