ATM MALWARE
APPENDIX

RSA ECAT SAMPLE ANALYSIS

The following figure shows how the Yara rules match the sample analyzed. The RSA ECAT agent was deployed on Windows XP 32 bit (the operating system used on the tested ATMs):

Figure 12: ECAT ATM Malware Detected by Yara Signature
YARA RULES

rule Ploutus {
    strings:
        $s1 = "Confuser v1.9.0.0" wide ascii
        $s2 = "Ploutos.exe" wide ascii
    condition:
        all of them and
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

rule Tyupkin {
    strings:
        $s1 = "\\ulssm.exe" wide ascii nocase
        $s2 = "\\AptraDebug.lnk" wide ascii nocase
        $s3 = "AptraDebug" wide ascii nocase
        $s4 = "ulssm.Form1.resources" wide ascii nocase
        $s5 = "MSVCR80.dll" wide ascii nocase
        $s6 = "MSXFS.dll" wide ascii nocase
    condition:
        all of them and
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

rule Suceful {
    strings:
        $s1 = "vcl60.bpl" wide ascii nocase
        $s2 = "Project1.exe" wide ascii nocase
        $s3 = "SUCEFUL" wide ascii nocase
        $s4 = "msxfs.dll " wide ascii nocase
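To make the rule conditions concrete, the following Python script is an added example that re-implements what the Ploutus and Tyupkin rules above evaluate: the `wide ascii` string modifiers (a match on either the ASCII or the UTF-16LE encoding), the `nocase` modifier, and the header check `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550` (an "MZ" stub whose e_lfanew field points at a "PE\0\0" signature). It is not code from the RSA paper or from the Yara project; the function names (`is_pe`, `string_matches`, `scan`, `build_sample`) and the sample buffers are constructed here for illustration. The Suceful rule is cut off above, so only the two complete rules are encoded.

```python
import struct

def uint16(buf, off):
    """Little-endian uint16 at off, like Yara's uint16(); None if out of range."""
    if off is None or off + 2 > len(buf):
        return None
    return struct.unpack_from("<H", buf, off)[0]

def uint32(buf, off):
    """Little-endian uint32 at off, like Yara's uint32(); None if out of range."""
    if off is None or off + 4 > len(buf):
        return None
    return struct.unpack_from("<I", buf, off)[0]

def is_pe(buf):
    """Equivalent of: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.
    The MZ header's e_lfanew field (offset 0x3C) gives the offset of the PE signature."""
    return uint16(buf, 0) == 0x5A4D and uint32(buf, uint32(buf, 0x3C)) == 0x00004550

def string_matches(buf, s, nocase=False):
    """Emulate a Yara string with the 'wide ascii' modifiers (and optionally 'nocase').
    bytes.lower() only folds ASCII letters, which is enough for these ASCII-range strings;
    in the UTF-16LE encoding each letter byte is followed by 0x00, which lower() leaves alone."""
    hay = buf.lower() if nocase else buf
    needle = s.lower() if nocase else s
    return (needle.encode("ascii") in hay) or (needle.encode("utf-16-le") in hay)

# The strings of the two complete rules shown in the appendix (hypothetical table layout).
RULES = {
    "Ploutus": {"strings": ["Confuser v1.9.0.0", "Ploutos.exe"], "nocase": False},
    "Tyupkin": {"strings": ["\\ulssm.exe", "\\AptraDebug.lnk", "AptraDebug",
                            "ulssm.Form1.resources", "MSVCR80.dll", "MSXFS.dll"],
                "nocase": True},
}

def scan(buf):
    """Return the names of rules whose condition holds for buf:
    'all of them' (every string present) and a valid MZ/PE header."""
    if not is_pe(buf):
        return []
    return [name for name, r in RULES.items()
            if all(string_matches(buf, s, nocase=r["nocase"]) for s in r["strings"])]

def build_sample(markers, wide=True, pe=True):
    """Constructed test buffer (not a real binary): a 0x40-byte MZ stub with e_lfanew = 0x80,
    padding, the PE signature at 0x80, then the marker strings in UTF-16LE (wide) or ASCII."""
    header = bytearray(0x40)
    header[0:2] = b"MZ" if pe else b"XX"
    struct.pack_into("<I", header, 0x3C, 0x80)       # e_lfanew -> PE signature at 0x80
    padding = bytes(0x80 - 0x40)
    pe_sig = b"PE\0\0" if pe else b"NOPE"
    enc = "utf-16-le" if wide else "ascii"
    payload = b"".join(m.encode(enc) + b"\0\0" for m in markers)
    return bytes(header) + padding + pe_sig + payload

if __name__ == "__main__":
    # Constructed samples: one carrying the Ploutus markers, one carrying Tyupkin's in mixed case.
    print(scan(build_sample(["Confuser v1.9.0.0", "Ploutos.exe"])))
    print(scan(build_sample(["C:\\ULSSM.EXE", "C:\\aptradebug.LNK",
                             "ulssm.form1.RESOURCES", "msvcr80.DLL", "MSXFS.DLL"])))
```

Two details of the rules are worth noticing when reading the output: the Ploutus strings lack `nocase`, so a buffer with the same markers in a different case does not match, and the header check means the strings alone are not enough; the same markers in a non-PE file (pe=False in the constructed sample) produce no hit.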