The Trojan.ProSto.1 Trojan promotes domestic technology

The events of the last several weeks, during which Visa and MasterCard suspended the processing of plastic card payments for a number of Russian banks, have generated much discussion about the expediency of developing the national payment system R, which would not depend on any foreign organizations. Apparently, the situation has also drawn the interest of attackers who specialize in creating malicious software for ATMs and payment terminals. The Trojan.ProSto.1 Trojan is aimed primarily at holders of foreign bank cards who use ATMs and payment terminals in Russia.
Most modern bank cards have, in addition to the magnetic stripe, a built-in chip with rewritable memory that can store a certain amount of information about the card type, the account details and the currency of the client's account. For example, the memory of the universal electronic card (UEC), used in the Russian payment system R, can hold additional data, including a banking application for remote payment transactions, the identity of the card holder (including a digital signature) and an electronic wallet for paying public transport fares.
Trojan.ProSto.1, detected by specialists of the company «Doctor Web», is capable of infecting ATMs from several manufacturers that run the 32-bit operating systems Microsoft Windows XP, Windows Embedded and WEPOS (Windows Embedded POSReady). The Trojan does not possess any modules for self-propagation or for infecting other programs, so the mechanism of its distribution remains unexplored. When attempting to get onto a device being infected, the malicious program scans the system for traces of a previous intrusion in order to avoid reinstallation. Then Trojan.ProSto.1 creates a copy of itself in the installation folder of the OS under the name taskmgr.exe and registers it as a system service, after which the operating system is forced to reboot. A dynamic library file that implements the Trojan's functionality is saved to the temporary folder. After Windows reboots, two taskmgr.exe processes are running in the system, one of which is legitimate. On an attempt to unload the malicious process, the Trojan displays a dialog box with the error message:
After a successful installation, Trojan.ProSto.1 periodically queries the state of the ATM. If a bank card with an integrated chip is in the reader, the Trojan dynamically checks the value of the IIN (Issuer Identification Number), a number that encodes the name of the payment system and the card-issuing bank. If the card being processed belongs to the international payment systems Visa or MasterCard and was issued by a bank located outside the Russian Federation, Trojan.ProSto.1 generates a command to delete the contents of the chip, then extracts a binary image stored in the dynamic library, decrypts it and writes it to the card's memory. Preference is given to holders of Gold and Platinum cards. The image contains a banking application of the Russian national payment system R and a number of other data. Thus, holders of international bank cards unexpectedly become users of the Russian national payment system with all the ensuing consequences, including the ability to pay for public transport and parking in Moscow, as well as to remotely transfer funds for utility bills, traffic fines and taxes to the Russian budget.
Security experts are inclined to believe that the spread of the threat may be linked to activists of the underground hacker organization «Cyberpatriot», which advocates the development and widespread use of Russian-made information technologies. As of 1 April 2014, Trojan.ProSto.1 is successfully detected and removed by Dr.Web ATM Shield, the anti-virus for embedded systems.
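
The installation behaviour described above (a copy named taskmgr.exe placed outside Task Manager's usual location and registered as a system service) lends itself to a simple host check. The Python sketch below is an added example, not code from Doctor Web or from the original article; the sample paths, PIDs and the service name ExampleSvc are constructed, and the legitimate location is assumed to be C:\WINDOWS\system32.

```python
import ntpath

# Assumption: the genuine Task Manager image lives in System32.
# Task Manager is an interactive tool and is never registered as a service.
LEGIT_DIR = r"c:\windows\system32"
TARGET = "taskmgr.exe"

def _norm(path):
    """Strip quotes/arguments from an image path, normalise case and separators."""
    path = path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        idx = path.lower().find(".exe")
        if idx != -1:
            path = path[:idx + 4]
    return ntpath.normcase(ntpath.normpath(path))

def find_masquerade(processes, services, legit_dir=LEGIT_DIR):
    """Return findings for taskmgr.exe running from the wrong folder
    or registered as a service image.

    processes: iterable of (pid, image_path)
    services:  iterable of (service_name, image_path_with_args)
    """
    legit = ntpath.normcase(ntpath.normpath(legit_dir))
    findings = []
    for pid, image in processes:
        p = _norm(image)
        if ntpath.basename(p) == TARGET and ntpath.dirname(p) != legit:
            findings.append(("process", pid, image))
    for name, image in services:
        if ntpath.basename(_norm(image)) == TARGET:
            findings.append(("service", name, image))
    return findings

# Constructed sample snapshot (not taken from a real infected host).
SAMPLE_PROCESSES = [
    (1412, r"C:\WINDOWS\system32\taskmgr.exe"),   # legitimate instance
    (1980, r"C:\WINDOWS\taskmgr.exe"),            # copy outside System32
    (644, r"C:\WINDOWS\system32\svchost.exe"),
]
SAMPLE_SERVICES = [
    ("ExampleSvc", r'"C:\WINDOWS\taskmgr.exe" -k'),  # hypothetical service name
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]

if __name__ == "__main__":
    for kind, ident, image in find_masquerade(SAMPLE_PROCESSES, SAMPLE_SERVICES):
        print(f"suspicious {kind} {ident}: {image}")
```

On a live system the two input lists would come from a process listing and the service configuration; the comparison logic stays the same.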
