Ploutus generates a 16 bit long random id for the atm

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: through the use of the .NET library provided by NCR. We don´t know for sure how “public” this library is, but it is known that in some forums this information was sold. TLP: Green 7 New version: Ploutus A month after the discovery of Ploutos, another version of the malware, renamed as Ploutos, was found; and, interestingly enough, the new version is translated to English. As with the previous sample, this new one also uses obfuscation to protect itself, in this case using a widely known Microsoft’s .NET framework packer and obfuscator utility called “Confuser” (version 1.9). Using the latest version of this tool shows that the sample was created recently. This new version of Ploutos was re- engineered with a modular architecture model in mind, so we can assume that this was done on purpose to create a more stable and robust version of the malware. The graphical user interface is not present anymore and the interaction with the malware is done through the ATM’s keypad. A graphical comparison on the classes available within the two samples found is shown below: NEW PLOUTOS OLD PLOUTUS One of the most notable differences in the new version is the lack of GUI, but this is a logical step to reduce the risk of being detected while operating in the bank premises. The new version allows dispensing of money by just pressing some keys on the standard keypad, as a regular user would do. TLP: Green 8 Another main difference is that many of the Spanish words found within the code were removed or changed to...
View Full Document

This document was uploaded on 01/15/2014.

Ask a homework question - tutors are online