A backdoor program that dispenses cash on command has been detected on
automated teller machines in multiple countries, although mostly in
Russia. Kaspersky Lab reports that
the program, designated Backdoor.MSIL.Tyupkin, requires physical access
to the ATM system and booting it from a CD to install the malware.
The malware is now widely detected by security software. It is a 32-bit Windows .NET assembly and affects devices from "a major ATM manufacturer."
Once installed, the malware waits for a user to enter a specific key
sequence on the keypad. The sequence is freshly generated for each
session, so the ATM user needs to receive it from the gang that
installed the malware and knows the algorithm. Once the initial key
sequence is entered, the user at the ATM calls the gang and receives
another code specific to the session. All this allows the gang to
precisely control the cash obtained.
Once the second key is entered, the malware displays the amount of
money in each cash "cassette," and releases 40 notes at a time from the
specified cassette.
The malware only accepts commands to dispense cash at specific times
on Sunday and Monday nights. Kaspersky says this is to make the scam
harder to spot, but it also allows the ringleaders to be on duty to
provide codes when the attacks are being performed.
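
As an added example (not from the Kaspersky report or this article), the two behaviours described above, 40-note dispenses and the Sunday/Monday night window, can be turned into a check over ATM journal records. The journal line format, the 22:00-06:00 definition of "night" and the `auth` field are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed journal lines (hypothetical format, not a real ATM log format):
# timestamp, event, cassette, note count, host authorization id ("-" = none)
SAMPLE_JOURNAL = """\
2014-10-05T14:12:09 DISPENSE cassette=2 notes=4 auth=A10233
2014-10-05T23:41:17 DISPENSE cassette=1 notes=40 auth=-
2014-10-05T23:42:02 DISPENSE cassette=1 notes=40 auth=-
2014-10-07T02:15:40 DISPENSE cassette=3 notes=40 auth=-
2014-10-08T23:50:00 DISPENSE cassette=1 notes=40 auth=A10977
2014-10-09T01:05:31 DISPENSE cassette=2 notes=40 auth=-
"""

NOTES_PER_DISPENSE = 40          # from the article: 40 notes released at a time
ACTIVE_NIGHTS = {6, 0}           # Sunday=6, Monday=0 in datetime.weekday()
NIGHT_START, NIGHT_END = 22, 6   # assumed window; the article gives no hours

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DISPENSE cassette=(?P<cassette>\d+) "
    r"notes=(?P<notes>\d+) auth=(?P<auth>\S+)$")

def in_active_window(ts):
    """True if ts falls in a Sunday or Monday night (evening through next morning)."""
    if NIGHT_END <= ts.hour < NIGHT_START:
        return False
    # Early-morning hours belong to the night that started the previous day.
    night_of = ts - timedelta(days=1) if ts.hour < NIGHT_END else ts
    return night_of.weekday() in ACTIVE_NIGHTS

def find_suspect_dispenses(journal):
    """Return dispense events matching both indicators stated in the article."""
    hits = []
    for line in journal.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not dispense records
        ts = datetime.fromisoformat(m["ts"])
        notes = int(m["notes"])
        if notes == NOTES_PER_DISPENSE and in_active_window(ts):
            hits.append({"time": ts, "cassette": int(m["cassette"]),
                         "notes": notes, "unauthorized": m["auth"] == "-"})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_dispenses(SAMPLE_JOURNAL):
        print(hit)
```

The `unauthorized` field is reported as corroboration only; whether a dispense can be matched to a host authorization depends on the journal source, which this example assumes.
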
The Kaspersky report does not say how attackers gain physical access
to the systems, but clearly it involves a breakdown of physical
security. Other software security measures, such as hard disk encryption
and BIOS passwords, might have blocked the attack.
Kaspersky reports that
they have received 20 reports of Backdoor.MSIL.Tyupkin from Russia,
four from France, two each from Israel and China and one each from
India, the U.S. and Malaysia.