ATM malware Ploutus updated with English-language version

Share this article:

Just a couple of weeks after the Spanish-language ATM malware known as Ploutus was discovered making the rounds in Mexico, computer security software company Symantec has discovered an updated English-language version.

Aside from the language, the only real differences are that the binary name has changed to ‘Ploutus.exe' from ‘PloutusService.exe,' and it has been changed from a standalone program to a modular architecture, Satnam Narang, a researcher with Symantec Security Response, told SCMagazine.com on Monday.

Otherwise, the mechanism for crooks is mostly the same. Essentially, the malware is transferred into the ATM through the CD-ROM drive, attackers send a 16-digit command code using the ATM keypad, a dispatcher sends a 33-digit instruction to Ploutus through the command line, and then a timer is scheduled to dispense funds.

The malware will only spit out money within the first 24 hours of activation, Narang said.

Aside from placing great physical protections on ATMs, so as to avoid allowing criminals access to the money machine's CD-ROM drive, to defend against Ploutus Symantec has offered up some additional best practices for owners.

First, configure the BIOS boot order to only boot from the hard disk, and not a CD, DVD or USB, Narang said. He added that ATM vendors should secure the BIOS with a password so that attackers cannot reconfigure the boot options, consider removing hardware that allows the BIOS to read and start from the boot, and ensure that AV signatures and security solutions are up to date.

“This discovery underlines the increasing level of cooperation between traditional physical-world criminals with hackers and cyber criminals,” Narang said, adding that ATMs in off-site locations, such as malls and convenience stores, are more likely at risk. “With the ever increasing use of technology in all aspects of security, traditional criminals are realizing that to carry out successful heists, they now require another set of skills that wasn't required in the past.”

Russian security firm Safensoft discovered late in September that Ploutus was infecting ATMs in Mexico, and not long after information security company Trustwave released its own findings on the malware.

Share this article:

Sign up to our newsletters

More in News

Research shows vulnerabilities go unfixed longer in ASP

Research shows vulnerabilities go unfixed longer in ASP

A new report finds little difference in the number of vulnerabilities among programming languages, but remediation times vary widely.

Bill would restrict Calif. retailers from storing certain payment data

The bill would ban businesses from storing sensitive payment data, for any long than required, even if it is encrypted.

Amplification, reflection DDoS attacks increase 35 percent in Q1 2014

Amplification, reflection DDoS attacks increase 35 percent in ...

The Q1 2014 Global DDoS Attack Report reveals that amplification and reflection distributed denial-of-service attacks are on the rise.