Viruses and Worms

Microsoft Patches Office Bug Actively Being Exploited - 10 October, 2017 - 22:44
Microsoft’s Patch Tuesday security bulletin includes 62 fixes for vulnerabilities tied to Office, SMB1 and the Windows DNS client.
Category: Viruses and Worms

Apple's iOS password prompts prime punters for phishing: Too easy now for apps to swipe secrets, dev warns

The Register - Anti-Virus - 10 October, 2017 - 21:39
Fake login request boxes spark formal bug report

Apple, we have a problem. A bug report filed Monday through Open Radar – which mirrors bug reports developers submit to Apple's private bug tracking system – suggests that password prompts in iOS apps can be misused to steal passwords and other secrets.…

Category: Viruses and Worms

Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket - 10 October, 2017 - 21:32
Global consulting firm Accenture is the latest giant organization leaving sensitive internal and customer data exposed in a publicly available Amazon Web Services S3 storage bucket.
Category: Viruses and Worms

Microsoft Patches Critical Windows DNS Client Vulnerabilities - 10 October, 2017 - 20:00
Microsoft patched three memory corruption vulnerabilities in the Windows DNS client that could be abused by a man-in-the-middle attacker to run arbitrary code.
Category: Viruses and Worms

Porn Site Becomes Hub for Malvertising Campaigns - 10 October, 2017 - 19:53
A popular porn site is used by KovCoreG Group to launch multiple malvertising campaigns exposing millions to fake browser updates and malware.
Category: Viruses and Worms

Hackers in Arab world collaborate more than hoodie-clad Westerners

The Register - Anti-Virus - 10 October, 2017 - 18:02
Ideological unity drives 'spirit of sharing' in crimeware market

Cybercriminals in the Arab states are some of the most cooperative in the world, according to Trend Micro this week.…

Category: Viruses and Worms

Why it’s time to stop calling users “n00bs” and “1d10ts”

Sophos Naked Security - 10 October, 2017 - 18:01
We've tried blaming users for 30 years, and it hasn't worked. Here's a new way - listen to them and get them on your side...

Learning from the Disqus data breach

Sophos Naked Security - 10 October, 2017 - 17:56
What does the Disqus data breach tell us about security?

Overdraft-fiddling hackers cost banks in Eastern Europe $100m

The Register - Anti-Virus - 10 October, 2017 - 15:14
Mules open forged accounts, crooks clear them out from foreign ATMs

Hybrid cyber attacks on banks in former Soviet states have already resulted in estimated losses of $100m.…

Category: Viruses and Worms

Busted! Founder sells $51m website, hacks it, tries to sell site its own data

Sophos Naked Security - 10 October, 2017 - 13:28
What's worse than Dracula sucking your blood? Dracula sucking your blood and then trying to sell it back to you

Real Mad-quid: Murky cryptojacking menace that smacked Ronaldo site grows

The Register - Anti-Virus - 10 October, 2017 - 13:21
They’re taking our processor cycles

Cryptojacking is well on its way to becoming a new menace to internet hygiene.…

Category: Viruses and Worms

ATMii: a small but effective ATM robber

Kaspersky Securelist - 10 October, 2017 - 11:00

While some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money. We have written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.

ATMii was first brought to our attention in April 2017, when a partner from the financial industry shared some samples with us. The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM.

exe.exe – an injector and control module

The injector is an unprotected command line application, written in Visual C, with a compilation timestamp of Fri Nov 01 14:33:23 2013 UTC. Since this timestamp is from 4 years ago – and we do not think this threat could have gone unnoticed for 4 years – we believe it is fake. Also interesting is which OS the malware supports: one more recent than Windows XP. We can see this in the image below, where the first argument to the OpenProcess() function is 0x1FFFFu.

OpenProcess call with the PROCESS_ALL_ACCESS constant

It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP (see the picture below). This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.

A list of PROCESS_ALL_ACCESS values per Windows version

The injector, which targets the atmapp.exe (proprietary ATM software) process, is fairly poorly written, since it depends on several parameters. If none are given, the application catches an exception. The parameters are pretty self-explanatory:

param    description
/load    Tries to inject dll.dll into the atmapp.exe process
/cmd     Creates/updates the C:\ATM\c.ini file to pass commands and params to the infected library
/unload  Tries to unload the injected library from the atmapp.exe process, while restoring its state

/load param

<exe.exe> /load

The application searches for a process named atmapp.exe and injects code into it that loads the “dll.dll” library (which has to be in the same folder as the exe.exe file). Once the library has been loaded, its DllMain function is called.

/unload param

<exe.exe> /unload

As the name already suggests, it is the opposite of the /load parameter; it unloads the injected module and restores the process to its original state.

/cmd param

<exe.exe> /cmd [cmd] [params]

The application creates/updates C:\ATM\c.ini which is used by the injected DLL to read commands. The file is updated each time the .exe is run with the /cmd param.

Contents of c.ini after execution of “exe.exe /cmd info”

The executable understands the following set of commands:

command  description
scan     Scans for the CASH_UNIT XFS service
disp     Stands for “dispense”. The injected module should dispense “amount” cash of “currency” (amount and currency are passed as parameters)
info     Gets info about the ATM cash cassettes; all the returned data goes to the log file
die      The injected module removes the C:\ATM\c.ini file

dll.dll – injected module

After injection and execution of the DllMain function, the dll.dll library loads msxfs.dll and replaces the WFSGetInfo function with a special wrap function, named mWFSGetInfo.

At the time of the first call to the fake WFSGetInfo function, C:\ATM\c.ini is ignored and the library tries to find the ATM’s CASH_UNIT service id and stores the result, basically in the same way as the scan command does. If the CASH_UNIT service is not found, dll.dll won’t function. However, if successful, all further calls go to the mWFSGetInfo function, which performs the additional logic (reading, parsing and executing the commands from the C:\ATM\c.ini file).

Contents of C:\ATM\c.ini after execution of “exe.exe /cmd disp RUB 6000”

Below is an output of the strings program uncovering some interesting log messages and the function names to be imported. The proprietary MSXFS.DLL library and its functions used in the ATMii malware are marked with red boxes.

“scan” command

Because of the architecture of XFS, which is divided into services, the injected library first needs to find the dispense service. This command must be successfully called, because the disp and info commands depend on the service id retrieved by scan. Scan is automatically called after the dll has been injected into atmapp.exe.

After collecting the WFS_INF_CDM_STATUS data, additional data gets added to the tlogs.log. An example can be found below:

(387):cmd_scan() Searching valid service
(358):FindValidService() Checking device index=0
(70):CheckServiceForValid() ————————————————
(72):CheckServiceForValid() Waiting for lock
(76):CheckServiceForValid() Device was locked
(86):CheckServiceForValid() WFSGetInfo Success 0
(182):CheckServiceForValid() Done-> szDevice: WFS_CDM_DEVONLINE, szDispenser: WFS_CDM_DISPOK, szIntermediateStacker: WFS_CDM_ISEMPTY, szSafeDoor: WFS_CDM_DOORCLOSED
(195):CheckServiceForValid() Unlocking device
(390):cmd_scan() Service found 0

Part of a possible tlogs.log after a successfully executed “scan” command

“info” command

Before the criminals can dispense cash, they first need to know the exact contents of the different cassettes. For this, they use the info command which provides exhaustive information on all cassettes and their contents. The list of used XFS API functions is the same as with the scan command, but this time WFSGetInfo is called with the WFS_INF_CDM_CASH_UNIT_INFO (303) constant passed as a param.

Below is an example of the data in log file returned by the info command.

(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = info
(402):cmd_info() ! hFoundGlobalService = 0
(213):GetDeviceInformation() ————————————————
(220):GetDeviceInformation() Device locked 0
(337):GetDeviceInformation() Module: C:\program files\dtatmw\bin\atmapp\atmapp.exe
Cash Unit # 1, name=SOMENAME
Type: 3
Status: HIGH
Currency ID: 0x52-0x55-0x42
Note Value: 5000
Notes Count: 3000
Notes Initial Count: 3000
Notes Minimum Count: 10
Notes Maximum Count: 0

Part of a possible tlogs.log after a successfully executed “info” command

“disp” command

The dispense command is followed by two additional params in the command file: currency and amount. Currency must be one of the three-letter currency codes of the notes recorded in the CASH_UNIT_INFO structure (currency codes are defined in ISO 4217, e.g. RUB, EUR). The amount parameter holds the amount of cash to dispense, and this value must be a multiple of ten.

“die” command

Does nothing except delete the C:\ATM\c.ini command file.


ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks.
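For incident responders, the tlogs.log file the injected module writes is the most useful artefact the article describes. The following script is an added example, not Kaspersky's code and not part of the malware: it parses log lines in the "(line):function() message" shape quoted above, extracts the commands that were executed and the cassette contents reported by the info command, and decodes the XFS currency ID bytes back into the ISO 4217 code. The sample log is constructed from the article's scan and info excerpts; the trailing "CMD = disp" line and the set of indicator function names are assumptions made for this example.

```python
"""Triage helper for the tlogs.log artefact ATMii leaves on an infected ATM.

Added example (not Kaspersky's code and not part of the malware). It assumes
the log format quoted in the article: "(<line>):<function>() <message>" lines,
with the info command adding a cassette block of "Key: Value" lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LINE_RE = re.compile(r"^\((\d+)\):(\w+)\(\)\s*(.*)$")
CASSETTE_RE = re.compile(r"^Cash Unit # (\d+), name=(\S+)$")
KV_RE = re.compile(r"^([A-Za-z ]+): (.+)$")

# Function names taken from the article's log excerpts. Any of them in a log on
# an ATM indicates that the injected dll.dll has executed (assumed indicator set).
ATMII_FUNCTIONS: Set[str] = {
    "cmd_scan", "FindValidService", "CheckServiceForValid",
    "ExecuteCmd", "cmd_info", "GetDeviceInformation",
}

# Constructed sample log: the scan and info excerpts from the article, followed
# by an assumed "CMD = disp" line in the same format (the article shows no such line).
SAMPLE_LOG = r"""
(387):cmd_scan() Searching valid service
(358):FindValidService() Checking device index=0
(86):CheckServiceForValid() WFSGetInfo Success 0
(390):cmd_scan() Service found 0
(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = info
(402):cmd_info() ! hFoundGlobalService = 0
(337):GetDeviceInformation() Module: C:\program files\dtatmw\bin\atmapp\atmapp.exe
Cash Unit # 1, name=SOMENAME
Type: 3
Status: HIGH
Currency ID: 0x52-0x55-0x42
Note Value: 5000
Notes Count: 3000
(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = disp
"""


def decode_currency_id(raw: str) -> str:
    """Turn '0x52-0x55-0x42' into 'RUB': the bytes are the ISO 4217 code."""
    return "".join(chr(int(tok, 16)) for tok in raw.split("-"))


@dataclass
class Cassette:
    number: int
    name: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def currency(self) -> Optional[str]:
        raw = self.fields.get("Currency ID")
        return decode_currency_id(raw) if raw else None


@dataclass
class Triage:
    commands: List[str]          # commands executed, in order ("info", "disp", ...)
    functions_seen: Set[str]     # malware-internal function names found in the log
    cassettes: List[Cassette]    # cassette contents reported by the info command

    @property
    def looks_like_atmii(self) -> bool:
        return bool(self.functions_seen & ATMII_FUNCTIONS)


def triage_log(text: str) -> Triage:
    """Parse a tlogs.log body and summarise what the injected module did."""
    commands: List[str] = []
    seen: Set[str] = set()
    cassettes: List[Cassette] = []
    current: Optional[Cassette] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current = None                      # a new "(N):func()" line ends a cassette block
            _, func, msg = m.groups()
            seen.add(func)
            if func == "ExecuteCmd" and msg.startswith("CMD = "):
                commands.append(msg[len("CMD = "):].strip())
            continue
        m = CASSETTE_RE.match(line)
        if m:
            current = Cassette(int(m.group(1)), m.group(2))
            cassettes.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current.fields[m.group(1)] = m.group(2)
    return Triage(commands, seen, cassettes)


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print("ATMii indicators present:", result.looks_like_atmii)
    print("commands executed:", result.commands)
    for c in result.cassettes:
        print(f"cassette {c.number} ({c.name}): {c.currency}, note value "
              f"{c.fields.get('Note Value')}, notes {c.fields.get('Notes Count')}")
```

Run against a real tlogs.log the script reports whether any of the malware's internal function names appear, which commands were issued through c.ini, and what the cassettes held at the time of the info call, which is the information needed to reconcile a dispense against the ATM's own transaction records.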

Montreal will host VB2018

Virus Bulletin News - 10 October, 2017 - 10:12
Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

Category: Viruses and Worms

Leaky-by-design location services show outsourced security won't ever work

The Register - Anti-Virus - 10 October, 2017 - 09:03
Google and Facebook can't – or won't – anticipate misuses of data that shouldn't exist

We’re leaking location data everywhere, and it's time to fix it by design.…

Category: Viruses and Worms

Smut-watchers suckered by evil advertising

The Register - Anti-Virus - 10 October, 2017 - 03:28
'Millions' of Pr0rnHüb visitors offered fake browser updates

Security bods have closed off a malvertising campaign, spread through an ad network, that targeted smut site P0rnHub.…

Category: Viruses and Worms

5 security mistakes your IT team wish you wouldn’t make

Sophos Naked Security - 9 October, 2017 - 19:32
Your IT team will thank you for reading it!

How to do cybersecurity at work

Sophos Naked Security - 9 October, 2017 - 17:58
This week in National Cybersecurity Awareness Month is about how to do cybersecurity at work - and we mean all of us, not just IT!

FormBook Malware Targets US Defense Contractors, Aerospace and Manufacturing Sectors - 9 October, 2017 - 17:00
FormBook info-stealing malware has been part of two recent distribution campaigns and is being sold on the Dark Web for as little as $29 a week.
Category: Viruses and Worms

Fending off cyber attacks as important as combatting terrorism, says new GCHQ chief

The Register - Anti-Virus - 9 October, 2017 - 16:01
Director Jeremy Fleming sets out priorities for intel agency

Keeping the UK safe from cyber attacks is now as important as fighting terrorism, the new GCHQ boss has said.…

Category: Viruses and Worms

1,000 jobs on the line at BAE Systems' Lancashire plants – reports

The Register - Anti-Virus - 9 October, 2017 - 15:21
Warton braced for job cuts

BAE Systems, maker of military machinery, is to slash more than 1,000 jobs, according to reports, with most roles affected at its Warton plant in Lancashire, England – the main factory that builds the Eurofighter Typhoon.…

Category: Viruses and Worms