Ploutos_and_ploutus

After this the malware will display the total amount


Both versions use a .NET library provided by NCR to interact with their hardware. We don't know if any vendor other than NCR uses this library as well; if so, this may make them vulnerable to Ploutus.

This version is more silent than the previous one, but is still functional. The infection vector is still physical. The presence of security and anti-virus software in the ATM and the (logical and physical) hardening of the device should be considered vital for avoiding this kind of threat. The success of campaigns like this one could determine the popularity of this kind of attack in the near future.

TLP: Green

Appendix 1: Technical details

Ploutus: Old version

MD5: 488acf3e6ba215edef77fd900e6eb33b
MD5: b9f5bd514485fb06da39beff051b9fdc

Unusually, this malware has its own security measures: an 8-character activation code is needed to start working with the malware. This code is based on the current date.

The payload is packed and stored in a loader as a .NET resource. Both are PE EXE files and both are written in C# with .NET Framework 2.0. The loader decrypts its resource and loads it via Reflection. The payload is installed as a Windows service named "NCRDRVPS". After successful installation the Trojan starts to monitor the keyboard input for commands using the SetWindowsHookEx API with WH_KEYBOARD_LL.

The following commands are supported:
• 12340000: A test command which just prints the current date.
• 12343570: Prints the generated ATM...
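The appendix gives two concrete indicators a defender can act on: the MD5 hashes of the two old-version samples and the Windows service name ("NCRDRVPS") the payload registers itself under. The script below is an added example written for this page, not code from the report or its authors; it takes a file-hash inventory and a service list (both constructed here as sample input), normalises the hash values, and reports which entries match the indicators quoted above. The paths and the non-matching hashes in the sample data are made up; only the two MD5 values and the service name come from the report text.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted from the report text on this page.
PLOUTUS_MD5S = {
    "488acf3e6ba215edef77fd900e6eb33b",
    "b9f5bd514485fb06da39beff051b9fdc",
}
PLOUTUS_SERVICE_NAME = "NCRDRVPS"

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest, used purely as an IoC lookup key (MD5 is fine for matching
    a published indicator, not as a security control)."""
    return hashlib.md5(data).hexdigest()


def hash_file(path: str) -> str:
    """Stream a file from disk in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_file_hashes(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """records: (path, md5hex) pairs, e.g. from an inventory export.
    Hash values are lower-cased before comparison; malformed hashes are skipped,
    not raised, so one bad row cannot abort a whole triage run."""
    hits = []
    for path, digest in records:
        d = (digest or "").strip().lower()
        if not MD5_RE.match(d):
            continue
        if d in PLOUTUS_MD5S:
            hits.append((path, d))
    return hits


def match_services(service_names: Iterable[str]) -> List[str]:
    """Windows service names are case-insensitive, so compare in upper case."""
    return [s for s in service_names if s.strip().upper() == PLOUTUS_SERVICE_NAME]


def triage(records: Iterable[Tuple[str, str]], service_names: Iterable[str]) -> Dict[str, list]:
    """Combine both indicator checks into one report dictionary."""
    return {
        "hash_hits": match_file_hashes(records),
        "service_hits": match_services(service_names),
    }


# Constructed sample input (not data from a real ATM): one row carries a page MD5
# in upper case, one row has a malformed hash, and the service list has the
# page's service name in a different letter case.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\svchost.exe", "0123456789abcdef0123456789abcdef"),
    (r"C:\atm\update\payload.exe", "488ACF3E6BA215EDEF77FD900E6EB33B"),
    (r"C:\temp\unknown.bin", "not-a-hash"),
]
SAMPLE_SERVICES = ["Spooler", "ncrdrvps", "WinDefend"]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY, SAMPLE_SERVICES))
```

On a real host, `hash_file` can feed `match_file_hashes` directly; the service list would come from whatever inventory or SCM export the environment already produces. Hash matching only catches the two samples named in the report, so the service-name check is the more durable of the two indicators for this version.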