ATM malware dispenses cash to attackers

Summary: Kaspersky reports that Backdoor.MSIL.Tyupkin, mostly found in Russia, allows attackers to dispense cash using the keypad and special codes.

A backdoor program allowing cash dispersal has been detected on automated teller machines in multiple countries, although mostly in Russia. Kaspersky Lab reports that the program, designated Backdoor.MSIL.Tyupkin, requires physical access to the ATM system and booting it off of a CD to install the malware.

The malware is now widely detected by security software. It is a 32-bit Windows .NET assembly and affects devices from "a major ATM manufacturer."

Once installed, the malware waits for a user to enter a specific key sequence on the keypad. The sequence is freshly-generated for each session so that the ATM user needs to receive it from the gang that installed the malware and knows the algorithm. Once the initial key sequence is entered, the user at the ATM calls the gang and receives another code specific to the session. All this allows the gang to control the cash obtained precisely.

Once the second key is entered, the malware displays the amount of money in each cash "cassette," and releases 40 notes at a time from the specified cassette.

The malware only accepts commands to dispense cash at specific times on Sunday and Monday nights. Kaspersky says this is to make the scam harder to spot, but it also allows the ringleaders to be on duty to provide codes when the attacks are being performed.

The Kaspersky report does not say how attackers gain physical access to the systems, but clearly it involves a breakdown of physical security. Other software security measures, such as hard disk encryption and BIOS passwords, might have blocked the attack.

Kaspersky reports that they have received 20 reports of Backdoor.MSIL.Tyupkin from Russia, four from France, two each from Israel and China and one each from India, the U.S. and Malaysia.

atm