There is a growing chorus of voices calling for businesses and home users to upgrade existing Windows XP installations to newer versions of Windows, if not for the features, then at least for the improved security and support. ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP. With the looming end-of-life for Windows XP slated for April 8, 2014, the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet. This risk is not hypothetical — it is already happening. Cybercriminals are targeting ATMs with increasingly sophisticated techniques.

In late 2013, we blogged about new ATM malware in Mexico, which could let attackers force ATMs to spew cash on demand using an external keyboard. That threat was named Backdoor.Ploutus. Some weeks later, we discovered a new variant which showed that the malware had evolved into a modular architecture. The new variant was also localized into the English language, suggesting that the malware author was expanding their franchise to other countries. The new variant was identified as Backdoor.Ploutus.B (referred to as Ploutus throughout this blog).

What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible but this technique is being used in a number of places across the world at this time.

In this blog, we will show you how this functionality works.



Figure 1. How attackers withdraw cash from an ATM using a phone

Connecting a mobile phone to the ATM

The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM. There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).

The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used.

Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.

Sending SMS messages to the ATM

After the mobile phone is connected to the ATM and set up is completed, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable.

The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM. As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus. An example of such a command is shown below:

cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985

In previous versions of Ploutus, the master criminal would have to share these digits with the money mule, which could allow the money mule to defraud the master criminal if they realize what the code allows them to do. In this version of Ploutus, the mule never sees the 16 digits, giving the master criminal added security and the ability to centrally control cash withdrawals. The code is active for 24 hours.

Using SMS messages to remotely control the ATM is a much more convenient method for all of the parties in this scheme, because it is discrete and works almost instantly. The master criminal knows exactly how much the money mule will be getting and the money mule does not need to linger for extended periods around an ATM waiting for it to issue the cash. The master criminal and money mule can synchronize their actions so that the money is issued just as the money mule pretends to withdraw cash or is walking past the ATM.

Putting it all together

Now that we have looked into the details of how this scheme works, here’s an overview of how it all fits together.



Figure 2. Ploutus ATM attack overview

Process overview

The attacker installs Ploutus on the ATM and connects a mobile phone to the machine with a USB cable. The controller sends two SMS messages to the mobile phone inside the ATM. SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM. SMS 2 must contain a valid dispense command to get the money out. The phone detects valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet. In the ATM, the network packet monitor module receives the TCP/UDP packet and if it contains a valid command, it will execute Ploutus. Ploutus causes the ATM to spew out the cash. The amount of cash dispensed is pre-configured inside the malware. The cash is collected from the ATM by the money mule.

What can be done to protect ATMs?

Modern ATMs have enhanced security features, such as encrypted hard-drives, which can prevent these types of installation techniques. However, for older ATMs still running on Windows XP, protecting against these types of attacks is more challenging, especially when the ATMs are already deployed in all sorts of remote locations. Another difficulty that needs to be addressed is the physical security of the computer inside the ATMs. While the ATM’s money is locked inside a safe, the computer generally is not. Without adequate physical security for these older ATMs, the attacker has the upper hand.

A number of measures could be taken to make things more difficult for the criminals. These include:

Upgrading to a supported operating system such as Windows 7 or 8

Providing adequate physical protection and considering CCTV monitoring for the ATM

Locking down the BIOS to prevent booting from unauthorized media, such as CD ROMs or USB sticks

Using full disk encryption to help prevent disk tampering

Using a system lock down solution such as Symantec Data Center Security: Server Advanced (previously known as Critical System Protection)

With all these measures in place, attackers would find it much harder to compromise an ATM without a complicit insider.

Symantec’s consumer, endpoint and server protection solutions will continue to support Windows XP systems for the foreseeable future; however, we strongly recommend that Windows XP users should upgrade to a more current operating system as soon as possible.