Wednesday, March 18, 2009

The Effect of Credit Crunch on Backdoors


In the scope of the current economic situation, it's not uncommon to hear the news how another bank is downsizing its departments and outsourcing its software development.

The big question is if this practice increases any risk of having the Time Bombs, hard-coded login names and passwords, or simple backdoors concealed in the software by its own developers.

An interesting piece of software spotted by Vanja Svajcer from Sophos proves it does.

While it is not entirely clear (no evidence) how this software penetrated on an ATM, an educational guess is that it was implanted by someone who knew the architecture and had direct physical access to the Diebold ATM hardware and software. A privileged insider, who either wanted extra security in the times of hardship by having unlimited access to cash, or maybe planned to rob the banks in one large-scale distributed attack.



Anyway, the backdoor heavily conceals its presence under ATM. Why? Most likely, in order to stay undetected during the audit checks.

The backdoor consists of the dropper and the dropped component.

If the ATM's filesystem is NTFS, the dropper will create 2 alternative data streams:

%windir%\greenstone.bmp:redstone.bmp
%windir%\greenstone.bmp:bluestone.bmp

Otherwise, it will create 2 files:

%windir%\redstone.bmp
%windir%\bluestone.bmp

These ADS/files are created from these copies of the files, if they are found in the system:

%windir%\trl2
%windir%\kl

The dropper then adjusts its own privilege to the level of SeDebugPrivilege and takes 50 attempts to terminate the process lsass.exe.

The backdoor installs itself the following way:

  • retrieves the fully qualified path to the binary file of the system service "LogWriter"

  • stops system service "LogWriter"

  • appends to that name ":", followed by pwrstr.dll

  • drops its own resource PACKAGEINFO into the alternative data stream [LogWriter_binary_filename]:pwrstr.dll

  • starts system service "LogWriter" – this will launch the dropped DLL from the newly specified ADS name


Finally, the dropper will inject and run a remote thread in the process explorer.exe, a thread that enumerates and deletes all Windows Prefetch files.

Once activates, the dropped DLL will injects 2 threads: one will be injected into the process mu.exe, another one - into the process SpiService.exe, a main service ("Diebold XFS Service") of the proprietary software that runs on Diebold ATMs. These threads will be responsible for inter-process communication with the Diebold driver via the named pipe "\\.\pipe\lsndbd".

Another thread will start repeatedly calling an API SQReceiveFromServer(), exported by sharedq.dll, once per second. The contents of the buffer filled with this function will then be parsed for the presence of the tags "TCS," and "HST,".

If any values specified in those tags are split with the delimiter ";", the thread will extract and log them into the ADS %windir%\greenstone.bmp:redstone.bmp on NTFS system, or file %windir%\redstone.bmp on non-NTFS system.

If the tag "TCS," means "transactions" and "HST," means "history", the backdoor may be collecting the details of user transactions in the aforementioned file.

In case the transaction parsing process detects particular contents, presumably unique to the attacker of the ATM, the backdoor will enter GUI mode that will grant an attacker full access to the backdoor. In this case, it will display on ATM screen a dialog box with the caption "Agent" and a prompt "Enter command:", and instruct the Diebold driver to activate the keypad and read the input via a series of commands issued with DbdDevExecute() API, exported by DbdDevAPI.dll. For example, the driver will receive commands: EPP4_ENCODE_DECODE, EPP4_ENABLE_KEYBOARD_READ.

An attacker then provides one out of 10 possible commands by entering a number on an ATM keypad. Every command causes the backdoor to take specific action.

For example, command "2" will instruct the backdoor to read the version of the installed Diebold software from the registry keys:

HKLM\SOFTWARE\Diebold\Agilis 91x Core
HKLM\SOFTWARE\Diebold\Agilis 91x

Then, this command will read the contents of the temporary files/ADS redstone.bmp and bluestone.bmp, and parse the transaction details from these logs. Finally, it will show a message box with the collected statistics for the attacker in the following form:

Agilis [version number]
Agent [version number]
Transactions [number]
Cards [number]
KEYs [number]


Command "6" will instruct the backdoor to recover the "Key A" and "Key B" from the file/ADS redstone.bmp. It will then print them on a new receipt – the receipt will then be ejected.

Command "8" allows an attacker to display all internal counters in a newly created dialog box (this may potentially reveal the amount of cash currently stored in ATM).

Command "7" will generate a random number and then calculate a password that is unique for that random number.
Then, it will display an "Autorization" dialog box (orthography preserved):

Request Code: [random number]
Enter Responce:

It allows 3 attempts to be undertaken to enter correct password.

If the provided password is correct, it will display another dialog box with a caption "Enter Command" (orthography preserved):

1..4 - dispense cassete
9 - Uninstall
0 - Exit

In case of the choice 1-4, it will release commands AFD_DISPENCE, AFD_PRESENT, and AFD_RESTORE to the Diebold driver to instruct the Advanced Function Dispenser (AFD) module to dispense an ATM cassette with cash.

With this level of sophistication, considering the trojan horse in its classic form is inside the ATM, even the following paranoid technique will unlikely make any difference: