![Config. Info. cont..
• Example (service providers):
[HKEY_LOCAL_MACHINESOFTWAREXFSSERVICE_PROVIDERSPIN]
"dllname"="PIN.DLL"
"vendor_name"="XFS Solutions Provider"
"version"="1.0.0"
[HKEY_LOCAL_MACHINESOFTWAREXFSSERVICE_PROVIDERSIDC]
"dllname"="IDC.DLL"
"vendor_name"="XFS Solutions Provider"
"version"="1.0.0"
[HKEY_LOCAL_MACHINESOFTWAREXFSSERVICE_PROVIDERSCDM]
"dllname"="CDM.DLL"
"vendor_name"="XFS Solutions Provoder"
"version"="1.0.0"](https://image.slidesharecdn.com/atmmalware-170227101911/85/ATM-Malware-Understanding-the-threat-11-320.jpg)
![Config. Info. cont..
• Example (logical services)
[HKEY_USERS.DefaultXFSLOGICAL_SERVICESCashDispenser]
"class"="CDM"
“provider"="CDM"
[HKEY_USERS.DefaultXFSLOGICAL_SERVICESPinpad]
"class"="PIN"
“provider"="PIN"
[HKEY_USERS.DefaultXFSLOGICAL_SERVICESMagstripe]
"class"="IDC"
"provider"="IDC"](https://image.slidesharecdn.com/atmmalware-170227101911/85/ATM-Malware-Understanding-the-threat-13-320.jpg)
ATM Malware: Understanding the threat
- 1. ATM Malware: Understanding the Threat Amit Malik Co-Founder @ Cysinfo (https://cysinfo.com) Researcher @ Netskope Linkedin: https://in.linkedin.com/in/doublezer0
- 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is “AS IS” without any warranty or conditions of any kind. Also the views/ ideas/knowledge expressed here are solely of the author’s only and nothing to do with the company or the organisation in which the author is currently working. However in no circumstances neither the speaker nor Cysinfo is responsible for any damage or loss caused due to use or misuse of the information presented here.
- 3. News..
- 4. Agenda • Introduction • XFS subsystem/middleware architecture • XFS Internals • ATM Malware evolution • Case Study RIPPER ATM Malware
- 5. Introduction • ATM (Automated Teller Machine) • As per ATM Industry Association (ATMIA) there are around 3 Million ATMs installed worldwide. • Majority of the ATMs use windows operating system. • WOSA/XFS or CEN XFS is the software standard used by ATM platforms for ATM device interactions. • XFS subsystem basically provides the common API to access and manipulate the ATM devices from different vendors. • Leading ATM vendors: • NCR • Diebold • Wincor
- 7. XFS (eXtensions for Financial Services) Architecture *pic: CEN/XFS Specifications
- 8. XFS APIs • Application uses XFS APIs to communicate with service providers. • APIs can be called synchronously or asynchronously. • XSF manager translates the APIs to SPIs • APIs starts with WFS* • Example: WFSOpen, WFSExecute, WFSGetInfo etc.
- 9. Configuration Information • XFS manager uses configuration information to route APIs to SPIs. • Configuration information is stored in windows registry hives. • PC dependent information is stored under • HKEY_LOCAL_MACHINESOFTWAREXFS • User dependent information is stored under: • HKEY_USERS.DefaultXFS • .Default or user id.
- 10. Config. Info. cont.. • PC dependant information. • XFS_Manager: trace file, share file information etc. • Service_Provider: XFS compliant service provider - dll name, version, vendor name • Physical_service: physical attachments configuration by the solution providers. *pic:CEN/XFS Specifications
- 11. Config. Info. cont.. • Example (service providers): [HKEY_LOCAL_MACHINESOFTWAREXFSSERVICE_PROVIDERSPIN] "dllname"="PIN.DLL" "vendor_name"="XFS Solutions Provider" "version"="1.0.0" [HKEY_LOCAL_MACHINESOFTWAREXFSSERVICE_PROVIDERSIDC] "dllname"="IDC.DLL" "vendor_name"="XFS Solutions Provider" "version"="1.0.0" [HKEY_LOCAL_MACHINESOFTWAREXFSSERVICE_PROVIDERSCDM] "dllname"="CDM.DLL" "vendor_name"="XFS Solutions Provoder" "version"="1.0.0"
- 12. Config. Info. cont.. • User dependent configs • Logical services can provide one or more physical services, for example cash dispenser and coin dispenser can be the part of one logical service. • logical services: service class, service provider (service provider key name in service providers) *pic: CEN/XFS specifications
- 13. Config. Info. cont.. • Example (logical services) [HKEY_USERS.DefaultXFSLOGICAL_SERVICESCashDispenser] "class"="CDM" “provider"="CDM" [HKEY_USERS.DefaultXFSLOGICAL_SERVICESPinpad] "class"="PIN" “provider"="PIN" [HKEY_USERS.DefaultXFSLOGICAL_SERVICESMagstripe] "class"="IDC" "provider"="IDC"
- 14. Important XFS APIs • WFSStartUp - Initiate a connection between an application and the XFS Manager • WFSOpen - Open a session between an application and a service provider • WFSRegister - Enable monitoring of a class of events by an application • WFSExecute - Send service-specific commands to a service provider • WFSGetInfo - Retrieve service-specific information from a service provider • Pretty much all of the APIs can be called Asynchronously except few (eg: WFSStartUp etc.) • Async - WFSAsyncExecute, WFSAsyncOpen, WFSAsyncRegister etc. • Application must perform WFSOpen for each logical service.
- 15. ATM Malware Evolution 2007 2013 2014 2015 2016 Skimer Padpin, Neopocket Ploutus Sucful, GreenDispenser Ripper, Alice
- 16. Case Study • RIPPER ATM Malware • Linked with Bt12 million hack • Targets Major ATM manufactures (NCR, Diebold, Wincor) • Reads both magnetic stripe and EMV chip data. • Cash dispenser functionalities • Lets jump on to the malware code analysis!
- 17. Code…
- 18. Code (path)
- 19. Code..
- 20. Code..
- 21. References • CEN/XFS:https://www.cen.eu/work/areas/ICT/ eBusiness/Pages/CWA16374.aspx • https://www.fireeye.com/blog/threat-research/ 2016/08/ripper_atm_malwarea.html • http://blog.trendmicro.com/trendlabs-security- intelligence/untangling-ripper-atm-malware/