ATM MALWARE

RSA ® INCIDENT RESPONSE REPORT:
THREAT DETECTION TECHNIQUES –
ATM MALWARE
ABSTRACT
This report covers four strains of ATM malware that enable cybercriminals to infect
ATM devices. It discusses the TTPs of these malware and how RSA ® ECAT for Endpoint
Security is used to detect and investigate them.
Authors: Stefano Maccaglia and Jared Myers
February 2016

TABLE OF CONTENTS
EXECUTIVE SUMMARY .......................................................................... 3
ATM MALWARE SUB-FAMILIES ............................................................. 3
1.1 BACKDOOR.PLOUTUS ........................................................................................................................................... 3
1.2 BACKDOOR.TYUPKIN ........................................................................................................................................... 4
1.3 BACKDOOR.ATM.SUCEFUL .................................................................................................................................... 4
1.4 BACKDOOR.ATM.GREENDISPENSER ..................................................................................................................... 4
1.5 TESTED SAMPLES ................................................................................................................................................. 5
2. ATTACK OVERVIEW .......................................................................... 5
3. CASH THEFT METHODS ..................................................................... 6
3.1 TROJANSPY:ATM/PLOUTUS ................................................................................................................................. 6
3.2 BACKDOOR.ATM.TYUPKIN .................................................................................................................................... 7
3.3 BACKDOOR.ATM.SUCEFUL .................................................................................................................................... 7
3.4 BACKDOOR.ATM.GREENDISPENSER ..................................................................................................................... 7
4. DETECTION ....................................................................................... 8
4.1 BEST PRACTICES TO PROTECT ATM SYSTEMS ...................................................................................................... 8
4.2 NETWORK VISIBILITY THROUGH RSA SECURITY ANALYTICS .............................................................................. 8
4.3 SYSTEM VISIBILITY THROUGH RSA ECAT ............................................................................................................ 9
4.4 RSA ECAT DETECTION: TROJANSPY:ATM/PLOUTUS ........................................................................................... 10
4.5 RSA ECAT DETECTION: BACKDOOR.ATM.TYUPKIN ............................................................................................. 10
4.6 RSA ECAT DETECTION: BACKDOOR.ATM.SUCEFUL ............................................................................................. 10
4.7 RSA ECAT DETECTION: BACKDOOR.GREENDISPENSER ...................................................................................... 11
5. CONCLUSION .................................................................................. 11
6. APPENDIX ...................................................................................... 12
6.1 ECAT SAMPLE’S ANALYSIS ................................................................................................................................. 12
6.2 YARA RULES ....................................................................................................................................................... 12

EXECUTIVE SUMMARY
The famous American bank robber, Willie Sutton, was credited for having said, “Because that’s where the money is.” (Although, he
denied saying this.) Sutton died in 1980, so we can only ponder what he would have thought of the vast Automated Teller Machine
(ATM) network that has all-but-replaced the bank branches he preyed upon in the early 20th Century. Most of these ATMs are
actually tiny banks, stacked with cash and merely protected by a lock, a camera, and software. It’s no wonder that ATMs have been
attractive criminal targets for quite some time.
In recent years, new ATM-focused cyber attacks have been discovered. The newer techniques do not require skimmers or other
traditional, physical tools; rather these attacks use malicious code, frequently leveraging unsupported operating systems with
unpatched vulnerabilities. The code may be loaded directly to the terminal itself, or remotely from a system with network access.
The spoils of these endeavors range from sensitive data to large cash withdrawals. Often the attacks blend the physical and cyber
realms, using accomplices (mules) who physically collect the money after the terminal has been infected.
A security professional may ask: Why not a more current operating system? Why not regular patching? Why not preventive tools
such as anti-virus (AV)? The answers mostly lie in the costs of upgrading, and the stability of these systems. A bad AV update or
virus removal could catastrophically upend millions of transactions. Upgrades are coming, slowly. And it’s reported that many
institutions have privately entered into agreements with Microsoft to extend the lives of their XP machines.¹ Microsoft ended public
support for Windows XP in 2014.
So, unlike many IT security professionals who struggle to respond as preventive security technologies continually fail, ATM network
security administrators have a much more acute challenge – how to identify malware and other intrusions when conventional
preventive approaches are ineffective.
Fortunately, pervasive visibility and analytics for these systems are available. Malicious activity can be detected. Security teams can
be alerted quickly, before the worst damage can occur.
This report explores four subfamilies of malware, specifically tailored for ATMs:
1. Backdoor.Ploutus
2. Backdoor.Tyupkin
3. Backdoor.ATM.Suceful
4. Backdoor.GreenDispenser
The report then discusses and demonstrates how these attacks can be detected using RSA ® Security Analytics and RSA ECAT.
ATM MALWARE SUB-FAMILIES
BACKDOOR.PLOUTUS
TrojanSpy:ATM/Backdoor.Ploutus was one of the first ATM malware variants to be disclosed publically 2 . Installation requires
physical access to the ATM, however if the attacker has the opportunity to remotely access the system from the internal 3
banking network (presumably with the help of a malicious insider or an unknowing user’s machine), the malware could also be
installed remotely.
Ploutus is typically installed via USB and operated by a mobile phone tethered to the ATM. The malware then sends or
receives data via the cellular phone, and the attacker can control the ATM’s operating system (OS) using SMS messages.
There can be two separate SMS commands:
The first contains an activation ID to enable the Ploutus malware on the ATM.
The second contains a command to dispense money.
The phone forwards valid SMS messages as TCP or UDP packets to the ATM OS. The ATM network packet module receives the
TCP/UDP packet and (if valid) executes, potentially resulting in the machine immediately dispensing cash. In the cases where
the Remote Desktop Protocol (RDP) is used, the malware can be managed via TCP or UDP packets. The amount of cash
dispensed is often pre-configured in the malware, and the cash is often collected using money mules.
1
http://money.cnn.com/2014/03/04/technology/security/atm-windows-xp
2 The first public article about Backdoor.Ploutus was released by Symantec in August 2013:
http://www.symantec.com/security_response/writeup.jsp?docid=2013-101123-2819-99&tabid=2
3 Some Banking networks use internal network segments to remotely administer ATM devices.

BACKDOOR.TYUPKIN
Backdoor.Tyupkin is a malware family that can be installed with physical access to the ATM terminal using a bootable CD, or
using RDP from another device on the network. This malware family exploits the NCR Persona series of ATM machines which
run Microsoft Windows 32-bit OS. Regardless of the method used to infect the ATM system, two files are copied onto the ATM
machine:
An executable (the malicious binary itself)
A debugging file (responsible for entrenching the malware in the registry before being deleted)
The malware gives the attacker (or the money mule) direct access to the terminal using the ATM’s keypad if the criminal
enters the correct passcode and session key. The terminal then prompts the attacker to select which cassette (cash box) from
which to dispense the cash. The amount is limited by how much cash is physically available in the machine. The malware also
disables the ATM’s communication on the local area network, most likely to disrupt remote monitoring or troubleshooting. The
malware can also be configured to function during specific time windows.
BACKDOOR.ATM.SUCEFUL
In September 2015, a new variant of ATM malware, dubbed SUCEFUL, was discovered. Initially the sample was uploaded to
VirusTotal (VT) from a Russian IP address. The timestamp indicates that it was likely compiled on August 25, 2015.
This malware family is probably still under development and testing by its authors. However, the advanced capabilities of this
malware indicate that the authors are evolving and aiming to steal data not previously harvested by other ATM malware.
Currently documented capabilities of Backdoor.ATM.Suceful include:
Reading all the credit/debit card track data
Reading data from the EMV chip 4 of the card
Control of the malware via ATM PIN pad
Retention or ejection of a card inserted into the ATM (This could be used to physically steal cards.)
Suppressing ATM sensors to avoid detection
BACKDOOR.ATM.GREENDISPENSER
The latest entry onto the ATM malware scene is Backdoor.ATM.GreenDispenser.
This variant was initially discovered in Mexico in September 2015. Our initial analysis, still ongoing, suggests that this
malware must be installed manually, because it requires an interactive boot process to be installed properly. The malware is
similar in functionality to the Tyupkin family, but does show some unique functionality:
Two-factor identification composed of a hardcoded PIN, and a second one obtained by decoding a QR code
Malicious code will only run on a system whose time and date is post-September 2015
Like other ATM malware families discussed in this report, GreenDispenser communicates with the hardware of the terminal,
such as the PIN pad and the cash dispenser, via XFS 5 , the middleware that facilitates client-server architecture for devices
used in the financial industry 6 . The malware can be configured to display a message to the potential ATM user, written in
English or Spanish, indicating that the machine is out of service. While regular cardholders might walk away from the machine
when seeing this error, the attackers or money mules simply type in an access code to access the malware’s menu.
TESTED SAMPLES
This report will not delve into the technical artifacts of the malware, but will describe how RSA ECAT for Endpoint Security can
alert an organization about these types of infections from the different families outlined above. Using RSA ECAT can help
4 "EMV® is a global standard for credit and debit payment cards based on chip card technology" taking its name from the card schemes Europay,
MasterCard, and Visa - the original card schemes that developed it. The standard covers the processing of credit and debit card payments using a card
that contains a microprocessor chip. For further information you can use this link: https://www.level2kernel.com/emv-guide.html
5 XFS (eXtensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform, especially
peripheral devices such as EFTPOS terminals and ATMs which are unique to the financial industry. It is an international standard promoted by the
European Committee for Standardization (known by the acronym CEN, hence CEN/XFS). The standard is based on the WOSA Extensions for Financial
Services or WOSA/XFS developed by Microsoft [SOURCE: Wikipedia].
6 CEN/XFS or XFS (eXtensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform,
especially peripheral devices such as EFTPOS terminals and ATMs which are unique to the financial industry. It is an international standard promoted by
the European Committee for Standardization (known by the acronym CEN, hence CEN/XFS). The standard is based on the WOSA Extensions for
Financial Services or WOSA/XFS developed by Microsoft [SOURCE: Wikipedia].

speed the response time, reducing overall exposure, and subsequently helping stop the attack before large amounts of cash or
sensitive data is stolen.
Included with this report is content that can be deployed to RSA Security Analytics and RSA ECAT for detecting this malware.
The content was tested on the following samples:
Sample
File
Type
Malware Type
MD5
done.exe EXE TrojanSpy:MSIL/Ploutus.gen!A 9cceef84ddef8c165800004aa0a30000
pulsar.exe EXE TrojanSpy:MSIL/Ploutus.gen!A eca2ca8ecf63816d9a157888e3d871dc
ulssm.exe EXE Backdoor.MSIL.Tyupkin.a af945758905e0615a10fe23070998b9b
123.exe EXE Backdoor.MSIL.Tyupkin.c 58f98bf643ce58be13d9daaf51b055a1
Project1.exe EXE Backdoor.ATM.Suceful 4bdd67ff852c221112337fecd0681eac
Comss_Vir_Type1_ (143).exe EXE Backdoor.Win32.Suceful.a f74755b92ffe04f97ac506960e6324bb
Greendispenser.exe EXE Backdoor.Win32.Greendispenser bcd3cdbded825b96861bfbc7a399b89a
A0001203.exe EXE Backdoor.Win32.Greendispenser c10b0157f6fd6590424a748f3c6c80ee
Table 1: Sample List
The digital appendix to this document includes Yara Signatures that can be used to determine if these types of malicious files
are currently present in an organization. Also included in the digital appendix is a blacklist that can be imported into RSA ECAT
to help an organization quickly identify and categorize known malicious files.
ATTACK OVERVIEW
With the looming end-of-life for Windows XP, the banking industry is grappling with the risk of cyber attacks aimed at their aging
ATM fleet. Cybercriminals are targeting ATMs with increasingly sophisticated techniques. Initially the attacks required physical access
to the machine, or assistance from a user or device with access to the ATM network. However, the attacks have evolved
considerably, now leveraging RDP and FTP communications. The only physical access now required with current ATM malware is
when the criminals (or mules) collect the cash.
In the following scenario, the attacker has breached the target’s network and has stolen the administrative credentials of the ATM
machine.
Figure 1: Attacker Inside the ATM Internal Network
In this case, the attacker used an RDP connection to download the malicious executable (in this case Suceful) to the ATM’s operating
system. Figure 2 below illustrates how the attacker could download the malicious file via FTP.

Figure 2: FTP Download
Next, the attacker can activate the malicious software on the ATM machine, which is illustrated in Figure 3 below.
Figure 3: Backdoor.ATM.Suceful Panel
In this case, RSA Security Analytics can easily identify and alert of the use of RDP and FTP communications protocols. This is
illustrated in the Detection Section of this paper.
CASH THEFT METHODS
TROJANSPY:ATM/PLOUTUS
The Ploutus variant, discussed above, uses an interesting approach to dispense cash. Initially, the attackers install the malware on
the machine, which is connected to a mobile phone via a USB cable. Once connected, the attacker sends two SMS messages to the
mobile phone; one for the activation of the malware, and the second containing a command to dispense money from the machine.
The messages received on the phone are forwarded to the ATM as a TCP or UDP packet, and executed by the Ploutus malware. This
will ultimately result in the ATM dispensing a preconfigured amount of money that will be collected physically by the mule.

Figure 4: Ploutus Attack Scenario
BACKDOOR.ATM.TYUPKIN
Like the Ploutus variant, Tyupkin also requires physical access to the ATM to install the malware, which then employs several
techniques to avoid detection. First, the malware is only active during specific time ranges at night on certain days of the week
(typically Sunday and Monday). The malware also needs a key-based random seed for every session. When both of these
requirements are satisfied, the malware will display the amount of money available in the cassettes loaded in the machine. The mule
then selects the cassette(s) from which to withdraw funds.
BACKDOOR.ATM.SUCEFUL
The Backdoor.ATM.Suceful variants will establish a connection with the terminal XFS manager, allowing the attackers to create their
own interface (using the native APIs WFSExecute) to control the system. The attacker can then open sessions with (and disable)
other relevant peripherals including:
Door sensors
Alarm sensors
Proximity sensors
The WFSExecute API can also read payment card data, including the cardholder name, account numbers, expiration dates and the
encrypted PIN. The attacker can also instruct the device to retain ATM cards, preventing the victim from removing his/her card. If
he/she physically leaves the ATM, then the attacker or his mules can retrieve the stolen card.
BACKDOOR.ATM.GREENDISPENSER
Like previous ATM malware families, GreenDispenser requires physical access to install. Like the Tyupkin variant, it requires a form
of two-factor authentication and only functions during specific timeframes. In many of the samples we analyzed, the malware only
functioned on machines with clocks set from January to September 2015. There is also a post-op secure delete function. These
functions are the result of XFS middleware exploits, and are likely intended to prevent or complicate forensic investigations.

Figure 5: GreenDispenser XFS Exploitation
Once authenticated, the attacker is presented with a second menu which allows him to access the cash dispenser and/or erase the
malware using the Sysinternals sdelete tool. Analysis of the GreenDispenser variant uncovered the batch code, displayed below,
which is used to delete the malicious code from the infected machine (once the money has been stolen).
:start
tasklist /F1 “IMAGENAME eq ” 2 | find /I /N “”> NUL
if “%ERRORLEVEL%”==”0” goto start
“\del.exe” /accepteula –p 3 –q “\”
del “\del.exe”
del “\”
shutdown –t 0 –r –f
del “%~ f0”
DETECTION
BEST PRACTICES TO PROTECT ATM SYSTEMS
Effective monitoring of ATMs can be achieved by deploying tools that provide sufficient visibility into the ATM’s operating system and
network traffic. Using the RSA Incident Response methodology, which leverages “Actionable IOCs” and proper “Visibility,” we suggest
that organizations implement the following monitoring controls:
Network visibility and analysis provided by a network monitoring platform such as RSA Security Analytics
System or host-level visibility using an endpoint threat detection and response tool such as RSA ECAT
To detect these and other ATM style attacks described above, RSA recommends using specific RSA Security Analytics parsers and
feeds, based on RSA intelligence together with Yara rules and application blacklists. This combination can help to ensure proper
network visibility (via RSA Security Analytics) and endpoint visibility (via RSA ECAT and integrated tools, such as Yara).
NETWORK VISIBILITY THROUGH RSA SECURITY ANALYTICS
In general terms, “Network Visibility” is designed to enable the security analyst to achieve awareness of the various applications,
protocols, and communications that are traversing their network. Being able to monitor and identify anomalous network activity is
paramount in a proactive approach. In most ATM networks, traffic is limited to specific protocols and the access to the ATMs should
only be performed from predefined and documented network segments using specific administrative credentials. These
recommendations can be enabled through the use of a technology such as RSA Security Analytics that can offer complete visibility
and near real-time identification of any internal or external breaches of the ATM terminals.
From the network point of view, it is recommended to develop and deploy a set of dedicated rules and alerts to quickly identify the
presence of malicious activity on the ATM network and originating from the ATM systems.

Figure 6 below illustrates the way malicious FTP and RDP sessions can be identified by RSA Security Analytics for the
Backdoor.ATM.Suceful attack.
Figure 6: Backdoor.ATM.Suceful Protocol Analysis (RDP & FTP)
Much like video surveillance has improved security in the physical world, RSA Security Analytics enables security analysts and
security operations teams to go “back in time” and see not only a replay of an issue or an attack, but also the activities that
preceded the attack and to see exactly what data was exfiltrated by the attacker.
SYSTEM VISIBILITY THROUGH RSA ECAT
For system or endpoint level visibility, a solution with no impact to the standard operations performed by ATM terminals can ensure
the ability to monitor and proactively investigate any anomalies or suspect behaviors. RSA ECAT provides such a continuous
monitoring and forensics capability, to monitor, evaluate, investigate and alert on suspicious activity on Windows-based systems
such as these ATMs. RSA ECAT, when used in conjunction with RSA Security Analytics, enables the investigation of historical traffic
even if the activity was not immediately identified as suspect by RSA Security Analytics.
Figure 7: RSA ECAT Score of SUCEFUL Process after Yara Scan Performed with Our Rules (See Appendix)

Analysts using RSA ECAT can triage systems across the network with minimal effort, drastically decreasing the overall response time.
When an organization deploys RSA ECAT on ATMs and properly baselines those systems, the process of detecting anomalous activity
is even easier. Whitelisting and blacklisting of files with RSA ECAT can also streamline the monitoring and investigation processes.
RSA ECAT DETECTION: TROJANSPY:ATM/PLOUTUS
TrojanSpy:ATM/Ploutus allows criminals to use a mobile phone to access an ATM by sending a simple text message that ultimately
results in cash being immediately dispensed. The variant we analyzed, Backdoor.Ploutus.B, is an evolution of the malware and was
used in several bank thefts between 2013 and 2015. This malware is a Trojan horse that opens a back door on a compromised ATM
using a USB link to a connected mobile phone enabling the attacker to manage the ATM via text messages (SMS). Running an RSA
ECAT agent (version 4.1 was used for this analysis) on an ATM terminal infected with Backdoor.Ploutus.B quickly detects the
malicious process. RSA ECAT scores modules from 1 to 1024, where a higher score indicates a higher confidence that the process is
malicious. The figure below shows the threat score collected from RSA ECAT.
Figure 8: ECAT Score for Win32.Ploutus Malware
RSA ECAT DETECTION: BACKDOOR.ATM.TYUPKIN
Backdoor.ATM.Tyupkin is another malware variant that allows cyber criminals to empty cash machines via direct manipulation. Once
inside the bank’s network, the attacker can traverse the network and introduce secondary tools to harvest credentials and obtain the
data they are seeking. Once attackers have the data they need to exfiltrate it, potentially using a staging server on the bank’s
network, RSA ECAT can quickly identify the Backdoor.ATM.Tyupkin process on an infected system. This is illustrated in Figure 9. If
the Yara signatures, which are included with this report, are deployed to RSA ECAT, this module would have received a score of 1024
(the worst possible score).
Figure 9: RSA ECAT score on Backdoor.ATM.Tyupkin
RSA ECAT DETECTION: BACKDOOR.ATM.SUCEFUL
Backdoor.ATM.Suceful is a newer variant in the ATM malware landscape. It incorporates features traditionally not built into ATM
malware. The new malware uses an advanced technique to target cardholders. Once the ATM system is infected, the malware is able
to record card- and user-supplied data for the inserted credit or debit card, including payment account details, IDs and PIN

passwords as they are entered. In addition, the malware is capable of suppressing the built-in alarms that are standard on every
ATM, and triggering the card-withholding mechanism. The figure below displays how RSA ECAT would score the malicious process as
suspect on an ATM infected with this strain of malware.
Figure 10: RSA ECAT Score on Backdoor.ATM.Suceful
RSA ECAT DETECTION: BACKDOOR.GREENDISPENSER
The Backdoor.GreenDispenser variant provides an attacker with the ability to walk up to an infected ATM and drain its cash
vault. When installed, the malware will create a mutex named “dispenserprgm” to avoid the risk of running duplicate
processes of the malware. The GreenDispenser variant can also display an “out of service” message on the ATM to ward off
legitimate users. However, attackers who enter the correct pin codes can use the machine to collect the cash and erase the
malware using a delete process, leaving little (if any) trace of how the ATM was robbed. The program used for this deletion
procedure is a legitimate Windows tool signed Sysinternal, called Sdelete.exe 7 . Custom IIOCs for RSA ECAT can be written to
look for the known mutex names, and the Yara Integration that was previously discussed can be used to improve detection.
Figure 11: RSA ECAT Score on GreenDispenser
CONCLUSION
ATM-focused malware is increasing in sophistication every year. Security monitoring and threat detection tools such as RSA Security
Analytics and RSA ECAT can help security and fraud teams identify attacks early; before sensitive data is accessed or money is
stolen. In these circumstances, not only is it critical to detect these advanced threats, but also minimize the time to detection.
Improved situational awareness can accelerate an organization’s incident response and reduce the overall exposure to fraud and data
loss. RSA Security Analytics and RSA ECAT provide organizations with the ability to discover and mitigate attacks before they
become major incidents.
7 Software available here: https://technet.microsoft.com/en-us/sysinternals/sdelete.aspx

APPENDIX
RSA ECAT SAMPLE ANALYSIS
The following figure shows how the Yara rules match the sample analyzed. The RSA ECAT agent was deployed on Windows XP 32 bit
(operating system used on the tested ATMs):
Figure 12: ECAT ATM Malware Detected by Yara Signature
YARA RULES
rule Ploutus {
strings:
$s1 = "Confuser v1.9.0.0" wide ascii
$s2 = "Ploutos.exe" wide ascii
condition:
all of them and
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}
rule Tyupkin {
strings:
$s1 = "\\ulssm.exe" wide ascii nocase
$s2 = "\\AptraDebug.lnk" wide ascii nocase
$s3 = "AptraDebug" wide ascii nocase
$s4 = "ulssm.Form1.resources" wide ascii nocase
$s5 = "MSVCR80.dll" wide ascii nocase
$s6 = "MSXFS.dll" wide ascii nocase
condition:
all of them and
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}
rule Suceful {
strings:
$s1 = "vcl60.bpl" wide ascii nocase
$s2 = "Project1.exe" wide ascii nocase
$s3 = "SUCEFUL" wide ascii nocase
$s4 = "msxfs.dll " wide ascii nocase

condition:
all of them and
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}
rule GreenDispenser {
strings:
$s1 = "dispenserprogm" wide ascii nocase
$s2 = "del.exe" wide ascii nocase
$s3 = "sdelete.pdb" wide ascii nocase
$s4 = "MSXFS.dll" wide ascii nocase
$s5 = "sdelete" wide ascii nocase
condition:
all of them and
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}
Table 2: Yara Rules

Content and liability disclaimer
This Research Paper is for general information purposes only, and should not be used as a substitute for consultation with
professional advisors. EMC has exercised reasonable care in the collecting, processing, and reporting of this information but has not
independently verified, validated, or audited the data to verify the accuracy or completeness of the information. EMC shall not be
responsible for any errors or omissions contained on this Research Paper, and reserves the right to make changes anytime without
notice. Mention of non-EMC products or services is provided for informational purposes only and constitutes neither an endorsement
nor a recommendation by EMC. All EMC and third-party information provided in this Research Paper is provided on an "as is" basis.
EMC DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, WITH REGARD TO ANY INFORMATION (INCLUDING ANY SOFTWARE,
PRODUCTS, OR SERVICES) PROVIDED IN THIS RESEARCH PAPER, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied
warranties, so the above exclusion may not apply to you.
In no event shall EMC be liable for any damages whatsoever, and in particular EMC shall not be liable for direct, special, indirect,
consequential, or incidental damages, or damages for lost profits, loss of revenue or loss of use, cost of replacement goods, loss or
damage to data arising out of the use or inability to use any EMC website, any EMC product or service. This includes damages arising
from use of or in reliance on the documents or information present on this Research Paper, even if EMC has been advised of the
possibility of such damages
Copyright © 2016 EMC Corporation. All Rights Reserved.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All
other products and/or services referenced are trademarks of their respective companies. Published in the USA. February, 2016