Malware targeting automated teller machines (ATMs) in Mexico could now spread to other countries. Symantec warned that the malware, known as Ploutus, was originally written with Spanish-language source code, but because it has since been translated into English, it may begin spreading to English-speaking countries.
The security vendor recently disclosed that two versions of Ploutus have been discovered. Both are designed and engineered to empty specific types of ATMs, which have yet to be identified. The English translation makes the malware potentially more broadly usable.
How malware is installed
The malware is installed the old-fashioned way: the targeted ATM, which runs Microsoft Windows, is booted from a CD inserted into its drive. This installation method suggests that the perpetrators may be aiming at standalone ATMs, where physical access is easier.
Ploutus has been programmed for specific ATM models. It assumes the machine has four cash cassettes, each able to dispense. The malware then computes the amount of money to dispense based on the total number of bills. If a cassette holds fewer than the maximum of 40 bills, it releases whatever is left. It can repeat this process until the ATM is empty.
Symantec also found that the attackers likely have deep knowledge of the software and hardware of specific ATM models, which makes clear that the malware's creators understand how these machines work.
As mentioned, two versions of the malware have been discovered. The first version displays a graphical user interface once a numeric sequence is entered on the ATM keypad. This version of Ploutus can also be controlled with a keyboard.
The 'B' variant differs in several ways. First, it accepts commands only through the keypad. However, when cash is dispensed it displays a window showing the cash remaining in the ATM together with a transaction log. The attacker cannot specify a number of bills; instead, the malware withdraws cash from the cassette containing the most available bills.
Symantec has a recommendation for ATM operators. The company advises them to change the BIOS boot settings so that the machine boots only from the hard disk and refuses to boot from CDs, DVDs, or USB sticks. The BIOS must also be password-protected so that the boot options cannot be changed.