Using a “low risk” trojan, a group of hackers (believed to be from South America) managed to cart away about RM3 million (about USD $1 million) from various ATMs in Malaysia (USD $1.00 ≈ RM 3.30).
Below are the photos of the suspects released by the Bukit Aman Police in Malaysia:
To date, ATMs in the following locations have been compromised by this trojan/virus, known by its file name “ulssm.exe”:
Selangor & Kuala Lumpur
- ATM in USJ (Subang Jaya): Lost RM 265,000
- ATM in Section 14, PJ: Lost RM 395,850
- ATM in Dataran Sunway, PJ: Lost RM 221,160
- ATM in Kota Damansara, PJ: Lost RM 285,700
- ATM in Shah Alam: Lost RM 116,000
- ATM in Klang: Lost RM 150,000
- ATM in Jalan Imbi: Lost RM 92,900
- ATM in Jln Yoong Shook Lin: Lost RM 303,000
- ATM in Puchong: Lost RM ??
- ATM in Kajang: Lost RM ??
- ATM in Kelana Jaya: Lost RM ??
- ATM in Malacca Raya: Lost RM ??
- ATM in Bandar Hilir: Lost RM 232,770
- ATM in Batu Pahat: Lost RM 265,000
- ATM in Kluang: Lost RM 288,200
- ATM in Johor Baru: Lost RM ??
- ATM in Taman Molek: Lost RM ??
The Commercial Crime Investigation Department in Bukit Aman (Malaysia’s elite police force) said the suspects managed to open the top panel of the ATMs without using a “common key” and inserted a malicious CD to infect each machine with the “ulssm.exe” virus, which caused the ATM system (running on Windows XP) to reboot.
After the reboot, the infected ATM “obeys” commands entered on the keypad by the hackers and dispenses all the cash available in the machine. This is the first “high-tech” method used by robbers to clean out ATMs.
BUT is it really “high-tech”? Perhaps, compared with previously reported methods (e.g. carting away the entire machine with bulldozers or pick-up trucks, or trying to blast the machine open with a bomb).
In reality, I would consider it “low-tech” – because:
- These ATMs were running on outdated, unsupported Windows XP, which was discontinued early this year. Microsoft had issued ample warning about XP’s end of life since last year.
- What were the banks thinking/doing, running a critical service on an outdated, unsupported operating system? And if they must run Windows XP, why wasn’t there antivirus software installed? That is the first thing any sane person would do when running a Windows operating system.
- The trojan/virus is considered “low risk” by Symantec. See the technical details below.
Backdoor.Padpin is a Trojan horse that targets automated teller machines (ATMs). The Trojan enables an attacker to use the ATM PIN pad to submit commands to the Trojan.
Once executed, the Trojan creates the following file, which can be placed in any folder on the compromised computer:
[PATH TO THREAT]\ulssm.exe
The Trojan then creates the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
The Trojan can delete itself if it fails to gain control of the PIN pad or dispenser. The Trojan runs in the background until a specific code is entered on the ATM’s PIN pad.
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
- Dispense money from the compromised ATM
- Select which cassette the ATM dispenses money from
- Display cassette information such as bills left, denomination and total amount per cassette
- Temporarily disable the local network to avoid triggering alarms when withdrawing money
- Extend the duration of the session in order to continue stealing money
- Delete the Trojan from the compromised ATM
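The persistence described above (a file that can sit in any folder, registered under the HKLM and HKCU Run keys) is something an ATM operator can audit offline. The script below is an added example written for this post; it is not code from the article, from Symantec or from any ATM vendor. It parses a .reg-style export of the two Run keys (the sample export is constructed, not a real capture), flags any value whose name or executable matches the ulssm.exe indicator quoted above, and, as an assumption about what a hardened ATM build looks like, also flags autorun binaries living outside Program Files or the Windows directory.

```python
"""Audit Windows Run-key entries for the Backdoor.Padpin persistence
described above.

Added example, not from the article or from Symantec. Input is the text of
a .reg export of the two Run keys; on a live host that text would come from
`reg export`. The sample below is constructed.
"""
import ntpath
import re

# Indicator from the Symantec write-up quoted in the post.
PADPIN_IOC = "ulssm.exe"

# The two autorun keys the Trojan writes to (from the post).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Assumption: on an ATM image the legitimate autorun binaries live under these
# roots. Anything elsewhere is worth a look; tune this to the real baseline.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

# Constructed sample export (not a real capture). .reg files escape
# backslashes and quotes inside values with a backslash.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\ATMVendor\\agent.exe\" /svc"
"ulssm.exe"="C:\\Temp\\ulssm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ulssm.exe"="C:\\Documents and Settings\\atm\\ulssm.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_run_entries(reg_text):
    """Return [(key, value_name, data)] for string values under the Run keys."""
    wanted = {k.lower() for k in RUN_KEYS}
    entries = []
    current = None
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            key = m.group("key")
            current = key if key.lower() in wanted else None
            continue
        if current is None:
            continue
        m = _VALUE.match(line)
        if m:
            # Undo .reg escaping: a backslash escapes the next character.
            data = re.sub(r"\\(.)", r"\1", m.group("data"))
            entries.append((current, m.group("name"), data))
    return entries


def executable_path(data):
    """Pull the program path out of a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted paths may contain spaces; take everything up to the first .exe.
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", data)
    return m.group(1) if m else data.split(" ", 1)[0]


def flag_entries(reg_text):
    """Return (reason, key, value_name, path) for each suspicious Run entry."""
    findings = []
    for key, name, data in parse_run_entries(reg_text):
        path = executable_path(data)
        base = ntpath.basename(path).lower()
        if name.lower() == PADPIN_IOC or base == PADPIN_IOC:
            findings.append(("padpin-ioc", key, name, path))
        elif not path.lower().startswith(TRUSTED_ROOTS):
            findings.append(("untrusted-location", key, name, path))
    return findings


if __name__ == "__main__":
    for reason, key, name, path in flag_entries(SAMPLE_REG_EXPORT):
        print(f"{reason}: {key}\\{name} -> {path}")
```

Run against the constructed export, both ulssm.exe entries are reported as indicator hits while the vendor agent and ctfmon.exe pass; an autorun binary in C:\Temp under some other name would still surface under the untrusted-location heuristic, which is the check that outlives a single file name.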
Fortunately, none of the banks’ customer accounts were compromised. This attack vector targets only the ATM host machine (running Windows XP), making it dispense the cash held in the machine.
Maybe it is high time the banking industry considered the more secure Linux for its ATMs?