Ploutos_and_ploutus

op code 99 the malware will stop its execution by

ID.

• 12343571 + 8 digits: The activation code. The activation date and MD5 hash of the encoded activation code are stored in the configuration file.
• 12343572 + bill index + number of bills: Dispenses the specified money.
• F8F1F7F3F5F4F2 – Shows the GUI. The graphical interface provides the same features.

The malware uses the .NET library, which is presumably made by NCR with public (in terms of .NET) interfaces required to work with ATM hardware. These interfaces include, for example, XFSCashDispenserClass - used to operate the dispenser. This deals with a wide range of events and the Trojan handles almost all of them just by printing the corresponding messages. One exception is AvailabilityChanged. This is used to get information about the remaining bills in the machine's cassettes (1 through 4; via the IXFSCassette2 interface) and to dispense the requested amount of money via SyncDispense. As shown above, hackers can select the number and nominal value of bills as they wish.

TLP: Green

Ploutos: New version

MD5: eca2ca8ecf63816d9a157888e3d871dc

The second version of the Trojan has some differences, starting with the new modular structure and the translation to English:

• The dispatcher and listener were made into separate modules
• The command format was changed
  • The command «2836957412536985» is used to generate a new ATM's ID. It is stored in the configuration file.
  • New commands are now based on a 16-symbol ATM ID. The last 2 digits specify the command. The fol...

This document was uploaded on 01/15/2014.