Tuesday 6 November 2012

Troj/Skimer-A

The Sophos guys published articles in 2009 about a piece of malware targeting Diebold ATMs:
http://nakedsecurity.sophos.com/2009/03/17/credit-card-skimming-malware-targeting-atms/
http://nakedsecurity.sophos.com/2009/03/17/malware-lurking-atm/
http://nakedsecurity.sophos.com/2009/03/18/details-diebold-atm-trojan-horse-case/

The sample had been requested on kernelmode since August, and I wanted to have a look, but talking about it was not my priority.
There is something wrong with the compilation TimeDateStamp of the malware: 1992-06-19 - 22:22:17

File infos and programming language used

Russian carders looking for the Diebold programming guide:

Apparently this document (Agilis 91x EMV User and Programmer Guide) was leaked:
This kind of leak can help carders develop malware against ATMs, but according to Vanja Svajcer, for Troj/Skimer-A the coder used undocumented Diebold Agilis 91x functions.
(And I've read the Diebold document to compare what is used inside the malware with what is described in the PDF, but nothing really helped me.)

As for physically accessing the ATM and loading the malware... I don't know, but I've found people who buy ATM drives, so I think that with money and the corruption of a privileged insider it's not really a problem.

Dialog:

Send command to the ATM:

Save logs?

Hooks APIs from DbdDevAPI.dll to manipulate the ATM?

Targeted GetProcAddress calls to retrieve functions

Injects a thread into the "mu.exe" process

Creates 2 threads:

Establishes a connection to the service control manager and performs operations on lsass.exe

Shuts down the ATM

Requests a password and, if correct, performs operations on the ATM (probably a protection added by the coder):
1..4 - Dispense cassette
9 - Uninstall
0 - Exit
http://diebolddirect.com/atm-supplies-atm-cassettes.aspx

Requesting a password:

Get the ATM version:

Agent, transaction, card and key numbers:

Probably part of the code used to parse transactions in Ukrainian, Russian and US currencies, if I refer to the Vanja Svajcer article.

Print receipt:

From what I see, the malware can dispense cash, print logs, shut down the ATM, get the ATM version and uninstall itself.
It's a sophisticated and unusual piece; I haven't fully understood what it does (I'm really bad at dead-listing).
Debugging this one on a compromised Diebold would surely not cause me these problems, but anyway, it's the first time I see malware like this.
