The Sophos guys published an article in 2009 about a piece of malware targeting Diebold ATMs:
The sample had been requested on kernelmode since August and I wanted to have a look, but talking about it was not my priority.
File information and the programming language used:
Russian carders looking for the Diebold programming guide:
Apparently this document (Agilis 91x EMV User and Programmer Guide) was leaked:
(And I've read the Diebold document to compare what is used inside the malware with what is described in the PDF, but nothing really helped me.)
As for physically accessing the ATM and loading the malware... I don't know, but I've found people who buy ATM drives, so I think that with money and the corruption of a privileged insider it's not really a problem.
Sending a command to the ATM:
Saving logs?
Hooking APIs from DbdDevAPI.dll to manipulate the ATM?
Targeted GetProcAddress calls used to retrieve functions
Injects a thread into the "mu.exe" process
Creates 2 threads:
Establishes a connection to the service control manager and performs operations on lsass.exe
Shuts down the ATM
Requests a password and, if correct, performs operations on the ATM (probably a protection added by the coder)
1..4 - Dispense cassette
9 - Uninstall
0 - Exit
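The behaviours listed above (DbdDevAPI.dll resolved through GetProcAddress, a thread injected into mu.exe, operations on lsass.exe) can be turned into a simple triage check. The script below is an added example, not code from the original post or from the sample: it pulls printable strings out of a constructed byte blob (not real malware bytes) and flags a file only when several of those indicator groups appear together. Legitimate Diebold software will also reference DbdDevAPI.dll, so a single group hit is noise; the co-occurrence is the signal.

```python
import re

# Constructed stand-in for what strings(1) would pull from a dropped binary.
# Not real malware bytes; the names are the ones cited in the write-up.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 8 +
    b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    b"DbdDevAPI.dll\x00mu.exe\x00lsass.exe\x00"
    b"\x00" * 4 + b"1..4 dispense\x009 uninstall\x000 exit\x00"
)

# Indicator groups taken from the post. Any one alone is expected in
# legitimate Diebold software; hits across several groups are what matter.
INDICATOR_GROUPS = {
    "diebold_api": [b"DbdDevAPI.dll"],
    "dynamic_resolution": [b"GetProcAddress", b"LoadLibraryA", b"LoadLibraryW"],
    "injection_target": [b"mu.exe"],
    "service_tampering": [b"lsass.exe"],
}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len bytes (like strings(1))."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def score_blob(blob: bytes, min_groups: int = 3) -> dict:
    """Count which indicator groups are present; flag when min_groups or more co-occur."""
    strings = extract_strings(blob)
    hits = {}
    for group, needles in INDICATOR_GROUPS.items():
        found = sorted({n.decode() for n in needles if any(n in s for s in strings)})
        if found:
            hits[group] = found
    return {
        "groups_hit": len(hits),
        "hits": hits,
        "suspicious": len(hits) >= min_groups,
    }


if __name__ == "__main__":
    print(score_blob(SAMPLE_BLOB))
```

Run it over real files with `score_blob(open(path, "rb").read())`; treat a hit as a reason to look at the binary, not as a verdict.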
Requesting a password:
Get the ATM version:
Agent, transaction, card and key numbers:
Probably part of the code used to parse transactions in Ukrainian, Russian and US currencies, if I refer to the Vanja Svajcer article.
From what I see, the malware can dispense cash, print logs, shut down the ATM, get the ATM version and uninstall itself.
It's a sophisticated and unusual piece; I haven't fully understood what it does (I'm really bad at dead-listing).
Debugging this one on a compromised Diebold would surely not cause me these problems, but anyway, that's the first time I've seen malware like this.