1
00:00:09,460 --> 00:00:15,340
everyone, I think, knows ATMs, has used ATMs

2
00:00:15,340 --> 00:00:20,180
and our security researchers there

3
00:00:20,180 --> 00:00:28,700
have something very interesting to tell us about electronic bank robberies

4
00:00:28,700 --> 00:00:39,634
and because of that, please welcome our two security researchers with very warm applause

5
00:00:46,820 --> 00:00:48,100
tw: are we on?

6
00:00:48,100 --> 00:00:49,099
okay, well

7
00:00:49,114 --> 00:00:51,540
welcome to our little talk here

8
00:00:51,540 --> 00:00:54,100
and thanks for the introduction

9
00:00:54,100 --> 00:00:58,140
as the angel said, I guess everybody knows what an ATM is

10
00:00:58,140 --> 00:01:02,600
it's basically used by people to dispense money from their accounts

11
00:01:02,600 --> 00:01:06,180
either because they live in countries like this one

12
00:01:06,180 --> 00:01:09,260
where you really don't use credit cards to pay

13
00:01:09,260 --> 00:01:13,940
or because you don't wanna be tracked, right?

14
00:01:13,940 --> 00:01:19,600
we're gonna tell a little war story here

15
00:01:19,600 --> 00:01:22,459
and that's a case of ATM hacking

16
00:01:22,459 --> 00:01:26,980
a real world incident that occurred this year

17
00:01:26,980 --> 00:01:29,620
and you wanna remember this number here

18
00:01:29,620 --> 00:01:35,420
because that's how you enable the hacked system

19
00:01:35,420 --> 00:01:37,460
in case it's infected

20
00:01:37,460 --> 00:01:41,380
and I'm gonna hand over to my co-speaker here

21
00:01:41,380 --> 00:01:44,740
to tell you about the first few things here

22
00:01:44,740 --> 00:01:48,700
sb: yeah, okay, so let's just have a quick look

23
00:01:48,700 --> 00:01:51,500
what do we have in a cash machine

24
00:01:51,500 --> 00:01:54,100
so of course we have a safe

25
00:01:54,100 --> 00:01:55,939
that's where we want to get in

26
00:01:55,939 --> 00:01:57,980
there's the money we want to spend

27
00:01:57,980 --> 00:02:00,980
so of course we have a normal computer

28
00:02:00,980 --> 00:02:02,900
it's like a desktop computer

29
00:02:02,900 --> 00:02:06,380
mostly it's running a normal operating system

30
00:02:06,380 --> 00:02:08,779
most likely it's Windows XP

31
00:02:08,779 --> 00:02:16,504
and with just a few different manufacturers that build the teller machines

32
00:02:16,504 --> 00:02:19,214
and, yes

33
00:02:19,214 --> 00:02:22,420
we as users use a common user interface

34
00:02:22,420 --> 00:02:25,700
it's just a screen - most likely it's a touchscreen

35
00:02:25,700 --> 00:02:28,300
or then we have the EPP number pads

36
00:02:28,300 --> 00:02:32,140
where we enter the PIN for our card

37
00:02:32,140 --> 00:02:34,220
tw: one thing I would like to add to this slide

38
00:02:34,220 --> 00:02:37,140
you see the picture on the right hand side

39
00:02:37,140 --> 00:02:41,780
that's a photo we took yesterday when we arrived here at Hamburg main station

40
00:02:41,780 --> 00:02:46,780
and it's interesting, because this is the state hacked ATMs are usually in

41
00:02:46,780 --> 00:02:49,620
before the bad guys go there and cash out

42
00:02:49,620 --> 00:02:55,500
I don't know - maybe this one is infected, too

43
00:02:55,500 --> 00:03:00,260
sb: this is not the first ATM hacking, of course

44
00:03:00,260 --> 00:03:08,420
the most famous one was from Barnaby at Black Hat in 2010

45
00:03:08,420 --> 00:03:12,340
you see in the screenshot here

46
00:03:12,340 --> 00:03:15,340
this was the user interface of his malware

47
00:03:15,340 --> 00:03:20,740
so from the functionality it's quite alike

48
00:03:20,740 --> 00:03:24,500
but not as nice

49
00:03:24,500 --> 00:03:32,420
tw: has anybody in the room looked at this Ploutus thing by any chance?

50
00:03:32,420 --> 00:03:34,860
no...

51
00:03:34,860 --> 00:03:41,500
sb: okay, so of course we have a lot of POS malware

52
00:03:41,500 --> 00:03:43,620
from mobile terminals

53
00:03:43,620 --> 00:03:46,540
to steal just sensitive information

54
00:03:46,540 --> 00:03:49,820
like the credit card data or payment data or something

55
00:03:49,820 --> 00:03:54,220
and the most famous one this year was the Ploutus malware

56
00:03:54,220 --> 00:03:57,260
probably you've heard about it - quite famous

57
00:03:57,260 --> 00:04:01,180
we had a quick look at Ploutus, too

58
00:04:01,180 --> 00:04:03,140
it was written in .NET

59
00:04:03,140 --> 00:04:06,500
from the functionality it's similar or the same

60
00:04:06,500 --> 00:04:14,660
but not as advanced

61
00:04:14,660 --> 00:04:19,380
why are we standing here and talking about this case?

62
00:04:19,380 --> 00:04:22,460
we had an incident

63
00:04:22,460 --> 00:04:27,200
a bank discovered that they had a lot of

64
00:04:27,200 --> 00:04:30,740
empty teller machines and they started to

65
00:04:30,740 --> 00:04:35,100
do an investigation for themselves

66
00:04:35,100 --> 00:04:40,420
just a little bit of forensics, and it had only limited success

67
00:04:40,420 --> 00:04:45,820
but yeah, they had to do something about it and they stepped up surveillance

68
00:04:45,820 --> 00:04:50,180
and improved monitoring

69
00:04:50,180 --> 00:05:04,820
and they started to discover that the infection was conducted via a USB stick

70
00:05:04,820 --> 00:05:11,420
they managed to arrest the guy and to secure this USB stick

71
00:05:11,420 --> 00:05:16,980
and on the USB stick we found actually that malware and started to examine that

72
00:05:16,980 --> 00:05:19,260
tw: yeah so to re-address that, before we go on

73
00:05:19,260 --> 00:05:23,980
what they did was: they figured "okay there's something going on with our ATMs"

74
00:05:23,980 --> 00:05:28,180
and they improved their surveillance technology, if you will

75
00:05:28,180 --> 00:05:32,420
and then saw that guy trying to cash out from one of the hacked machines

76
00:05:32,420 --> 00:05:34,620
and then they went there, arrested the guy

77
00:05:34,620 --> 00:05:38,540
and confiscated the USB thumb drive that he was carrying

78
00:05:38,540 --> 00:05:43,600
and that's where we started our analysis

79
00:05:43,600 --> 00:05:49,940
right

80
00:05:49,940 --> 00:05:54,220
sb: they plugged in a USB stick

81
00:05:54,220 --> 00:05:59,140
they broke a small part of the chassis

82
00:05:59,140 --> 00:06:03,460
it's just PVC, so it's not hard to break that

83
00:06:03,460 --> 00:06:07,580
and they plugged in a USB device and forced the ATM to reboot

84
00:06:07,580 --> 00:06:10,260
so you can do that by cutting the power off

85
00:06:10,260 --> 00:06:15,260
or taking down the LAN interface or unplugging it

86
00:06:15,260 --> 00:06:22,340
they forced the ATM to reboot and therefore to reboot from the USB device

87
00:06:22,340 --> 00:06:28,380
and what we found on the USB device was just a simple image of Hiren's Boot CD

88
00:06:28,380 --> 00:06:30,540
everyone can just download that

89
00:06:30,540 --> 00:06:35,180
and within that Hiren's Boot CD it's just a mini XP running

90
00:06:35,180 --> 00:06:41,900
and you have a folder where you can just put custom executables

91
00:06:41,900 --> 00:06:48,460
that will automatically be started when the XP is booted

92
00:06:48,460 --> 00:06:53,820
within this custom section we just found our malware

93
00:06:53,820 --> 00:07:00,460
it was a batch that was called hack.bat

94
00:07:00,460 --> 00:07:02,380
just very nice

95
00:07:02,380 --> 00:07:07,620
so actually we thought that this is probably a fake

96
00:07:07,620 --> 00:07:11,460
because they just wanted us to examine the wrong file

97
00:07:11,460 --> 00:07:13,180
to save some time

98
00:07:13,180 --> 00:07:14,940
because it was just that obvious

99
00:07:14,940 --> 00:07:18,540
you will have a look at the bat script afterwards

100
00:07:18,540 --> 00:07:21,100
so you can see what I mean

101
00:07:21,100 --> 00:07:23,260
so yes, it's just a mini-XP

102
00:07:23,260 --> 00:07:26,200
you have the hack.bat

103
00:07:26,200 --> 00:07:31,180
and this will actually start the real malware

104
00:07:31,180 --> 00:07:33,780
the so-called atm.exe

105
00:07:33,780 --> 00:07:43,380
and yeah... what we found then besides the bootable device on the stick were some very interesting files

106
00:07:43,380 --> 00:07:48,180
they were obviously copied from the infected ATM teller machines

107
00:07:48,180 --> 00:07:52,180
we can tell that, because there were three different ones that we found there

108
00:07:52,180 --> 00:07:58,500
and it was very interesting what kind of data were copied from the ATMs

109
00:07:58,500 --> 00:08:03,220
we found data like system data

110
00:08:03,220 --> 00:08:09,420
like for example the software hive key

111
00:08:09,420 --> 00:08:17,500
a lot of files that have cache data, credit card data, payment data, something like that

112
00:08:17,500 --> 00:08:22,260
from each of the infected teller machines

113
00:08:22,260 --> 00:08:26,820
and of course we have our atm.exe

114
00:08:26,820 --> 00:08:28,860
that was really interesting

115
00:08:28,860 --> 00:08:36,300
and we take a quick look at the hack.bat script

116
00:08:36,300 --> 00:08:38,660
so you see, it's very user friendly

117
00:08:38,660 --> 00:08:44,460
because they implemented a lot of very interesting switches

118
00:08:44,460 --> 00:08:54,540
we see, right at the top, that he begins to copy the software hive key of the infected machines

119
00:08:54,540 --> 00:09:01,940
and at first he's checking if the system is already hacked or if he has to do it

120
00:09:01,940 --> 00:09:04,620
the switches you can see here

121
00:09:04,620 --> 00:09:09,140
they are all implemented

122
00:09:09,140 --> 00:09:12,600
the most used one is of course "-hack"

123
00:09:12,600 --> 00:09:16,620
we also see that you have some functionality like clearing log files

124
00:09:16,620 --> 00:09:18,340
or get the log files

125
00:09:18,340 --> 00:09:24,540
this is the part where he copies really interesting data from the teller machines

126
00:09:24,540 --> 00:09:28,300
of course the question is: why does he do that?

127
00:09:28,300 --> 00:09:32,420
we answer that later

128
00:09:32,420 --> 00:09:39,980
it also has functionality so that he can cover his tracks

129
00:09:39,980 --> 00:09:49,340
you can clear all files of the malware and remove it also

130
00:09:49,340 --> 00:09:54,700
a little bit more about the installer of the atm.exe

131
00:09:54,700 --> 00:09:55,940
tw: yeah, thanks

132
00:09:55,940 --> 00:09:57,780
I mean of course we were curious

133
00:09:57,780 --> 00:10:00,540
now that we know how the system gets infected

134
00:10:00,540 --> 00:10:05,600
insert the USB drive, force a reboot and then the batch script runs

135
00:10:05,600 --> 00:10:09,820
we were curious: how does the actual cash out process work?

136
00:10:09,820 --> 00:10:11,980
how do you get money out of the thing?

137
00:10:11,980 --> 00:10:13,740
what we did was

138
00:10:13,740 --> 00:10:16,499
we took this atm.exe file - the executable

139
00:10:16,499 --> 00:10:19,260
and reverse engineered that to recover the functionality

140
00:10:19,260 --> 00:10:24,739
and the next couple of slides talk about what we found in this executable

141
00:10:24,739 --> 00:10:27,200
first of all

142
00:10:27,200 --> 00:10:30,780
the atm.exe is a UPX packed thing

143
00:10:30,780 --> 00:10:33,420
UPX is one of the standard packers

144
00:10:33,420 --> 00:10:38,140
you can easily unpack the original code again

145
00:10:38,140 --> 00:10:41,580
and then we came across an interesting fact

146
00:10:41,580 --> 00:10:44,900
so we unpacked it and loaded it up into our analysis tools

147
00:10:44,900 --> 00:10:46,940
what you can see on the right hand side

148
00:10:46,940 --> 00:10:49,660
it's a little bit blurred, but we hope you can still read it

149
00:10:49,660 --> 00:10:53,300
is IDA Pro, that probably many of you are familiar with

150
00:10:53,300 --> 00:10:56,820
one of the state-of-the-art disassemblers

151
00:10:56,820 --> 00:10:59,580
so we loaded that file up into IDA Pro, took a look at the code

152
00:10:59,580 --> 00:11:02,600
and then we discovered something interesting

153
00:11:02,600 --> 00:11:07,460
we discovered that the original executable contains a resource

154
00:11:07,460 --> 00:11:10,140
if you are a little bit familiar with the PE format

155
00:11:10,140 --> 00:11:12,780
the executable file format on Windows systems

156
00:11:12,780 --> 00:11:17,380
you might know that there are containers that you can use to store additional data

157
00:11:17,380 --> 00:11:19,200
or attach data to a binary

158
00:11:19,200 --> 00:11:20,418
they are called resources

159
00:11:20,418 --> 00:11:24,460
so this binary had a resource and there was some encrypted data in there

160
00:11:24,460 --> 00:11:30,860
which turned out to be a DLL that contains the actual malicious functionality

161
00:11:30,860 --> 00:11:35,220
and the interesting thing is that this resource is XOR-encrypted

162
00:11:35,220 --> 00:11:38,700
now XOR is not a particularly strong encryption scheme

163
00:11:38,700 --> 00:11:41,780
but nevertheless, if the key is long enough

164
00:11:41,780 --> 00:11:43,180
like 4 bytes in this case

165
00:11:43,180 --> 00:11:45,180
I mean you can still probably brute-force it

166
00:11:45,180 --> 00:11:47,260
but well, you know

167
00:11:47,260 --> 00:11:54,620
we figured that every executable that's deployed onto an ATM has the resource

168
00:11:54,620 --> 00:12:01,580
encrypted with a key that is derived from the volume serial

169
00:12:01,580 --> 00:12:04,780
which is an ID that is assigned to a hard drive when it's formatted

170
00:12:04,780 --> 00:12:06,420
by the operating system

171
00:12:06,420 --> 00:12:13,460
that means that every executable that's deployed onto an ATM is tailored specifically for this ATM

172
00:12:13,460 --> 00:12:17,620
so it's not mass-malware that you can install on any ATM

173
00:12:17,620 --> 00:12:21,830
each executable only runs on one very specific ATM

174
00:12:21,830 --> 00:12:23,580
and that's interesting

175
00:12:23,580 --> 00:12:29,500
I mean of course that raises the question: How do they get this ID in the first place?

176
00:12:29,500 --> 00:12:32,460
How do they create this binary with the encrypted resource?

177
00:12:32,460 --> 00:12:35,140
Where do they get the volume serials from?

178
00:12:35,140 --> 00:12:36,740
and there are basically two options

179
00:12:36,740 --> 00:12:38,340
I mean we don't have the answers to these questions

180
00:12:38,340 --> 00:12:40,100
but there are only two options

181
00:12:40,100 --> 00:12:46,900
one is: they go to the ATMs the first time, run their stuff

182
00:12:46,900 --> 00:12:50,200
and extract the volume serial ID from the system

183
00:12:50,200 --> 00:12:53,420
then go home, prepare the malware and then come back to infect the system

184
00:12:53,420 --> 00:12:56,410
which seems kind of risky, because

185
00:12:56,410 --> 00:12:59,530
if you get caught while doing this... well then

186
00:12:59,530 --> 00:13:01,010
you'll lose something

187
00:13:01,010 --> 00:13:04,380
the other option is...

188
00:13:04,380 --> 00:13:08,330
we'll leave that to your imagination

189
00:13:14,590 --> 00:13:16,200
so what we did

190
00:13:16,200 --> 00:13:25,580
what you see here on the right hand side is some code that is executed after the XOR-decryption of the resource

191
00:13:25,580 --> 00:13:29,300
and if you look closely enough you can see in the first basic block up there

192
00:13:29,300 --> 00:13:33,200
it checks if the first byte of the decrypted data is an "M"

193
00:13:33,200 --> 00:13:36,580
and then the next one checks if the next byte - the second byte - is a "Z"

194
00:13:36,580 --> 00:13:40,580
which is part of the PE file header - MZ header

195
00:13:40,580 --> 00:13:45,380
so we figured: okay, this is probably an executable

196
00:13:45,380 --> 00:13:47,700
and that's how we recovered the original code

197
00:13:47,700 --> 00:13:50,340
we assumed that this is an executable and then

198
00:13:50,340 --> 00:13:52,420
you can call it a known plaintext attack or something like that

199
00:13:52,420 --> 00:13:57,860
we reverted the XOR-encryption and recovered the DLL

200
00:13:57,860 --> 00:14:01,900
and after this happened, of course

201
00:14:01,900 --> 00:14:06,220
the dropper runs some checksumming code

202
00:14:06,220 --> 00:14:16,500
to verify that the extracted and decrypted code is actually the DLL it wants to run

203
00:14:21,740 --> 00:14:24,300
so after we recovered this malicious DLL

204
00:14:24,300 --> 00:14:26,380
we took a closer look at that one

205
00:14:26,380 --> 00:14:33,260
and it's dropped into this path up there under the system directory

206
00:14:33,260 --> 00:14:38,180
and the value in the square brackets over there is again derived from the volume ID

207
00:14:38,180 --> 00:14:40,820
so if you come across one of these DLLs

208
00:14:40,820 --> 00:14:42,820
you can take a look at the file name

209
00:14:42,820 --> 00:14:45,900
and that's linked to the ATM it's supposed to run on

210
00:14:45,900 --> 00:14:48,140
because of the naming scheme here

211
00:14:48,140 --> 00:14:53,200
so that's how - and of course I mean you can see all of that in the code

212
00:14:53,200 --> 00:14:56,600
that the second value there is hard-coded

213
00:14:56,600 --> 00:15:03,460
that's how we figured: okay this sample was supposed to run on an ATM with this volume ID

214
00:15:03,460 --> 00:15:06,260
and then we came across something else

215
00:15:06,260 --> 00:15:08,460
something that's as interesting

216
00:15:08,460 --> 00:15:13,460
this DLL, or the malware in general writes a log file

217
00:15:13,460 --> 00:15:17,180
and stores this on the USB drive that's used for the infection process

218
00:15:17,180 --> 00:15:19,073
and that's pretty verbose

219
00:15:19,073 --> 00:15:20,966
if you look at this

220
00:15:20,966 --> 00:15:22,860
again we have to apologize that it's a little blurry

221
00:15:22,860 --> 00:15:25,700
but there you can see

222
00:15:25,700 --> 00:15:28,540
it's basically what is executed when the batch script runs, right?

223
00:15:28,540 --> 00:15:31,660
there is a file name up there

224
00:15:31,660 --> 00:15:35,980
if you can see that 978-blablabla DLL and some others

225
00:15:35,980 --> 00:15:44,380
and surprisingly this log file contained information about three other infections that took place

226
00:15:44,380 --> 00:15:48,820
so we switch to the next slide

227
00:15:48,820 --> 00:15:50,820
with that information we can say

228
00:15:50,820 --> 00:15:54,900
we have information that these guys infected at least four ATMs

229
00:15:54,900 --> 00:15:57,200
the ones where we had that DLL for

230
00:15:57,200 --> 00:15:58,780
and then these other three

231
00:15:58,780 --> 00:16:01,860
that we recovered from the log file

232
00:16:01,860 --> 00:16:04,780
log file - again - is XOR-encrypted, but the key is hard-coded

233
00:16:04,780 --> 00:16:08,700
so we could recover it from the code and then decrypt the log file and read it

234
00:16:08,700 --> 00:16:11,900
this is an abbreviated version

235
00:16:11,900 --> 00:16:13,900
the most interesting lines from the log

236
00:16:13,900 --> 00:16:18,340
you can see that these ATMs run in fact Windows XP

237
00:16:18,340 --> 00:16:19,520
yeah...

238
00:16:21,940 --> 00:16:29,540
sb: what probably is quite interesting here is that we have information about three different teller machines

239
00:16:29,540 --> 00:16:31,940
that were infected with this USB device

240
00:16:31,940 --> 00:16:37,340
in clear text and we have it additionally in this somehow encrypted log file

241
00:16:37,340 --> 00:16:41,740
so the question is: Why do we have that twice?

242
00:16:41,740 --> 00:16:43,380
Why do we have this log file?

243
00:16:43,380 --> 00:16:45,260
And why didn't they remove that files?

244
00:16:45,260 --> 00:16:50,860
actually for every new infection they have to build a new exe

245
00:16:50,860 --> 00:16:55,600
which is encrypted with the volume serial ID from this machine

246
00:16:55,600 --> 00:16:58,200
and they would have enough time to clear that up

247
00:16:58,200 --> 00:16:59,580
but they didn't do it

248
00:16:59,580 --> 00:17:04,490
so furthermore the question arose: Why didn't they?

249
00:17:09,220 --> 00:17:12,860
tw: okay, now in this part we wanna talk a little bit more about the actual payload

250
00:17:12,860 --> 00:17:17,500
the malicious code that's executed on the compromised ATM

251
00:17:17,500 --> 00:17:20,030
you know, the interesting bit

252
00:17:21,140 --> 00:17:25,260
what you can see here is a list of some facts that we discovered

253
00:17:25,260 --> 00:17:29,500
again this file contains some encrypted resources

254
00:17:29,500 --> 00:17:33,260
this time they're encrypted with the static key that you see up there

255
00:17:33,260 --> 00:17:37,700
so by looking at the code we obtained this key and could easily recover the resources

256
00:17:37,700 --> 00:17:43,138
and they contained images like the one you see on the right hand side, up there

257
00:17:43,138 --> 00:17:48,940
obviously stuff they wanted to display on the ATM screen, right?

258
00:17:48,940 --> 00:17:52,820
we changed the coloring scheme and some other stuff here a little bit

259
00:17:52,820 --> 00:17:55,580
because we don't wanna disclose the target here

260
00:17:55,580 --> 00:18:00,260
yeah that's what they store in these resources

261
00:18:00,260 --> 00:18:04,260
another thing that was in there, is this sdelete tool from Sysinternals

262
00:18:04,260 --> 00:18:08,180
maybe some of you are familiar with that

263
00:18:08,180 --> 00:18:10,980
a publicly available tool for secure file deletion

264
00:18:10,980 --> 00:18:16,200
so you know, you overwrite the file with specific byte patterns before you remove it

265
00:18:16,200 --> 00:18:19,380
and they used that to remove forensic artefacts

266
00:18:19,380 --> 00:18:21,300
forensic traces from the system

267
00:18:21,300 --> 00:18:23,300
for example when they're uninstalling the malware

268
00:18:23,300 --> 00:18:25,860
because you can also uninstall it from an ATM

269
00:18:25,860 --> 00:18:30,940
but in case this fails for whatever reason, they have some backup code in the malware

270
00:18:30,940 --> 00:18:34,780
some backup secure undelete code that does basically the same stuff

271
00:18:34,780 --> 00:18:37,540
it overwrites the data first and then it deletes the file

272
00:18:37,540 --> 00:18:40,420
so it's kinda interesting that they put a lot of effort into

273
00:18:40,420 --> 00:18:42,420
covering up their, you know

274
00:18:42,420 --> 00:18:45,540
hiding their traces on the system

275
00:18:45,540 --> 00:18:47,100
and by the way

276
00:18:47,100 --> 00:18:49,200
we will give you a demo in a few minutes

277
00:18:49,200 --> 00:18:51,900
and show you the whole process

278
00:18:51,900 --> 00:18:54,260
how you interact with an infected ATM

279
00:18:54,260 --> 00:18:57,500
you will see the other screens as well

280
00:19:01,860 --> 00:19:07,380
then of course for most malware it's important to become persistent on the infected system

281
00:19:07,380 --> 00:19:13,780
because when it reboots for whatever reason, you want the malware to automatically load again

282
00:19:13,780 --> 00:19:27,030
and these guys do that by writing the dropped DLL into the AppInit_DLLs value in the Windows registry

283
00:19:27,030 --> 00:19:29,340
for those of you, who are not familiar with the value

284
00:19:29,340 --> 00:19:34,860
you can specify libraries in there that are loaded into every process that starts up

285
00:19:34,860 --> 00:19:39,700
so by this you make sure that the malicious DLL is loaded into every process that starts

286
00:19:39,700 --> 00:19:42,910
within the current logon session at least

287
00:19:43,980 --> 00:19:48,180
what you see down there is some decompiled source code

288
00:19:48,180 --> 00:19:51,580
basically the main function of the malware

289
00:19:51,580 --> 00:19:53,140
of the DLL

290
00:19:53,140 --> 00:19:54,980
and what you can see there

291
00:19:54,980 --> 00:19:58,100
there are several checks running in cash client one

292
00:19:58,100 --> 00:20:01,140
cash client is the term for the software that controls the ATM

293
00:20:01,140 --> 00:20:02,660
that is running on the ATM

294
00:20:02,660 --> 00:20:04,900
and controls the dispenser and so on

295
00:20:04,900 --> 00:20:09,140
so it does this check and if this returns true, it starts some routine

296
00:20:09,140 --> 00:20:14,260
and if some other checks succeed, then it calls some other functions and so on

297
00:20:14,260 --> 00:20:20,460
basically what's happening here is that the DLL checks the name of the process it's running in

298
00:20:20,460 --> 00:20:24,340
and then depending on this name it invokes certain functionality

299
00:20:24,340 --> 00:20:29,940
and we believe that by doing this they implement support for different cash clients

300
00:20:29,940 --> 00:20:36,580
this line down here, running in lsass.exe is also interesting

301
00:20:36,580 --> 00:20:40,540
because the DLL is also obviously loaded into

302
00:20:40,540 --> 00:20:42,340
what's lsass again? local system...

303
00:20:42,340 --> 00:20:44,860
some windows process

304
00:20:44,860 --> 00:20:47,300
is also loaded into that one of course

305
00:20:47,300 --> 00:20:49,660
because of the AppInit thing

306
00:20:49,660 --> 00:20:54,260
if it's running in this, it doesn't interact with the cash client ATM software at all

307
00:20:54,260 --> 00:21:00,600
the DLL that's running in there is an event processor

308
00:21:00,600 --> 00:21:02,860
for example, if you wanna uninstall the software

309
00:21:02,860 --> 00:21:05,460
you basically create an uninstall event

310
00:21:05,460 --> 00:21:07,940
and then the instance running in this process here

311
00:21:07,940 --> 00:21:11,140
handles the event and removes the file and so on

312
00:21:11,140 --> 00:21:13,140
and cleans up all traces

313
00:21:13,140 --> 00:21:15,620
sb: what's also quite interesting here

314
00:21:15,620 --> 00:21:19,100
you can see that later on, when we discover the malware itself

315
00:21:19,100 --> 00:21:22,100
they have really something like a development cycle

316
00:21:22,100 --> 00:21:24,260
it's really professionally made

317
00:21:24,260 --> 00:21:31,900
because within the first infections we could find this malicious DLL within this AppInit hive key

318
00:21:31,900 --> 00:21:37,780
there was an incident where the forensic team could discover it there

319
00:21:37,780 --> 00:21:39,900
because it's quite obvious, you know

320
00:21:39,900 --> 00:21:45,420
the AppInit DLL key is very famous for any malware

321
00:21:45,420 --> 00:21:47,580
that should start at startup

322
00:21:47,580 --> 00:21:48,900
and they improved it

323
00:21:48,900 --> 00:21:55,220
so later on, they just added this malicious DLL to the DLLs which are started

324
00:21:55,220 --> 00:21:56,940
just when the cash client is started

325
00:21:56,940 --> 00:22:00,580
so it's also started from the startup, but it's not as loud

326
00:22:00,580 --> 00:22:05,220
so you have to search quite a bit deeper to find it

327
00:22:07,620 --> 00:22:10,260
tw: Where are we? Are we on time? How are we doing?

328
00:22:10,260 --> 00:22:12,620
How much time do we have left?

329
00:22:18,420 --> 00:22:19,250
okay, plenty of time

330
00:22:19,250 --> 00:22:20,420
great

331
00:22:20,420 --> 00:22:28,180
so we know, how the malware becomes persistent

332
00:22:28,180 --> 00:22:31,620
we know how it makes sure that it runs on the system

333
00:22:31,620 --> 00:22:36,900
so it injects this DLL into all these processes

334
00:22:36,900 --> 00:22:39,700
now of course we wanna know how to interact with it

335
00:22:39,700 --> 00:22:41,819
because there must be a way of interacting with the malware

336
00:22:41,819 --> 00:22:50,540
and what we found out by reverse engineering code is that the DLL that's running in the cash client

337
00:22:50,540 --> 00:22:53,500
installs a hook for keyboard events

338
00:22:53,500 --> 00:22:57,620
so whenever you press a key on the keyboard which in this case is the num pad

339
00:22:57,620 --> 00:23:02,940
this is trapped by the malware and processed

340
00:23:02,940 --> 00:23:05,900
and what they do is, they process only number keys

341
00:23:05,900 --> 00:23:07,180
for obvious reasons

342
00:23:07,180 --> 00:23:08,980
because that's the only kind of keys that you can enter

343
00:23:08,980 --> 00:23:11,780
and if you enter the code that you've seen on the first slide

344
00:23:11,780 --> 00:23:19,620
you activate a hidden menu that allows you to choose the several options

345
00:23:19,620 --> 00:23:24,200
that you can use to control the ATM

346
00:23:27,870 --> 00:23:29,540
but they have implemented an additional measure

347
00:23:29,540 --> 00:23:34,220
because, you know, it's possible that somebody by accident enters the right 12 digits

348
00:23:34,220 --> 00:23:37,100
and then *suprise* this thing pops up

349
00:23:37,100 --> 00:23:39,500
and you can dispense all the money from the ATM

350
00:23:39,500 --> 00:23:41,700
of course they don't want that to happen

351
00:23:41,700 --> 00:23:44,260
so they have implemented a challenge-response scheme

352
00:23:44,260 --> 00:23:48,300
so when you enter the 12 digit code, the first menu allows you to say

353
00:23:48,300 --> 00:23:50,300
present me with a challenge

354
00:23:50,300 --> 00:23:54,700
and then the malware generates a random or like a secret code

355
00:23:54,700 --> 00:23:57,460
where the scheme to generate it is secret

356
00:23:57,460 --> 00:23:59,900
and you have to enter a response

357
00:23:59,900 --> 00:24:02,140
that's not easy to crack

358
00:24:02,140 --> 00:24:03,980
what they do in this case

359
00:24:03,980 --> 00:24:10,100
because the poor guy who goes to the ATM to cash out is not the brain behind the whole operation

360
00:24:10,100 --> 00:24:13,660
they're likely to get arrested

361
00:24:13,660 --> 00:24:17,540
so they probably don't want to transfer the knowledge

362
00:24:17,540 --> 00:24:21,100
how to generate the response for the challenge to these people

363
00:24:21,100 --> 00:24:26,140
can you tell the story about the phone calls?

364
00:24:26,140 --> 00:24:32,660
sb: yeah, actually they had a surveillance video where they could monitor just one of their cash guys

365
00:24:32,660 --> 00:24:37,380
who had just entered the secret 12 digits

366
00:24:37,380 --> 00:24:43,460
and you can see on this video that he has already one part of this hack view

367
00:24:43,460 --> 00:24:47,780
and after that he just took a cell phone

368
00:24:47,780 --> 00:24:52,620
and called somebody and you can see that within that call

369
00:24:52,620 --> 00:24:59,820
he types another number and right after that, he starts cashing out the teller machines

370
00:24:59,820 --> 00:25:05,700
that's exactly that challenge-response check, he was talking about

371
00:25:05,700 --> 00:25:10,300
so this proves that they don't want to leave anything to chance

372
00:25:10,300 --> 00:25:18,500
they wanna control which teller machine is cashed out and exactly when and who does the cash out

373
00:25:18,500 --> 00:25:24,619
so this may implicate that they don't trust their own people, do they?

374
00:25:24,619 --> 00:25:30,740
tw: so, I mean we tried to bring you this video where the guy makes the phone call

375
00:25:30,740 --> 00:25:34,140
but obviously the bank that was targeted here

376
00:25:34,140 --> 00:25:38,620
they're a little concerned about their identity being disclosed

377
00:25:38,620 --> 00:25:40,620
so unfortunately we couldn't get it

378
00:25:40,620 --> 00:25:43,620
but, well, you have to trust us on that

379
00:25:43,620 --> 00:25:46,140
that's how they probably do it

380
00:25:46,140 --> 00:25:52,660
another thing is that these guys already anticipated that somebody would get a copy of the malware

381
00:25:52,660 --> 00:25:55,300
and then probably start to reverse engineer it

382
00:25:55,300 --> 00:25:58,100
and understand how it works

383
00:25:58,100 --> 00:25:59,780
and of course the worst thing that can happen is

384
00:25:59,780 --> 00:26:03,700
if somebody recovers the challenge-response functionality in that code

385
00:26:03,700 --> 00:26:09,260
and then goes to all the hacked ATMs and, you know, jackpots them

386
00:26:09,260 --> 00:26:11,180
instead of these guys

387
00:26:11,180 --> 00:26:15,220
so they figured: okay, we need a means to protect that really important code

388
00:26:15,220 --> 00:26:18,260
and that's not the only part, that's protected

389
00:26:18,260 --> 00:26:22,500
there are several pieces that are, you know, critical

390
00:26:22,500 --> 00:26:24,260
so to speak

391
00:26:24,260 --> 00:26:26,900
so this challenge-response thing is one of them

392
00:26:26,900 --> 00:26:31,740
and the other parts that are protected is everything that interacts with the cash client

393
00:26:31,740 --> 00:26:37,940
so by looking at the code you would never see a direct API call or DLL function call

394
00:26:37,940 --> 00:26:40,260
into the cash clients libraries

395
00:26:40,260 --> 00:26:41,860
all of this stuff is protected

396
00:26:41,860 --> 00:26:46,220
and I'm gonna talk a little bit more about how they do that

397
00:26:48,230 --> 00:26:51,620
it's a little bit hard to put that...

398
00:26:51,620 --> 00:26:53,700
to find the right words for it

399
00:26:53,700 --> 00:26:57,340
we have a picture of that in our mind, but...

400
00:26:57,340 --> 00:26:59,500
we call that a state machine

401
00:26:59,500 --> 00:27:04,140
so their obfuscation method is basically control flow obfuscation

402
00:27:04,140 --> 00:27:08,540
when you look at some code statically, you can see this function is calling that function

403
00:27:08,540 --> 00:27:11,180
and then this is calling that under this condition and so on

404
00:27:11,180 --> 00:27:13,300
that's the control flow in the code

405
00:27:13,300 --> 00:27:16,900
but if you don't wanna disclose that function A is calling function B

406
00:27:16,900 --> 00:27:19,380
you have to put something in between

407
00:27:19,380 --> 00:27:21,300
that obfuscates this relationship

408
00:27:21,300 --> 00:27:25,220
they implemented a state-machine

409
00:27:25,220 --> 00:27:26,980
that's what we call it

410
00:27:26,980 --> 00:27:28,580
and this state machine consumes a buffer

411
00:27:28,580 --> 00:27:31,180
a static buffer that's somewhere in the binary

412
00:27:31,180 --> 00:27:34,140
and performs some computation on the bytes

413
00:27:34,140 --> 00:27:37,220
and the result is the address of the function to call

414
00:27:37,220 --> 00:27:41,980
at some point you say: state machine, here is a buffer

415
00:27:41,980 --> 00:27:43,460
do your thing

416
00:27:43,460 --> 00:27:46,300
and then the state machine starts computing the address to call

417
00:27:46,300 --> 00:27:48,380
or that's only one scenario

418
00:27:48,380 --> 00:27:51,200
the other scenario is that you wanna compute a certain value

419
00:27:51,200 --> 00:27:54,600
for example, you enter the response for a particular challenge

420
00:27:54,600 --> 00:28:01,580
and then the state machine with its functions computes some other value

421
00:28:01,580 --> 00:28:04,860
that it compares to a challenge or something

422
00:28:04,860 --> 00:28:08,940
and this computation as well is protected by the state machine

423
00:28:08,940 --> 00:28:13,178
and you can see a little snippet of that on the right hand side

424
00:28:13,178 --> 00:28:17,380
again, if you can read it, you can see there's a lot of junk code in there

425
00:28:17,380 --> 00:28:21,600
those of you who are familiar with polymorphism

426
00:28:21,600 --> 00:28:23,540
polymorphic malware or other stuff like that

427
00:28:23,540 --> 00:28:28,140
you will immediately see that some of the functions in there are total garbage

428
00:28:28,140 --> 00:28:31,500
like for example, the SUB AL e1

429
00:28:31,500 --> 00:28:36,500
and then, you know, some values are subtracted from a register first and then added again

430
00:28:36,500 --> 00:28:38,740
so it's basically doing nothing

431
00:28:38,740 --> 00:28:44,700
this junk code stuff is one method of obfuscation

432
00:28:44,700 --> 00:28:47,740
and the other is what's usually called "spaghetti code"

433
00:28:47,740 --> 00:28:49,620
you know, it's jumping back and forth

434
00:28:49,620 --> 00:28:52,500
and calling subroutines all over the place

435
00:28:52,500 --> 00:28:56,980
and I think it's really hard or next to impossible to reverse engineer that

436
00:28:56,980 --> 00:28:59,460
at least we spent several days

437
00:28:59,460 --> 00:29:00,740
weeks even

438
00:29:00,740 --> 00:29:02,900
and we couldn't really figure out how the state machine works

439
00:29:02,900 --> 00:29:04,220
and that's really the purpose

440
00:29:04,220 --> 00:29:08,380
but fortunately for us there was a solution for this

441
00:29:08,380 --> 00:29:12,700
and that is what the little colored bar at the bottom of the slide shows you

442
00:29:12,700 --> 00:29:17,500
again, this is something that IDA Pro generates for you, this disassembler tool

443
00:29:17,500 --> 00:29:20,300
you can see the blue stuff at the front

444
00:29:20,300 --> 00:29:24,780
that's the real code of the malware

445
00:29:24,780 --> 00:29:27,100
all of that lives in the code section

446
00:29:27,100 --> 00:29:28,700
and is at the beginning

447
00:29:28,700 --> 00:29:31,540
and the green stuff here is library functions

448
00:29:31,540 --> 00:29:33,978
here we have some data

449
00:29:33,978 --> 00:29:36,700
and at the end there is some code again

450
00:29:36,700 --> 00:29:39,100
and surprisingly this is the state machine

451
00:29:39,100 --> 00:29:42,780
and it's pretty convenient for us that this is somewhere else in the memory layout

452
00:29:42,780 --> 00:29:43,980
so what you can do is

453
00:29:43,980 --> 00:29:46,780
you can put a memory break point at the section here

454
00:29:46,780 --> 00:29:51,740
and by doing this trap every attempt to execute the state machine code

455
00:29:51,740 --> 00:29:54,140
and then when you're in the state machine

456
00:29:54,140 --> 00:29:57,660
you put a break point on the original, on the real code, up there

457
00:29:57,660 --> 00:30:01,800
and you get the exit point of the state machine

458
00:30:01,800 --> 00:30:05,580
by doing this you can basically treat the state machine as a black box

459
00:30:05,580 --> 00:30:07,580
you don't care about the calculations at all

460
00:30:07,580 --> 00:30:12,200
you can still reconstruct the relationship between the calling function and the callee

461
00:30:12,200 --> 00:30:14,980
okay

462
00:30:14,980 --> 00:30:23,580
unfortunately we couldn't use this break point method to understand how these value calculations are performed

463
00:30:23,580 --> 00:30:29,220
but, well, you still can inspect memory and somehow understand a little bit of that somehow at least

464
00:30:33,260 --> 00:30:38,459
okay now we wanna demo to you how this thing looks like

465
00:30:38,459 --> 00:30:42,200
unfortunately we don't own an ATM that we can infect

466
00:30:42,200 --> 00:30:46,710
but we have a virtual machine here that's running the malware

467
00:30:48,270 --> 00:30:50,500
and we've patched the malware a little bit here

468
00:30:50,500 --> 00:30:51,900
I think we didn't tell you

469
00:30:51,900 --> 00:30:54,420
so what's happening is these screens when you enter the secret code

470
00:30:54,420 --> 00:30:57,180
these screens that you saw on the slide

471
00:30:57,180 --> 00:31:01,140
they're displayed on a second desktop

472
00:31:01,140 --> 00:31:03,580
on Windows you can have as many desktops

473
00:31:03,580 --> 00:31:05,660
like virtual desktops as you want

474
00:31:05,660 --> 00:31:08,260
and then switch back and forth between these desktops

475
00:31:08,260 --> 00:31:09,420
so what's happening is

476
00:31:09,420 --> 00:31:11,180
these screens are displayed on a second desktop

477
00:31:11,180 --> 00:31:15,300
and then execution switches over

478
00:31:15,300 --> 00:31:17,940
the displays which is over to this desktop

479
00:31:17,940 --> 00:31:21,700
so you leave the original ATM display and its process alone

480
00:31:21,700 --> 00:31:24,340
you just switch over to your secret menu desktop

481
00:31:24,340 --> 00:31:27,150
and when you're done, you can switch back

482
00:31:28,100 --> 00:31:31,140
that's a little difficult to debug

483
00:31:31,140 --> 00:31:34,620
because when you do that, when you're running in a debugger and using break points and stuff

484
00:31:34,620 --> 00:31:38,740
and the malware all of a sudden switches to a second desktop

485
00:31:38,740 --> 00:31:42,200
you can't control the debugger anymore, because it's running on the first desktop

486
00:31:42,200 --> 00:31:47,740
so we had to patch a few things to make it more convenient for us to demonstrate this

487
00:31:47,740 --> 00:31:50,880
and that's what we're gonna do now

488
00:31:56,140 --> 00:31:57,820
can you...?

489
00:31:57,820 --> 00:32:01,580
so we have this little Windows XP VM

490
00:32:01,580 --> 00:32:04,140
because we want to be accurate, right?

491
00:32:04,140 --> 00:32:07,700
and I'm gonna start two processes here

492
00:32:07,700 --> 00:32:11,580
one is: I have some little batch scripts

493
00:32:11,580 --> 00:32:17,620
one is the one that simulates the malware running in the lsass process

494
00:32:17,620 --> 00:32:23,860
and the other one simulates the malware running in the cash client

495
00:32:23,860 --> 00:32:25,220
this one here

496
00:32:25,220 --> 00:32:32,200
and let's just presume that this is showing the standard ATM screen here

497
00:32:32,200 --> 00:32:34,820
so "Enter your PIN" and stuff like that, okay

498
00:32:34,820 --> 00:32:36,780
so what we're gonna do now is

499
00:32:36,780 --> 00:32:40,700
we're gonna enter the 12 digit secret code that we saw on the first slide

500
00:32:40,700 --> 00:32:44,470
you remember that, right?

501
00:32:48,310 --> 00:32:52,340
and if you do that, you're presented with this menu here

502
00:32:58,650 --> 00:33:01,500
do you wanna talk about those values? how that's calculated?

503
00:33:01,500 --> 00:33:02,900
sb: yeah probably

504
00:33:02,900 --> 00:33:08,100
so the only thing which is hard coded are the three lines at the bottom here

505
00:33:08,100 --> 00:33:16,260
and all of the rest is just generated with the actual amounts they find on this ATM

506
00:33:16,260 --> 00:33:20,540
so the ATMs, they have a lot of log files which they create

507
00:33:20,540 --> 00:33:23,980
and they're just saved on the hard drive

508
00:33:23,980 --> 00:33:25,660
and within that files

509
00:33:25,660 --> 00:33:31,180
every payment transaction is noted

510
00:33:31,180 --> 00:33:34,260
what the malware does is

511
00:33:34,260 --> 00:33:36,740
it requests the newest of that files

512
00:33:36,740 --> 00:33:41,700
and just pulls the values into that screen

513
00:33:41,700 --> 00:33:48,140
and so the attacker is presented with the actual value of the amount of money

514
00:33:48,140 --> 00:33:52,660
and there he can just choose which one he wants to cash out

515
00:33:52,660 --> 00:33:57,700
so just the 100 bills, or all of them

516
00:33:57,700 --> 00:33:59,700
this is quite interesting

517
00:33:59,700 --> 00:34:05,740
we took this screen from an ATM which was already attacked

518
00:34:05,740 --> 00:34:14,220
there you can see that especially, or only the $100 cash cassette was cashed out

519
00:34:14,220 --> 00:34:24,500
because, you know how long it takes if you're just cashing out 100 or 200 Dollars or Euros

520
00:34:24,500 --> 00:34:30,660
and if you can imagine if you have a whole cassette full of money

521
00:34:30,660 --> 00:34:33,420
that takes a lot of time

522
00:34:33,420 --> 00:34:43,420
so this is why they most likely just cashed out this cassette with the most valuable input

523
00:34:43,420 --> 00:34:48,500
tw: so what I can do now is

524
00:34:48,500 --> 00:34:51,340
I can either press "0" and then I leave that again

525
00:34:51,340 --> 00:34:55,300
and, you know, ATM shows its standard screen again

526
00:34:55,300 --> 00:34:57,300
or I press "1"

527
00:34:57,300 --> 00:35:01,380
I'm gonna do that now, just to show you what's happening

528
00:35:01,380 --> 00:35:05,420
and now it's challenging me with this code here

529
00:35:05,420 --> 00:35:09,260
and I have to enter the response

530
00:35:09,260 --> 00:35:12,660
and yeah, I mean, it's a 6 digit number

531
00:35:12,660 --> 00:35:14,260
the problem is

532
00:35:14,260 --> 00:35:17,700
because we're not running on a real ATM, we cannot simulate this here

533
00:35:17,700 --> 00:35:20,100
so I mean, I can enter a number here

534
00:35:20,100 --> 00:35:24,900
but even if it would be the right one and it would accept this

535
00:35:24,900 --> 00:35:29,620
we wouldn't be able to go any further, because some pieces are missing here

536
00:35:29,620 --> 00:35:33,580
unfortunately... let me restart this

537
00:35:45,140 --> 00:35:46,980
there we go again

538
00:35:49,790 --> 00:35:52,419
usually what happens is

539
00:35:52,419 --> 00:35:54,100
you press "1"

540
00:35:54,100 --> 00:35:57,200
you get the challenge code

541
00:35:57,200 --> 00:35:59,420
you call your HQ

542
00:35:59,420 --> 00:36:00,756
you get the response code

543
00:36:00,756 --> 00:36:02,182
you enter your response code

544
00:36:02,182 --> 00:36:05,740
and then you have access to this second level menu, so to speak

545
00:36:05,740 --> 00:36:08,860
that allows you to actually cash out

546
00:36:08,860 --> 00:36:12,900
well, as I said, we cannot really do that here

547
00:36:12,900 --> 00:36:17,200
so we have to simulate the fact that we're authenticated

548
00:36:17,200 --> 00:36:20,340
we entered the right response code

549
00:36:20,340 --> 00:36:24,110
for that we patched a little bit in this DLL

550
00:36:24,110 --> 00:36:27,068
unfortunately we have to wait for three minutes now

551
00:36:27,068 --> 00:36:29,096
because there is a timeout

552
00:36:29,096 --> 00:36:33,540
they implemented a timeout as a measure to not leave this screen open

553
00:36:33,540 --> 00:36:35,600
when, you know, something happens

554
00:36:35,600 --> 00:36:37,620
the guy has to run off or something

555
00:36:37,620 --> 00:36:39,620
because police is coming or something

556
00:36:39,620 --> 00:36:41,380
and then you don't want to leave this on the screen

557
00:36:41,380 --> 00:36:44,940
so they implemented a timer that fires after three minutes

558
00:36:44,940 --> 00:36:48,200
and then after three minutes this window is closed

559
00:36:48,200 --> 00:36:53,580
we patched this timer, that after three minutes the second layer menu is opened instead

560
00:36:53,580 --> 00:36:57,900
we have to talk a little bit more, until that happens now

561
00:36:57,900 --> 00:37:01,540
sb: probably about the version number

562
00:37:01,540 --> 00:37:05,500
cause there you can see, they named their software

563
00:37:05,500 --> 00:37:10,780
typical software style of course

564
00:37:10,780 --> 00:37:13,260
with a four digit value number

565
00:37:13,260 --> 00:37:15,420
so they have really a development cycle

566
00:37:15,420 --> 00:37:17,200
for this malware

567
00:37:17,200 --> 00:37:23,300
and they really are improving that with nearly every attack they are doing

568
00:37:23,300 --> 00:37:27,300
they collect all facts they have, they improve antiforensics

569
00:37:27,300 --> 00:37:31,500
and build in a little more functionality

570
00:37:31,500 --> 00:37:36,780
you can really track these changes, they made

571
00:37:36,780 --> 00:37:39,820
this development improves

572
00:37:42,840 --> 00:37:48,780
tw: another thing we can tell you meanwhile is that this challenge code is generated from two things

573
00:37:48,780 --> 00:37:51,780
again, we don't know how it's generated, we don't know the algorithm

574
00:37:51,780 --> 00:37:53,620
but we do know the input

575
00:37:53,620 --> 00:37:56,900
and the two things that are the input to this algorithm

576
00:37:56,900 --> 00:38:01,620
are an ID that's unique to the ATM

577
00:38:01,620 --> 00:38:04,600
or the station, whatever you wanna call it

578
00:38:04,600 --> 00:38:05,660
and a random value

579
00:38:05,660 --> 00:38:07,300
so there's some randomness in there

580
00:38:07,300 --> 00:38:11,860
by this you make sure that even if the same random value is chosen

581
00:38:11,860 --> 00:38:14,380
the codes are different for two different ATMs

582
00:38:14,380 --> 00:38:18,460
so the guy has to in fact call you and ask for the code

583
00:38:18,460 --> 00:38:23,580
he cannot, you know, just by accident enter the right thing and take the money for himself

584
00:38:23,580 --> 00:38:30,520
alright now would be a good time for the timer to fire

585
00:38:33,490 --> 00:38:34,940
let's see

586
00:38:34,940 --> 00:38:37,600
okay, I have another story

587
00:38:37,600 --> 00:38:40,140
the dropper executable

588
00:38:40,140 --> 00:38:45,900
when something goes wrong, they calculate an error message, an error code

589
00:38:45,900 --> 00:38:46,980
oh, there we go

590
00:38:46,980 --> 00:38:50,260
and this error code is derived from the value 1337

591
00:38:50,260 --> 00:38:52,820
so apparently they think they are leet

592
00:38:52,820 --> 00:38:57,980
which didn't really stop us from reverse engineering their software

593
00:39:04,200 --> 00:39:08,260
this screen is like what we showed on the second slide

594
00:39:08,260 --> 00:39:12,220
which basically says "this terminal is out of order, go to the next one"

595
00:39:12,220 --> 00:39:14,300
and when you see this

596
00:39:14,300 --> 00:39:15,860
I mean, two purposes:

597
00:39:15,860 --> 00:39:22,540
one: others who want to dispense money from the ATM, if they see this, they would not touch it

598
00:39:22,540 --> 00:39:24,600
and go to another one

599
00:39:24,600 --> 00:39:27,820
but this also tells you that now you can enter another code

600
00:39:27,820 --> 00:39:32,660
which turns out to be the same 12 digit sequence that we already know

601
00:39:32,660 --> 00:39:34,980
to enter the second hidden menu

602
00:39:34,980 --> 00:39:41,460
and there we go

603
00:39:41,460 --> 00:39:45,180
this is now the real menu that you can use to control the ATM

604
00:39:45,180 --> 00:39:49,660
again, you see the first four lines show you how much money for the different bills

605
00:39:49,660 --> 00:39:51,820
or different notes is in there

606
00:39:51,820 --> 00:39:53,980
but now you can actually, you know, cash out

607
00:39:53,980 --> 00:39:55,900
you can dispense that money from the machine

608
00:39:55,900 --> 00:40:07,900
so for example if I press "1", hopefully I can get the 300 R-Dollars

609
00:40:07,900 --> 00:40:11,860
or if I press "4", I can get the 50s

610
00:40:11,860 --> 00:40:18,300
so let me do that now and you can pay attention to the purple line at the bottom

611
00:40:18,300 --> 00:40:20,700
so I press "4" now

612
00:40:20,700 --> 00:40:24,740
and it said "wait" or "waiting" or something like that

613
00:40:24,740 --> 00:40:27,140
and now it says "command has failed"

614
00:40:27,140 --> 00:40:30,460
which is too bad because I wanted money, but my VM...

615
00:40:30,460 --> 00:40:32,220
the emulation is not that good

616
00:40:32,220 --> 00:40:36,600
sb: still didn't get to manage to really cash out some money from that machine here

617
00:40:36,600 --> 00:40:38,100
tw: that would be nice

618
00:40:38,100 --> 00:40:40,200
so I could now try to cash out 1, 2, 3, 4

619
00:40:40,200 --> 00:40:41,900
and always I get this failure message

620
00:40:41,900 --> 00:40:47,500
but this is where the malware actually interacts with the cash client

621
00:40:47,500 --> 00:40:54,820
it loads, or resolves the libraries that belong to this cash client and then calls the API functions

622
00:40:54,820 --> 00:40:58,220
to trigger the dispense functionality

623
00:40:58,220 --> 00:41:02,340
but the other options at the bottom of the screen are also interesting

624
00:41:02,340 --> 00:41:04,540
let me show you "7" and "8" first

625
00:41:04,540 --> 00:41:07,420
and that's why I have this little window open here

626
00:41:07,420 --> 00:41:08,460
I hope you can see that

627
00:41:08,460 --> 00:41:10,700
so this is my network connection

628
00:41:10,700 --> 00:41:13,140
the network devices that are installed

629
00:41:13,140 --> 00:41:19,600
and as she said, every ATM has a persistent network connection to the bank

630
00:41:19,600 --> 00:41:22,300
so they can control what's going on and monitor and so on

631
00:41:22,300 --> 00:41:27,980
so probably before you wanna cash out, you wanna disable the network entirely

632
00:41:27,980 --> 00:41:30,200
and they can use "7" and "8" to do that

633
00:41:30,200 --> 00:41:37,300
so let me press "7", you take a look at that window on the right hand side

634
00:41:37,300 --> 00:41:39,660
you can see, the adapters are disabled now

635
00:41:39,660 --> 00:41:42,540
and now I'm going to press "8" again

636
00:41:42,540 --> 00:41:43,900
and now they're enabled again

637
00:41:43,900 --> 00:41:45,860
that's convenient, right

638
00:41:45,860 --> 00:41:49,820
so you can disable and enable the network adapters entirely

639
00:41:49,820 --> 00:41:54,380
if you press "6" you're going back to this mode

640
00:41:57,700 --> 00:42:01,900
and finally you can also format the system

641
00:42:04,180 --> 00:42:07,340
I mean obviously because you wanna remove all the traces

642
00:42:07,340 --> 00:42:11,780
so if I press "5", you see that little screen, that we already know

643
00:42:11,780 --> 00:42:14,860
from the slide

644
00:42:14,860 --> 00:42:16,620
they're somewhat cautious here

645
00:42:16,620 --> 00:42:19,500
again, if you do that, you can either press "0"

646
00:42:19,500 --> 00:42:21,780
then you get back to the previous menu

647
00:42:21,780 --> 00:42:25,700
or you can press "9" and confirm that you actually wanna format the system

648
00:42:25,700 --> 00:42:27,340
and doing that now

649
00:42:27,340 --> 00:42:32,660
and again it presents you with a challenge and you have to enter a 6 digit response code

650
00:42:32,660 --> 00:42:38,340
the algorithm that's used to calculate this here is different from the previous one

651
00:42:38,340 --> 00:42:41,620
and I mean we figured it out somewhat

652
00:42:41,620 --> 00:42:46,500
but the funny thing is, that it doesn't actually format the system

653
00:42:46,500 --> 00:42:49,460
it just uninstalls the malware

654
00:42:49,460 --> 00:42:53,860
I don't know what the right answer to this is now

655
00:42:53,860 --> 00:42:56,980
if you enter the wrong one, it keeps asking

656
00:42:56,980 --> 00:43:00,820
and interestingly you cannot get out of this state anymore

657
00:43:00,820 --> 00:43:04,580
so if you don't know the right answer, you're trapped in this

658
00:43:04,580 --> 00:43:08,820
and after three minutes the "out of order" thing is displayed again

659
00:43:08,820 --> 00:43:13,200
but if you enter the secret code, you don't have access to the main menu again

660
00:43:13,200 --> 00:43:15,460
you will always end up in this screen

661
00:43:15,460 --> 00:43:22,940
so unless you enter the right code here, well, you locked yourself out

662
00:43:26,880 --> 00:43:27,600
alright

663
00:43:27,600 --> 00:43:34,220
we wanna conclude with some speculation about the people behind this maybe

664
00:43:34,220 --> 00:43:36,660
we obviously don't really know who it is

665
00:43:36,660 --> 00:43:39,740
but, you know, there are some interesting facts

666
00:43:39,740 --> 00:43:46,200
and after that we'll open it up for questions and, you know, a little Q&A

667
00:43:46,200 --> 00:43:48,940
sb: what we really can tell for sure

668
00:43:48,940 --> 00:43:51,260
that they want to make serious money with that

669
00:43:51,260 --> 00:43:54,340
they put a lot of effort in implementing and investigating

670
00:43:54,340 --> 00:43:57,180
in coding actually

671
00:43:57,180 --> 00:44:04,420
they build up quite a big team to do that and they have apparently different roles

672
00:44:04,420 --> 00:44:06,460
that are strictly assigned

673
00:44:06,460 --> 00:44:11,420
so every role has his part and is able to do his part

674
00:44:11,420 --> 00:44:13,660
so it's quite separated

675
00:44:13,660 --> 00:44:18,860
for sure they have to have profound knowledge about the ATMs

676
00:44:18,860 --> 00:44:21,620
so most likely they really had one

677
00:44:21,620 --> 00:44:28,620
to test all these features and to really check whether the coding is correct

678
00:44:28,620 --> 00:44:30,380
whether they get any error messages

679
00:44:30,380 --> 00:44:32,100
something like that

680
00:44:32,100 --> 00:44:39,300
so either they probably robbed one and reverse engineered the original cash client

681
00:44:39,300 --> 00:44:41,180
to derive the malware from it

682
00:44:41,180 --> 00:44:45,420
or they most likely had someone in the inside

683
00:44:45,420 --> 00:44:48,220
which was just to...

684
00:44:48,220 --> 00:44:50,460
which had to develop the original cash client

685
00:44:50,460 --> 00:44:54,460
and therefore really knows exactly how this works

686
00:44:54,460 --> 00:45:00,380
how it's possible just to trigger a cash out

687
00:45:00,380 --> 00:45:04,500
without entering a valid card, the PIN code

688
00:45:04,500 --> 00:45:10,600
circumvent all the security measures that are implemented here

689
00:45:10,600 --> 00:45:15,700
they have quite good development skills

690
00:45:15,700 --> 00:45:19,500
so the code is quite sorted

691
00:45:19,500 --> 00:45:23,340
you see the development cycles

692
00:45:23,340 --> 00:45:36,820
they implement new features just like the AppInit DLL key stuff and so on

693
00:45:36,820 --> 00:45:46,860
at least they are capable of protecting the code against people like him

694
00:45:46,860 --> 00:45:49,900
they're just trying to reverse engineer malware

695
00:45:49,900 --> 00:45:53,600
and they really try to cover their tracks for forensic investigations

696
00:45:53,600 --> 00:45:58,820
so they made it really hard to get the pieces together

697
00:45:58,820 --> 00:46:06,580
to just have a full image of how that finally works together

698
00:46:06,580 --> 00:46:07,980
tw: alright

699
00:46:07,980 --> 00:46:11,540
that was almost the last slide

700
00:46:11,540 --> 00:46:13,580
you guys remember the 12 digits

701
00:46:13,580 --> 00:46:15,220
from the first slide

702
00:46:15,220 --> 00:46:18,300
so next time, before you dispense the money from an ATM, enter the 12 digits first

703
00:46:18,300 --> 00:46:20,740
to make sure that it's not hacked

704
00:46:20,740 --> 00:46:22,820
right, and if it is hacked

705
00:46:22,820 --> 00:46:29,600
then you enter this here

706
00:46:29,600 --> 00:46:31,140
because that uninstalls the malware

707
00:46:31,140 --> 00:46:41,070
*applause*

708
00:46:48,540 --> 00:46:54,420
well then we do a short Q&A, if it's okay for you

709
00:46:54,420 --> 00:46:57,180
please, everybody that has a question

710
00:46:57,180 --> 00:47:00,980
please line up on the microphones

711
00:47:00,980 --> 00:47:04,220
signed with the numbers

712
00:47:04,220 --> 00:47:20,540
and then we will do a short Q&A from approximately 8 to 10 minutes

713
00:47:20,540 --> 00:47:22,860
alright, let's start with you

714
00:47:22,860 --> 00:47:25,100
hi, I have two questions

715
00:47:25,100 --> 00:47:30,620
the first question is whether they were gathering PIN codes and no strips

716
00:47:30,620 --> 00:47:32,660
to be able to use them later on

717
00:47:32,660 --> 00:47:37,700
and the second question is whether the ATM is connected to the Internet through the network connection

718
00:47:37,700 --> 00:47:40,600
I didn't get all of that

719
00:47:40,600 --> 00:47:42,380
can the others be a little quiet

720
00:47:42,380 --> 00:47:45,180
so we have the chance to understand the questions

721
00:47:45,180 --> 00:47:46,900
sorry, can you please repeat?

722
00:47:46,900 --> 00:47:52,540
so my first question is whether the PIN codes and this magnetic strip

723
00:47:52,540 --> 00:47:57,660
or any other information linked to the credit card number is gathered by this malware

724
00:47:57,660 --> 00:48:02,980
and the second question is whether the network connection gives Internet access to the ATM

725
00:48:02,980 --> 00:48:06,980
let me answer the first one, and for the second one, I'll refer to her

726
00:48:06,980 --> 00:48:13,460
so this one could gather information like credit card stuff and so on

727
00:48:13,460 --> 00:48:14,660
but it doesn't

728
00:48:14,660 --> 00:48:16,200
not this one

729
00:48:16,200 --> 00:48:17,980
I didn't get the second question

730
00:48:17,980 --> 00:48:23,140
second question was: can you access the ATMs over the Internet? is there internet connection?

731
00:48:23,140 --> 00:48:27,580
no, actually they do not have an Internet connection

732
00:48:27,580 --> 00:48:30,940
but it is possible to build, so far

733
00:48:30,940 --> 00:48:35,220
we did that in a test, where we tested an ATM

734
00:48:35,220 --> 00:48:40,300
you can use this USB connection where they plugged in the bootable device

735
00:48:40,300 --> 00:48:45,903
and just put a UMTS stick there and then you have an Internet connection

736
00:48:45,903 --> 00:48:48,348
but by default there is none

737
00:48:48,348 --> 00:48:51,003
but we did that, yeah

738
00:48:51,003 --> 00:48:55,700
okay, then let's take number 1

739
00:48:55,700 --> 00:48:58,460
thank you for your talk

740
00:48:58,460 --> 00:48:59,900
I have two short questions

741
00:48:59,900 --> 00:49:03,200
what was the time span between the infection and the cash out?

742
00:49:03,200 --> 00:49:08,598
and did the attackers try to intercept card data?

743
00:49:09,298 --> 00:49:11,260
so, the second question is the same as the previous one

744
00:49:11,260 --> 00:49:14,180
they don't intercept any card data

745
00:49:14,180 --> 00:49:16,820
they don't gather like credit card information and stuff like that

746
00:49:16,820 --> 00:49:22,260
they only like jackpot - as Barnaby Jack called it - the ATMs

747
00:49:22,260 --> 00:49:24,580
they only dispense money from the ATM

748
00:49:24,580 --> 00:49:27,620
for the first question, what was the first question again?

749
00:49:27,620 --> 00:49:30,820
what was the time span between the infection and the cash out?

750
00:49:30,820 --> 00:49:34,580
how much time is between the infection and the actual cash out

751
00:49:34,580 --> 00:49:40,140
we discovered that there were only two to three days

752
00:49:40,140 --> 00:49:47,180
so they could have any time between that, but they really try to make it short

753
00:49:47,180 --> 00:49:51,780
and of course they waited for the right time, so right after the recharging

754
00:49:51,780 --> 00:49:56,540
because that's the point of the most money

755
00:49:56,540 --> 00:49:59,140
okay, then number 3 please

756
00:49:59,140 --> 00:50:01,600
hi, thank you for your talk

757
00:50:01,600 --> 00:50:04,180
question about banking security

758
00:50:04,180 --> 00:50:08,860
this being Windows XP, I missed the part of code signing

759
00:50:08,860 --> 00:50:12,260
and verified publishers and such

760
00:50:12,260 --> 00:50:17,070
do banks employ these security measures or not?

761
00:50:17,900 --> 00:50:19,860
they do have security measures

762
00:50:19,860 --> 00:50:25,470
but they're only implemented when the XP is running

763
00:50:25,470 --> 00:50:28,890
so they have whitelisting for applications

764
00:50:28,890 --> 00:50:31,110
they have monitoring for the process

765
00:50:31,110 --> 00:50:33,300
and they have an anti-virus

766
00:50:33,300 --> 00:50:34,540
and of course something like that

767
00:50:34,540 --> 00:50:37,870
but in essence everyone can dump their own software on it and run it

768
00:50:37,870 --> 00:50:43,220
there is no whitelist for signatures or publishers, right?

769
00:50:43,220 --> 00:50:44,580
there is a whitelist

770
00:50:44,580 --> 00:50:49,940
actually there is, but that was the point why they did that

771
00:50:49,940 --> 00:50:52,500
via bootable USB stick

772
00:50:52,500 --> 00:50:58,600
because they wrote this DLL just within the system folder

773
00:50:58,600 --> 00:51:02,140
and they have a whitelist for applications, but not for the DLLs

774
00:51:02,140 --> 00:51:05,100
which these applications are using

775
00:51:05,100 --> 00:51:10,820
I mean, it goes without saying that you can take measures to make the ATMs more secure

776
00:51:10,820 --> 00:51:12,660
because this is kind of a trivial attack

777
00:51:12,660 --> 00:51:14,700
and as you said, everybody could do that

778
00:51:14,700 --> 00:51:16,820
and that's kind of the reason why we're giving this talk

779
00:51:16,820 --> 00:51:21,350
it's no use in keeping vulnerabilities secret

780
00:51:21,350 --> 00:51:24,220
they should be like talked about openly

781
00:51:24,220 --> 00:51:27,260
and then people can go and fix their problems, right

782
00:51:27,260 --> 00:51:28,300
thank you

783
00:51:30,090 --> 00:51:36,220
do we have a question from IRC or the community out there?

784
00:51:37,010 --> 00:51:39,660
yes there was one question coming from IRC

785
00:51:39,660 --> 00:51:46,200
which was: how to get on the USB printer port to reverse that machine?

786
00:51:48,100 --> 00:51:50,200
can you repeat the question please?

787
00:51:50,200 --> 00:51:54,540
how to get on the USB port or printer port to reverse that machine?

788
00:51:57,700 --> 00:52:01,820
this was just via cutting a hole into the chassis

789
00:52:01,820 --> 00:52:03,620
so this is just a...

790
00:52:03,620 --> 00:52:05,700
this is no metal, this is not a safe

791
00:52:05,700 --> 00:52:08,180
so this is just a plastic

792
00:52:08,180 --> 00:52:10,200
and there you can just cut a hole in it

793
00:52:10,200 --> 00:52:13,580
and then you can actually access the USB port

794
00:52:13,580 --> 00:52:18,300
I mean, they physically damaged the ATM to be able to access the USB port

795
00:52:18,300 --> 00:52:21,860
and then they had to cut the network connection

796
00:52:21,860 --> 00:52:23,659
and that triggered a reboot

797
00:52:23,659 --> 00:52:25,980
so it's really a trivial attack

798
00:52:25,980 --> 00:52:27,300
not that hard

799
00:52:28,880 --> 00:52:30,260
okay number 4 please

800
00:52:30,880 --> 00:52:32,340
yes

801
00:52:32,340 --> 00:52:33,900
two part question

802
00:52:33,900 --> 00:52:38,860
you would think that banking and money would be a high priority thing to secure

803
00:52:38,860 --> 00:52:41,260
why are they using Windows XP?

804
00:52:41,260 --> 00:52:43,180
and the second one is

805
00:52:43,180 --> 00:52:46,660
*applause*

806
00:52:46,660 --> 00:52:48,300
second one is

807
00:52:48,300 --> 00:52:51,860
if there was a time-frame of I think it was three days between the two attacks

808
00:52:51,860 --> 00:52:55,200
why don't they realize there is a hole cut into their ATM and just...

809
00:52:55,200 --> 00:52:56,660
change it out?

810
00:52:56,660 --> 00:52:59,540
*applause*

811
00:52:59,540 --> 00:53:01,420
there is a...

812
00:53:01,420 --> 00:53:04,700
that depends on the USB port that they used

813
00:53:04,700 --> 00:53:06,380
there is one on the back, so you don't see it

814
00:53:06,380 --> 00:53:08,100
and the other is just...

815
00:53:08,100 --> 00:53:17,100
you can cut that very exactly and then they just repaired it afterwards

816
00:53:17,100 --> 00:53:22,850
they just fixed it

817
00:53:22,850 --> 00:53:24,700
and for the first question

818
00:53:24,700 --> 00:53:30,700
the problem in the main cases is that there are hundreds of thousands of teller machines

819
00:53:30,700 --> 00:53:33,539
for each bank

820
00:53:33,539 --> 00:53:36,140
and that's just the problem

821
00:53:36,140 --> 00:53:38,300
they are of course starting to renew that

822
00:53:38,300 --> 00:53:43,180
but when they are at the end doing that

823
00:53:43,180 --> 00:53:48,660
Windows has already released two newer versions of operating systems

824
00:53:48,660 --> 00:53:51,860
and that's one part of it

825
00:53:51,860 --> 00:53:58,200
and the other thing, if we had Windows 7 here it wouldn't change a thing

826
00:53:58,200 --> 00:54:02,730
I mean, that's probably a question for the banks that we can't really answer

827
00:54:02,730 --> 00:54:06,600
but as long as they're covered by insurances

828
00:54:06,600 --> 00:54:08,140
they don't really have to care

829
00:54:08,140 --> 00:54:09,940
which is of course kind of short sighted

830
00:54:09,940 --> 00:54:14,370
but maybe that's how it works

831
00:54:15,100 --> 00:54:20,300
okay and now the last question from number 1

832
00:54:20,300 --> 00:54:25,500
hi there, I was just curious about this particular ATM model

833
00:54:25,500 --> 00:54:32,380
if we're framing this picture of this is let's say the state of security and ATM technology

834
00:54:32,380 --> 00:54:37,900
or if it's just let's say an example for how to not build an ATM

835
00:54:37,900 --> 00:54:40,740
I mean are these bad guys simply the first who found out

836
00:54:40,740 --> 00:54:43,460
well it's basically that simple

837
00:54:43,460 --> 00:54:48,220
or is it just let's say a really bad model they are exploiting?

838
00:54:50,650 --> 00:54:54,200
that all depends on the original cash client

839
00:54:54,200 --> 00:55:00,340
so the teller machines are all the same, but every bank has its own cash client

840
00:55:00,340 --> 00:55:07,260
it's their own software which is really doing the cashing out

841
00:55:07,260 --> 00:55:09,180
and they're all different

842
00:55:09,180 --> 00:55:12,618
and you have to develop the malware exactly for just one cash client

843
00:55:12,618 --> 00:55:16,380
because it won't work on others

844
00:55:16,380 --> 00:55:18,140
I mean, sorry

845
00:55:18,940 --> 00:55:21,740
I mean also speaking about this physical security

846
00:55:21,740 --> 00:55:24,100
I mean, having an easy accessible USB port

847
00:55:24,100 --> 00:55:29,860
and booting USB images without any additional security measure

848
00:55:29,860 --> 00:55:32,140
I mean, is this state of the art?

849
00:55:33,410 --> 00:55:34,780
no, it's not

850
00:55:34,780 --> 00:55:36,580
actually this has been fixed

851
00:55:36,580 --> 00:55:38,900
because there is a whole disk encryption in place now

852
00:55:38,900 --> 00:55:42,460
that just prevents this way of attack

853
00:55:42,460 --> 00:55:49,980
but yeah, it's not currently implemented at all teller machines

854
00:55:49,980 --> 00:55:52,940
so yes, it's kind of state of the art

855
00:55:52,940 --> 00:55:56,100
yeah, great, thank you

856
00:55:56,100 --> 00:55:58,260
okay then now

857
00:55:58,260 --> 00:56:04,260
thank you to our security researchers

858
00:56:04,260 --> 00:56:07,100
give them a great and warm applause, please

859
00:56:07,100 --> 00:56:10,190
thanks for coming, thank you