Windows XP ATM's Under Hacker Attacks in Europe - US Could Be Next!
June 4, 2009 by John Messina
(PhysOrg.com) -- There have been approximately 20 ATM's in Eastern Europe that have been compromised. These attacks are in the early stages of development and would probably gain momentum and even spread to US ATM machines.
A security outfit, TrustWave's SpiderLabs performed the analysis of malware found installed on compromised ATMs in the Eastern European region. The ATM's that were compromised ran Microsoft Windows XP. The malware captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on infected ATM.
The attacker can gain full control of the infected ATM through a customized user interface built into the malware. This is accomplished by inserting a controller card into the ATM's reader.
TrustWave's analyses don't believe the malware has networking functionality that would send data to other, remote locations over the Internet. The malware would output the harvested data through the ATM's receipt printer or write the data to a storage device inserted into the ATM's card reader.
TrustWave stated; "this malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, Pins and cash from each infected machine."
"We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems."
A dropper file named isadmin.exe, is installed into the ATM and executed within the C:\WINDOWS directory of the compromised machine. The malware then proceeds to control the Protected Storage service that would handle the original lsass.exe executable file, located in the C:\WINDOWS\system32 directory, to point to the infected file.
The malware is designed to remain active in the event the ATM crashes and has to restart.
© 2009 PhysOrg.com
Feb 08, 2010
In former times, ATMs used to run OS/2. They never got hacked.
Is this the same group that leaves US military desktops connected to the internet without firewalls and then tells the world "We're under attack!"?
It really shows that whatever this banks IT security policy is for ATM systems is SEVERELY lacking.
Different banks will have different security.
In my thinking here, an ATM machine doesnt contact another ATM machine from another bank to get approval to take out cash (they connect back to their systems at the main bank datacenter who then will check against another bank if necessary and then reply back to the ATM on whether or not to spit out the funds), therefore, fundamentally, the trojan cannot spread via those means. This is most likely why the code does not include a replication mechanism, and possibly never will. The developers will have to figure out how to propagate into the banks actual backend network in order to do that, and from there, they can infect only that banks ATMs (but, the whole network of them). From there they also have a better potential of intruding another banks networks, again, depending on the other banks security.
The media is just trying to make this "scareware" to have a bunch of bs stories to tell about technologies they dont understand whatsoever.
Although the new Windows-based technology was implemented primarily to allow ATM firms to gain additional revenue through on-screen advertisments, it may also pose some interesting 'unforeseen' possibilities and consequences.
Suppose, for instance, an ATM firm wished to encroach upon the territories of a competitor. An employee of the firm could simply pose as a customer attempting to use one of the competitor's machines, while in reality employing a card for the purpose that had been cleverly re-programmed in such a manner as to inject a malware. The advent of the proposed new 'chip-and-pin' card readers could possibly make this even easier, as the chip on the card must be accessed by the machine directly.
The malware injected would not even have to be purposed towards skimming. All that would really be required would be a partial shutdown or corruption of the targeted machine; anything that would further erode the site owner's confidence in the competitor firm's ability to provide effective service and reliable machine operation. The sales representative of the attacking firm could then approach the victimised client with a "better deal" offer, and so gain that site's transaction revenues.
I think I'll stick with the older machines, thanks. They cost less to service, anyway.
They investigated them and found that ATMs can be compromised with specially designed card - exploit.
No, it isn't that frigging difficult. It's just that it doesn't fit in Microsoft's plan for world domination.
What matters most is not whether anyone pays any attention to full-motion advertisements displayed on ATM machines, but rathermore the fact that ATM firms are now able to garner additional revenue by selling that extra service.