![Page 2: The Future Of Malware in ATM - Amazon Web Services](https://reader030.vdocumento.com/reader030/viewer/2022012023/6169d74011a7b741a34bf4bb/html5/thumbnails/2.jpg)
Experience
• We have more than 7 years in the information security sector, in defense and banking.
• We have audited ATM models from multiple brands (almost all of them), and we are the company with the most experience auditing ATMs in the region.
• We have experience with XFS software (almost all XFS software).
• In total, more than 44,000 ATMs are covered by some of our recommendations.
• More than 30,000,000 USD in resolved cash-shortage cases.
• We monitor thousands of ATMs with our ATM solutions.
• We have taught ATM security courses to more than 50 banking institutions in Latin America.
• We are members of several ATM security associations and councils.
• We develop security and monitoring solutions for ATMs.

Hardware Anti-skimming
Sensors, anti-cash trapping, cameras, etc.
Software

Number of ATMs worldwide, in millions
The number of ATMs installed worldwide grew by 3% to 3.3 million in 2016. As in recent years, the vast majority of new ATMs were installed in Asia-Pacific.

Number of ATMs per person in Latin America
https://datos.bancomundial.org/indicador/FB.ATM.TOTL.P5?view=chart

Number of ATMs per person in Latin America
http://www.tecnocom.es/-/crece-el-uso-de-cajeros-y-terminales-punto-de-venta-en-latinoamerica

Reported ATM attacks in Europe
EAST also reported a 28% increase in ATM related fraud attacks, up from 8,421 in H1 2015 to 10,820 in H1 2016.
This rise was mainly driven by a 281% increase in Transaction Reversal Fraud (up from 1,270 to 4,840 incidents).
The downward trend for card skimming continues with 1,573 card skimming incidents reported, down 21% from 1,986 in H1 2015.

EUROPOL

Malware

| | Skimer | Ploutus | Padpin/Tyupkin | NeoPocket | Suceful | GreenDispenser | Ripper | Malware Echo in LATAM XD |
|---|---|---|---|---|---|---|---|---|
| Year discovered | 2007 | 2013 | 2014 | 2014 | 2015 | 2015 | 2016 | Sept. 2016 |
| Affected regions | Russia, Ukraine, and EU | Mexico | Europe, Southeast Asia | N/A | N/A | Mexico | Thailand | Mexico |
| Affected vendor | Diebold | NCR | NCR | Diebold | Diebold, NCR | Wincor | Diebold, NCR, Wincor | Diebold, NCR, |
| Installation method on the ATM | Unknown | CD-ROM | CD-ROM | Unknown | N/A | Unknown | Unknown | USB |
| Multiple families or variants | Yes | Yes | No | No | No | No | No | Yes |
| Programming language | Delphi | C# compiled into .NET | C# compiled into .NET | VB | Borland C++ | Visual C++ | Visual C++ | C# compiled into .NET |
| Library used to access peripherals | DbdDevAPI.dll | ncr.aptra.axfs.dll | MSXFS.dll | Does not access peripherals | MSXFS.dll | MSXFS.dll | MSXFS.dll | MSXFS.dll, activexfscontrols.dll |
| Access control implemented | Yes | Yes | Yes | Yes | No | Yes | Unknown | Unknown |
| Dispenses cash | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
| Steals information | Yes | No | No | Yes | Yes | No | Unknown | Yes |
| User menu | Yes | Yes | Yes | No | Yes | Yes | Yes | No |

| | Skimer | Ploutus | Padpin/Tyupkin | NeoPocket | Suceful | GreenDispenser | Ripper | Malware Echo in LATAM XD |
|---|---|---|---|---|---|---|---|---|
| Commands received via | PIN pad | Keyboard, PIN pad, SMS | PIN pad | Raw socket, files | Keyboard, mouse | PIN pad | Keyboard, PIN pad, bank card | Keyboard, PIN pad, raw socket |
| Language of strings | Spanish | English, Spanish | English | Spanish | Russian | English | English | Spanish |
| Steals encrypted data | Yes | No | No | Yes | No | No | No | No |
| Time-limited attack campaign | No | Needs activation every 24hrs | Operates only at certain times | Operates before May 21st, 2014 | No | Operates Jan 1st – Aug 31st 2015 | No | No |
| Persistent across reboots | Yes | Yes | Yes | Yes | No | No | Yes | Yes |
| Disables antivirus | No | No | Yes (via another tool) | Yes | No | No | No | Yes |
| Disables ATM sensors | No | No | No | No | Yes | No | No | No |

This analysis does not include the Ploutus.D, Alice, or ATMitch malware.

[Chart: Malware frequency. X-axis: years 2007, 2013, 2014, 2015, 2016, 2017. Y-axis: frequency in number of times per year, 0 to 4.5 (amount of malicious software identified during the year in question).]

XFS Architecture
The XFS API provides the following functions, which can be used both for normal operation and, indiscriminately, by malware:
• Basic functions – StartUp/CleanUp, Open/Close, Lock/Unlock, and Execute are common to all XFS classes and devices.
• Administrative functions – such as device initialization, reset, suspend, and resume.
• Specific commands – used to request information from a particular service or device and to initiate specific functions.
These specific commands are sent to the devices as parameters of calls such as GetInfo and Execute.

WOSA XFS Multivendor
• void DispenseAndPresent(long Amount, VARIANT NoteCounts, BSTR Currency, BSTR MixAlgorithm, long Timeout)
XFS – Agilis
• WFSExecute(hServ, WFS_CMD_CDM_DISPENSE, (LPVOID) &cmdData, dwTimeOut, &wfsResult);
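
Because legitimate ATM software and malware call the same XFS API, one practical check is which processes load the XFS libraries at all. The following added example (not part of the original deck) flags image-load records in which a process outside an allowlist loads one of the libraries named in the comparison table; the record format, the sample events and the allowlist paths are constructed assumptions.

```python
import ntpath

# Peripheral-access libraries named in the malware comparison table on this page.
XFS_LIBRARIES = {"msxfs.dll", "dbddevapi.dll", "ncr.aptra.axfs.dll",
                 "activexfscontrols.dll"}

# Assumed allowlist of full image paths expected to load XFS on a given ATM build.
# Directory names are hypothetical; derive the real list from a known-good image.
ALLOWED_IMAGES = {
    ntpath.normcase(r"C:\Diebold\Agilis\AgilisShell.exe"),
    ntpath.normcase(r"C:\Program Files\NCR APTRA\ulSysApp.exe"),
}

# Constructed sample records modelled on image-load telemetry (process + loaded module).
SAMPLE_EVENTS = [
    r"Image=C:\Diebold\Agilis\AgilisShell.exe|ImageLoaded=C:\Windows\System32\msxfs.dll",
    r"Image=C:\Users\Public\update.exe|ImageLoaded=C:\Windows\System32\MSXFS.DLL",
    r"Image=C:\Temp\AgilisShell.exe|ImageLoaded=C:\Windows\System32\msxfs.dll",
    r"Image=C:\Program Files\NCR APTRA\ulSysApp.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"Image=E:\svc.exe|ImageLoaded=C:\Diebold\DbdDevAPI.dll",
]

def parse_event(line):
    """Split one 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def flag_unexpected_xfs_loads(lines, allowed=ALLOWED_IMAGES):
    """Return (process path, library) pairs where a non-allowlisted process loads XFS."""
    findings = []
    for line in lines:
        event = parse_event(line)
        library = ntpath.basename(event.get("ImageLoaded", "")).lower()
        if library not in XFS_LIBRARIES:
            continue  # not a peripheral-access library
        image = event.get("Image", "")
        # Compare the full path, not just the file name, so a vendor binary
        # name reused from another directory is still reported.
        if ntpath.normcase(image) not in allowed:
            findings.append((image, library))
    return findings

if __name__ == "__main__":
    for image, library in flag_unexpected_xfs_loads(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded {library}")
```

In production the same comparison would run over the endpoint's real module-load telemetry, which complements the application whitelisting the deck mentions.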

Attacks that require physical access
• Skimer
• Ploutus
• Padpin/Tyupkin
• GreenDispenser
• Alice

Attacks

Network-based attacks
• Attack in Taiwan in July 2016
• Cobalt Strike
• Anunak/Carbanak
• Ripper
• ATMitch

XFS:
• Agilis
• Phoenix
WOSA XFS
• KAL
• NCR
• Dispenser communications can be encrypted
• The EPP can be connected to an HSM
• Network communications can have a VPN configured
• On Windows you can find whitelisting (endpoint security)
Software Exchange Financial Services MALWARE
J/XFS
• Procash/Probase
• Host-ATM communication
• ISO 8583
• NDC/DDC

MALWARE
Hardware
EPP, Dispenser, Card Reader, Printer, Network Card
Windows 7
usboi.sys, snapi.dll
Diebold XFS
Msxfs.dll, Empower, EJD server, Task manager
Services
Java Virtual Machine (JVM)
Diebold
ACU, OSD+, TmpTool.exe, logViewer
Java + Microsoft .NET Framework 4.0
AgilisShell.exe

MALWARE
Hardware
EPP, Dispenser, Card Reader, Printer, Network Connector
Windows 7
usboi.sys, winusb.sys
NCR WOSA-XFS
Msxfs.dll, WOSA services
NCR - ulSysApp.exe
NDC/DDC communications, Program files/NCR Aptra, Program Files/Common files/ncr/ ul*.dll
Microsoft .NET Framework 4.0
NCR System Application
ulmntapp.exe

MALWARE
Middleware
ulcorcom.dll
NcrDisp1.dll, UsbEpp2.dll, NCRUsb80.dll
winusb.sys (kernel)
Dispenser, EPP, Printer
MsXFS.dll

Kalignite Platform
Application Interface: ActiveX (VBScript, Visual Basic, C++, …)
Hardware Interface: independent of vendor (XFS or OPOS)
Kalignite Platform is open at both the application interface and the hardware interface.
[Diagram: Big Bank Server; KAL-based App on ATM Vendor 1; KAL-based App on ATM Vendor 2; KAL-based App on ATM Vendor 3]
The Big Bank application based on the Kalignite Platform works on all vendor hardware.

Taxonomy of an attack

RECOMMENDATIONS

Tool for collaborating on information about attack types
http://atmalerts.org/