Backdoor.Ploutus Reloaded – Ploutus Leaves Mexico

On September 4, 2013, we were the first to discover and add detections for a new malware family targeting ATMs, named Backdoor.Ploutus, as reported in our Rapid Release Definitions. Recently, we identified a new variant of this threat and realized that it has been improved and translated into English, suggesting that the attackers are now targeting the same ATM software in other countries.

Symantec added a generic detection for this new variant as Backdoor.Ploutus.B on October 25, 2013, so that Ploutus is detected both when it is inactive on disk and when it is running.

Infection methodology

According to external sources, the malware is transferred to the ATM by physically inserting a new boot disk into the CD-ROM drive. Booting from that disk then copies the malware onto the ATM.

The criminals have ported the malware to a more robust architecture and translated it into English, which suggests that they know the same ATM software can be exploited in countries outside Latin America.

The number of banks affected by Backdoor.Ploutus.B is out of the scope of this research and it should be handled by the affected parties.

New characteristics for Backdoor.Ploutus.B

The binary name of the English version is “Ploutos.exe” instead of “PloutusService.exe”, and the malware has been changed from a standalone program to a modular architecture.

Figure 1. Ploutus modular architecture

The new NCRDRVP service is highly obfuscated, hides its malicious actions to avoid detection, and may perform the following actions:

  • Install or uninstall the service
  • Perform keyboard hooking
  • Load the Dispatcher DLL
  • Receive commands from the criminals through the ATM keypad
  • Forward the commands to the Dispatcher through a raw socket

The Dispatcher listens for instructions on a raw socket. A raw socket is harder to spot than a conventional listener because it is not bound to a TCP or UDP port, so it does not appear among the system's TCP and UDP listeners (for example, in netstat output). The Dispatcher may perform the following actions:

  • Parse the received commands to make sure they are valid
  • Execute Ploutus through command line arguments

Backdoor.Ploutus.B has the same interface (the NCR.APTRA.AXFS class) and still concentrates on dispensing money, but there are several differences. This version has the following characteristics:

  • It can print the entire ATM configuration if a USB Printer is connected to the machine (the Spanish version sends this information to a log file instead)
  • It does not feature a graphical user interface (GUI) and instead accepts commands from the ATM keypad
  • It will display a window to the attacker describing the money available in the ATM and a transaction log while dispensing the money
  • It does not offer support for a keyboard to be connected to the ATM
  • It withdraws money from the cassette with the most available bills, but lacks the option to enter a specific bill amount

Figure 2. Window showing money available in compromised ATM

Actions performed by Backdoor.Ploutus.B

The new version has the same functionalities as the old version:

  • Generates a random number and assigns it to the compromised ATM based on the current date at the time of infection
  • Sets a timer to dispense money (the malware will only dispense money in the first 24 hours after it is activated)
  • Dispenses money from the cassette with the most available bills

Interacting with Backdoor.Ploutus.B through the ATM keypad

The attackers send a 16-digit command code using the ATM keypad, which is received by the NCRDRVP service:

  • 123456789ABCDEFG

The code is then forwarded to the Dispatcher through the raw socket. The Dispatcher then passes a 33-character instruction (a fixed 16-digit prefix, an equals sign, and the 16-digit code) to Ploutus on the command line:

  • cmd.exe /c Ploutos.exe 5449610000583686=123456789ABCDEFG

If the last 16 digits are equal to 2836957412536985, Ploutus will generate an ATM ID. Once an ATM ID exists, the attackers enter the same 16 digits but replace the final two in order to perform various actions.

If the final two digits are 99:

  • Ploutus will be terminated

If the final two digits are 54:

  • The ATM ID will be activated through a code generated from an encoded ATM ID and the current date. This value is stored in the DATAC entry in the config.ini file. A valid ATM activation code must be obtained in order for the ATM to dispense cash, so the person at the keypad cannot cash out without whoever computes the activation code.
  • A timer will be set to dispense the money and its value will be stored in the DATAB entry in the config.ini file.

If the final two digits are 31:

  • The ATM will dispense money and print the entire ATM configuration if a USB printer is connected
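The keypad-to-command-line flow described above, written out as an added example (this is not the malware's code or Symantec's). It validates the 33-character Dispatcher instruction, classifies the 16-digit code into the actions listed, tracks the ATM-ID / activation / 24-hour-window state, and scans process-creation log lines for the Ploutos.exe command line. The log lines are constructed, and derive_atm_id and derive_activation_code are stand-ins: the page says the ATM ID is a random number tied to the infection date and that the activation code is derived from the encoded ID and the date, but not how either is computed.

```python
import hashlib
import random
import re
from datetime import datetime, timedelta

DISPATCHER_PREFIX = "5449610000583686"   # fixed 16 digits the Dispatcher prepends
GENERATE_ID_CODE = "2836957412536985"    # keypad code that makes Ploutus generate an ATM ID
ACTION_STEM = GENERATE_ID_CODE[:-2]      # same code; the final two digits select the action
ACTIONS = {"99": "terminate", "54": "activate", "31": "dispense"}
DISPENSE_WINDOW = timedelta(hours=24)    # dispensing only works for 24h after activation
# The Dispatcher's command line as it would appear in a process-creation log entry.
CMDLINE_RE = re.compile(r"Ploutos\.exe\s+(?P<prefix>\d{16})=(?P<code>[0-9A-Za-z]{16})\b")

def parse_instruction(instruction):
    """Validate the 33-character 'prefix=code' instruction and return the 16-character
    keypad code, or None if it is malformed (the Dispatcher's validity check)."""
    if len(instruction) != 33 or instruction[16] != "=":
        return None
    prefix, code = instruction[:16], instruction[17:]
    if prefix != DISPATCHER_PREFIX or not code.isalnum():
        return None
    return code

def classify_code(code):
    """Map a 16-character keypad code to the action Ploutus would take."""
    if code == GENERATE_ID_CODE:
        return "generate_atm_id"
    if code[:-2] == ACTION_STEM:
        return ACTIONS.get(code[-2:], "unknown")
    return "unknown"

def derive_atm_id(now):
    """ASSUMED stand-in: the page only says the ID is a random number tied to the date."""
    return random.Random(now.strftime("%Y%m%d")).randrange(10**8)

def derive_activation_code(atm_id, now):
    """ASSUMED stand-in for the code derived from the encoded ATM ID and the date."""
    return hashlib.sha256(f"{atm_id}:{now:%Y%m%d}".encode()).hexdigest()[:16]

class PloutusState:
    """State machine for the generate-ID / activate / dispense / terminate flow."""

    def __init__(self):
        self.atm_id = None
        self.activated_at = None
        self.config = {}          # stand-in for the DATAC / DATAB entries of config.ini

    def handle(self, code, now):
        action = classify_code(code)
        if action == "generate_atm_id":
            self.atm_id = derive_atm_id(now)
            return "atm_id"
        if self.atm_id is None:
            return "rejected"     # nothing else is accepted before an ID exists
        if action == "terminate":
            return "terminated"
        if action == "activate":
            self.config["DATAC"] = derive_activation_code(self.atm_id, now)
            self.config["DATAB"] = now.isoformat()   # start of the dispense timer
            self.activated_at = now
            return "activated"
        if action == "dispense":
            if self.activated_at is None or now - self.activated_at > DISPENSE_WINDOW:
                return "rejected"  # not activated, or the 24-hour window has passed
            return "dispense"
        return "rejected"

def scan_process_log(lines):
    """Return (line, action) for every log line carrying the Ploutos.exe command line."""
    hits = []
    for line in lines:
        m = CMDLINE_RE.search(line)
        if m:
            code = parse_instruction(f"{m['prefix']}={m['code']}")
            hits.append((line.strip(), classify_code(code) if code else "malformed"))
    return hits

# Constructed process-creation log lines, not real telemetry.
SAMPLE_LOG = [
    '09:12:01 ProcessCreate CommandLine="cmd.exe /c Ploutos.exe 5449610000583686=2836957412536985"',
    '09:13:44 ProcessCreate CommandLine="cmd.exe /c Ploutos.exe 5449610000583686=2836957412536954"',
    '09:15:09 ProcessCreate CommandLine="cmd.exe /c Ploutos.exe 5449610000583686=2836957412536931"',
    '09:20:00 ProcessCreate CommandLine="svc.exe -run"',
]

def simulate_session():
    """Replay a mule's keypad sequence, including one attempt after the window closes."""
    state, t0 = PloutusState(), datetime(2013, 10, 25, 9, 0)
    steps = [("2836957412536931", t0),                        # dispense before an ID exists
             ("2836957412536985", t0),                        # generate the ATM ID
             ("2836957412536954", t0),                        # activate; timer starts
             ("2836957412536931", t0 + timedelta(hours=23)),  # inside the 24-hour window
             ("2836957412536931", t0 + timedelta(hours=25)),  # window expired
             ("2836957412536999", t0 + timedelta(hours=25))]  # terminate
    return [state.handle(code, when) for code, when in steps]

if __name__ == "__main__":
    print(scan_process_log(SAMPLE_LOG), simulate_session(), sep="\n")
```

The scanner is the part worth lifting into a detection rule: the fixed 16-digit prefix followed by "=" and a 16-character code on a Ploutos.exe command line is a narrow pattern, and the action label tells the analyst whether the mule was still enrolling the machine or already cashing out.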

Dispense process compromised

  1. Ploutus will identify the number of dispenser devices in the ATM.
  2. It then obtains the number of available cassettes per dispenser and loads them. The malware assumes a maximum of four cassettes per dispenser, since it is written for a known ATM model.
  3. Next, it calculates the amount to dispense from a hard-coded bill count of 40, multiplied by the cash unit value (the denomination) of the cassette.
  4. It then starts the cash dispensing operation. If any cassette has fewer than 40 bills available, it finds the cassette with the most available bills and dispenses all the money from that cassette only.
  5. It will open a panel (see Figure 2) that displays the details of the transaction as well as the remaining money in the ATM. It will then hide the panel.
  6. Finally, it will repeat step four every time Ploutus is requested to dispense money.
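The cassette selection in steps 2 to 4 and the repetition in step 6, as an added example that is not the malware's code. The cassette contents are constructed, and the reading of step 4 is an assumption: 40 bills from the cassette holding the most bills, or every bill in it when it holds fewer than 40. The running total is the figure the Figure 2 panel reports, which makes the same function usable for reconstructing what a drained machine should have logged.

```python
BILL_COUNT = 40       # hard-coded bill count per dispense request
MAX_CASSETTES = 4     # the malware assumes at most four cassettes per dispenser

def plan_dispense(dispensers):
    """Pick the cassette with the most bills across all dispensers.

    dispensers: list of dispensers, each a list of (unit_value, units) cassettes.
    Returns (dispenser_index, cassette_index, bills, amount), or None if the ATM
    is empty. Reading of step 4 (an assumption): 40 bills from the fullest cassette,
    or every bill it holds when there are fewer than 40.
    """
    best = None
    for d, cassettes in enumerate(dispensers):
        for c, (unit_value, units) in enumerate(cassettes[:MAX_CASSETTES]):
            if best is None or units > best[2]:
                best = (d, c, units, unit_value)
    if best is None or best[2] == 0:
        return None
    d, c, units, unit_value = best
    bills = min(BILL_COUNT, units)
    return (d, c, bills, bills * unit_value)

def remaining_total(dispensers):
    """Cash still in the ATM, the figure the Figure 2 panel reports."""
    return sum(v * n for cassettes in dispensers for v, n in cassettes)

def dispense(dispensers):
    """Apply one dispense request in place; returns (plan, cash remaining)."""
    plan = plan_dispense(dispensers)
    if plan is not None:
        d, c, bills, _ = plan
        unit_value, units = dispensers[d][c]
        dispensers[d][c] = (unit_value, units - bills)
    return plan, remaining_total(dispensers)

def drain(dispensers):
    """Repeat the request (step 6) until the ATM is empty; returns each amount."""
    amounts = []
    while True:
        plan, _ = dispense(dispensers)
        if plan is None:
            return amounts
        amounts.append(plan[3])

def sample_atm():
    """Constructed load: one dispenser with four (unit_value, units) cassettes."""
    return [[(100, 55), (200, 30), (500, 12), (50, 0)]]

if __name__ == "__main__":
    atm = sample_atm()
    print("loaded:", remaining_total(atm))
    print("dispensed per request:", drain(atm))
```

With the sample load, the first request takes 40 bills of 100, the second empties the 30-bill cassette because it now holds the most bills and is under 40, and two more requests empty the rest; the order depends on bill counts, not denominations, which is why the malware cannot be told to take a specific amount.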

ATMs spewing cash at a location near you

This discovery underlines the increasing level of cooperation between traditional physical-world criminals and hackers and cybercriminals. With the ever increasing use of technology in all aspects of security, traditional criminals are realizing that, to carry out successful heists, they now require a set of skills that wasn't needed in the past. The modern-day bank robbers need skilled IT practitioners on their team to help them carry out their heists. This isn't just happening in films, it's happening in real life, but this issue does not directly affect ATM users; in this case, financial institutions are the targets. Symantec recommends the following best practices:

  • Configure the BIOS boot order to boot only from the hard disk (not from CD/DVD or USB)
  • Secure the BIOS with a password so that attackers cannot reconfigure the boot options
  • Consider physically removing the CD/DVD drive and any other removable-media hardware the machine could boot from
  • Ensure that AV signatures and security solutions are up to date

A BIOS password only raises the bar: an attacker with unsupervised physical access can reset it or remove the disk, so these settings complement physical protection of the ATM enclosure rather than replace it.

reCAPTCHAs are finally readable by normal humans

Google today announced that reCAPTCHAs served up to humans are finally readable without the need to squint your eyes or bang your keyboard in frustration after typing the wrong sequence of letters five times in a row. Who can even read those things, amirite?

Google has figured out how to tell if you're a human or a bot, and if you're human you get an easy CAPTCHA. We've asked Google why a CAPTCHA would be necessary at all if the company already knows you're human, but we haven't received an answer yet. Anyway, Google reCAPTCHA Product Manager Vinay Shet writes in a blog post:

The updated system uses advanced risk analysis techniques, actively considering the user’s entire engagement with the CAPTCHA—before, during and after they interact with it. That means that today the distorted letters serve less as a test of humanity and more as a medium of engagement to elicit a broad range of cues that characterize humans and bots.

As part of this, we’ve recently released an update that creates different classes of CAPTCHAs for different kinds of users. This multi-faceted approach allows us to determine whether a potential user is actually a human or not, and serve our legitimate users CAPTCHAs that most of them will find easy to solve. Bots, on the other hand, will see CAPTCHAs that are considerably more difficult and designed to stop them from getting through.

reCAPTCHA was developed at Carnegie Mellon University and acquired by Google in 2009. In addition to protecting websites from robots, the text typed in by humans helps digitize the text of books.

Dear AV provider: Do you enable NSA spying? Yours, EFF

The Electronic Frontier Foundation, security expert Bruce Schneier, and 23 others have called on antivirus providers around the world to protect their users against malware spawned by the National Security Agency and other groups that carry out government surveillance.

The move comes amid revelations that the NSA has a wide-ranging menu of software exploits at its disposal that have been used to identify users of the Tor anonymity service, track iPhone users, and monitor the communications of surveillance targets. Schneier has said that the NSA only relies on these methods when analysts have a high degree of confidence that the malware won't be noticed. That means detection by AV programs could make the difference between such attacks succeeding, failing, or being used at all.

"As a manufacturer of antivirus software, your company has a vital position in providing security and maintaining the trust of internet users as they engage in sensitive activities such as electronic banking," the 25 signatories wrote in an open letter sent on Thursday to AV companies. "Consequently, there should be no doubt that your company's software provides the security needed to maintain this trust."

Lightbeam: Mozilla releases add-on that reveals online data tracking

Mozilla has released Lightbeam, a Firefox add-on that aims to help people understand and visualize the data tracking that occurs online.

Lightbeam is the second iteration of an experimental add-on called Collusion, which was a personal project launched by Mozilla software developer Atul Varma. The browser extension creates a real-time graph of all of the tracking cookies being deposited on your browser as you move from site to site. It can distinguish between behavioral tracking cookies and non-behavioral ones. The idea is that users can better understand which sites are using the same behaviorally targeted advertisements (ahem, Criteo).

The tool aims to highlight both the first- and third-party companies that people interact with as they travel across the Web. It shows a map of the websites you visit and highlights the third parties that are also active on those pages, and it analyzes the relationships between the first- and third-party sites recorded in your browsing data.
