Analyzing ATM malware

Since a time ago, they are beginning to appear a new wave of malware targeting Automated Teller Machines (ATM): Backdoor.MSIL.Tyupkin, Backdoor.Padpin, the newer GreenDispenser, etc… All of them seem to be using the eXtensions for Financial Services (XFS) library to manage ATM. If you try to debug/analyze or you introduce a sample of these malware families into a Cuckoo sandbox, it won’t run because it will fail to load msxfs.dll.

The problem is that XFS seems to be a private library. Simulators and debug environments are private software, and expensive to buy. I have been not able to find a open source solution. For this reason i decided to implement a fake msxfs.dll. It will have the same exports than the original one. There isn’t enough documentation and it’s hard to create a perfect simulator dll, I tried to simulate the most typical commands that these malware families are using, for example for returning random digits from the pinpad when the trojan tries to recover them.

Continue reading

Analysis of the ransom/infector W32_VirRnsm.A

There are lot of ransomware families around the world, however, since long time ago, they contain no new interesting features. VirRnsm.A is a malware that mixes characteristics of ransomwares and infectors. It is a ransomware capable to infect executable files (or an infector capable to encrypt your files). Technically, It doesn’t seem a great malware, but it is worth a look because, from my point of view, in the future we are going to start to see a lot of malwares of this type. Ransomware’s behaviour could end up being a payload of worms and infectors, rather than a malware by itself.

In spite of the fact that VirRnsm.A is an evolution in the ransoms world, probably, it would have spread itself faster if the malware, after infecting files, didn’t block the screen, showing a rescue message and revealing itself. Instead, imagine a worm or infector (a conficker, a sality,…), that arrives to a machine and hides itself with stealth techniques, trying to spread itself as much as possible, and waiting for a date to execute its payload (payload with ransomware behaviour). It could be a enormous chaos.

Continue reading

Getting CryptoWall and CryptoDefense working without C&C

It’s common to find malware samples that need the C&C to work. This is the case of Cryptowall and CryptoDefense ransomwares. If you need to debug samples of these families you will usually find the C&C down and the ransom won’t work and won’t encrypt files. It only will try to connect to C&C continuously.

In this article i’m going to describe a way to create a fake C&C for CryptoWall and CryptoDefense families, and how to get samples of these families working into a vmware for example.

Continue reading