IFSEC Global

Author Bio ▼

IFSEC Global is the online community for the Security and Fire industry. Our market-leading live events span the globe, connecting buyers and sellers.
January 1, 2014

Sign up to free email newsletters


Want a Future-Proof Cyber Security Strategy? Look at Physical Security Now

How ATMs powered by Windows XP can be hacked to dispense cash by a simple SMS

A lot has been said about the increased vulnerability of Windows XP machines, especially with end of life support ending on April 8, 2014. With many Indian banks still using ATMs powered by Windows XP, the recent discovery by Symantec may be an alarm for Indian businesses. In a blog, Symantec’s Daniel Regalado, explains how is this done:

Connecting a mobile phone to the ATM

The criminals can remotely control the ATM by using a mobile phone which is connected to the inside of the ATM. There are multiple ways to connect a mobile phone to an ATM. A common method is to use a setup called USB tethering, which is effectively a shared Internet connection between a phone and a computer (or in this case, an ATM).

atm-attack-ploutus-attack-overview-fig2The attackers need to set the phone up correctly, connect it to the ATM and infect the ATM with Ploutus. Once all of these steps are complete, a full two-way connectivity is established and the phone is ready to be used. Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely.

Sending SMS messages to the ATM

After the mobile phone is connected to the ATM and set up is completed, the criminals can send specific SMS command messages to the phone attached inside the ATM. When the phone detects a new message under the required format, the mobile device will convert the message into a network packet and will forward it to the ATM through the USB cable.

The network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM. As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus.

An example of such a command is shown below: cmd.exe /c PLOUTOS.EXE 5449610000583686=2836957412536985



In previous versions of Ploutus, the master criminal would have to share these digits with the money mule, which could allow the money mule to defraud the master criminal if they realize what the code allows them to do. In this version of Ploutus, the mule never sees the 16 digits, giving the master criminal added security and the ability to centrally control cash withdrawals. The code is active for 24 hours.

Using SMS messages to remotely control the ATM is a much more convenient method for all of the parties in this scheme, because it is discrete and works almost instantly. The master criminal knows exactly how much the money mule will be getting and the money mule does not need to linger for extended periods around an ATM waiting for it to issue the cash. The master criminal and money mule can synchronize their actions so that the money is issued just as the money mule pretends to withdraw cash or is walking past the ATM.

Putting it all together



Now that we have looked into the details of how this scheme works, here’s an overview of how it all fits together.

The attacker installs Ploutus on the ATM and connects a mobile phone to the machine with a USB cable.

  1. The controller sends two SMS messages to the mobile phone inside the ATM.
  2. SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM.
  3. SMS 2 must contain a valid dispense command to get the money out.
  4. The phone detects valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet.
  5. In the ATM, the network packet monitor module receives the TCP/UDP packet and if it contains a valid command, it will execute Ploutus.
  6. Ploutus causes the ATM to spew out the cash. The amount of cash dispensed is pre-configured inside the malware.
  7. The cash is collected from the ATM by the money mule.

Free Download: The Wireless Access Control Report

Discover how your peers think standards, sustainability, mobile and the cloud are shaping the future of access control in this exclusive free report.

Based on a poll of hundreds of professionals involved in the procurement, operation, deployment or maintenance of access control systems, this report offers a unique into the perception and demand around wireless technology.

Leave a Reply

Notify of

Sign up to free email newsletters