Backdoor.Padpin is a Trojan horse that targets automated teller machines (ATMs). The Trojan lets an attacker issue commands to it through the ATM's PIN pad.
Once executed, the Trojan creates the following file, which can be placed in any folder on the compromised computer:
[PATH TO THREAT]\ulssm.exe
The Trojan then creates the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
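Because the dropped file can sit in any folder, the stable indicator is the value name and file name in the two Run keys rather than a fixed path. The following script, added here as an example and not Symantec's or the threat's own code, parses the text of a `reg export` of those keys and flags any entry named `ulssm.exe` or whose target executable is `ulssm.exe`. The registry text at the bottom is constructed for the demonstration; on a real machine you would feed it the exported `.reg` file (converted from UTF-16 to text) taken from the ATM's Windows image.

```python
"""Flag Backdoor.Padpin-style autorun persistence in a Windows .reg export.

Added example, not code from the original write-up. It scans `reg export`
output for values under the HKLM/HKCU ...\CurrentVersion\Run keys whose
value name or target file is ulssm.exe, the file name the write-up gives.
The SAMPLE_REG text below is constructed for the demonstration.
"""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
INDICATOR_NAME = "ulssm.exe"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            # .reg files escape backslashes and double quotes inside string data.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            yield current_key, m.group("name"), data


def executable_from_command(data):
    """Pull the program path out of a Run value (quoted path or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0] if data else ""


def find_padpin_autoruns(text):
    """Return Run-key entries whose value name or target file is ulssm.exe."""
    run_keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in run_keys:
            continue  # other keys are not the persistence location described
        target = executable_from_command(data)
        basename = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == INDICATOR_NAME or basename == INDICATOR_NAME:
            hits.append({"key": key, "name": name, "path": target})
    return hits


# Constructed sample of `reg export` output: two matching Run entries plus
# a benign entry and a same-named value under an unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"ulssm.exe"="C:\\Windows\\Temp\\ulssm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ulssm.exe"="C:\\Users\\atm\\AppData\\Local\\ulssm.exe"

[HKEY_CURRENT_USER\Software\Example\NotRun]
"ulssm.exe"="C:\\Somewhere\\ulssm.exe"
'''

if __name__ == "__main__":
    for hit in find_padpin_autoruns(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']} -> {hit['path']}")
```

The check is deliberately keyed on the value name and the executable's base name, since the path component varies per infection. A sample renamed by the attacker would slip past it, so treat this as a quick triage step alongside a hash or behavioural check of whatever each Run entry actually launches.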
The Trojan can delete itself if it fails to gain control of the PIN pad or dispenser.
The Trojan runs in the background until a specific code is entered on the ATM's PIN pad.
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
- Dispense money from the compromised ATM
- Select which cassette the ATM dispenses money from
- Display cassette information such as bills left, denomination and total amount per cassette
- Temporarily disable the local network to avoid triggering alarms when withdrawing money
- Extend the duration of the session in order to continue stealing money
- Delete the Trojan from the compromised ATM
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":