ATMs compromised with malware in Eastern Europe
Written by IT News on 10:46 PM
After the March report from Sophos about a Trojan that infects Diebold ATMs and steals card data, a similar type of malware has been analyzed (PDF) by researchers from Trustwave. The malicious program can infect Windows XP machines from multiple vendors and has complex functionality.
The file analyzed by Trustwave has a creation date of July 25, 2007, suggesting that this type of malware has existed for a while now. "It is [...] think this is a relatively early version of the malware, and later versions have seen significant additional functionality," the researchers advise.
Like the Trojan reported by Sophos, this threat was discovered in Eastern Europe and appears to target accounts held in U.S. dollars, Russian rubles and Ukrainian hryvnia. The analysis suggests that the malware was developed by someone with detailed knowledge of ATM software and professional coding skills, and that it must be installed by bank insiders, such as those responsible for ATM maintenance.
The malware is installed as C:\Windows\lsass.exe and hijacks the "Protected Storage" service so that it is started again on system reboots. It hooks into the processes that handle transactions and messages in order to capture the track 2 data and PIN numbers of cards used at the ATM. This information is stored in two separate text files, encrypted with the DES algorithm.
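The two persistence artifacts the article names (an lsass.exe outside System32 and a hijacked Protected Storage service) are things a defender can check for directly. The following is an added example written for this page, not code from the article or from Trustwave's report. It assumes the genuine lsass.exe lives only in %SystemRoot%\System32, that the service's registry name is ProtectedStorage, and that its ImagePath should point into System32; it does not look for the DES-encrypted log files, because the article does not give their names.

```powershell
# Added example (not from the article or Trustwave's report): hunt for the
# lsass.exe / Protected Storage artifacts described above on a Windows host.
# Assumptions: the genuine lsass.exe lives only in %SystemRoot%\System32, the
# service's short name is 'ProtectedStorage', and its ImagePath should point
# into System32. Run from an elevated prompt so process paths are readable.

$systemRoot = $env:SystemRoot
$legitLsass = Join-Path $systemRoot 'System32\lsass.exe'
$findings   = @()

# 1. Look for lsass.exe copies outside System32. The article names
#    %SystemRoot%\lsass.exe, so check that path explicitly as well as walking the tree.
$candidates = @(Join-Path $systemRoot 'lsass.exe')
$candidates += Get-ChildItem -Path $systemRoot -Filter 'lsass.exe' -Recurse -ErrorAction SilentlyContinue |
               ForEach-Object { $_.FullName }
foreach ($path in ($candidates | Sort-Object -Unique)) {
    if ((Test-Path -LiteralPath $path) -and ($path -ne $legitLsass)) {
        $item = Get-Item -LiteralPath $path
        $findings += "Unexpected lsass.exe at $path (created $($item.CreationTime), $($item.Length) bytes)"
    }
}

# 2. Read the service's binary path from the registry rather than trusting the
#    service's own self-report.
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\ProtectedStorage'
$imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
if ($imagePath -and ($imagePath -notmatch '(?i)\\system32\\lsass\.exe')) {
    $findings += "ProtectedStorage ImagePath points outside System32: $imagePath"
}

# 3. Confirm what is actually running: any lsass process not backed by the
#    System32 binary. Path is only populated when the shell is elevated.
Get-Process -Name lsass -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and ($_.Path -ne $legitLsass)) {
        $findings += "Running lsass.exe (PID $($_.Id)) loaded from $($_.Path)"
    }
}

if ($findings.Count -eq 0) { 'No lsass.exe / Protected Storage anomalies found.' } else { $findings }
```

A hit on any of the three checks is worth preserving (copy the file and its timestamps before touching it), since the file creation date was one of the clues the researchers used to place this sample in the malware's history. The registry check is deliberate: a service's configured binary path is a more reliable indicator than asking the running service where it came from.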
Several operations can be performed by inserting a controller card into the compromised ATM. There are two types of controller cards: one that gives access to all functions, and another that allows only a single function, printing the recorded data via the ATM's receipt printer. The first is probably used by the cybercriminals themselves, while the limited controller card is most likely handed to money mules.
Using the interface shown on the ATM screen when a full-access card is inserted, the analyzed version allows attackers to reset or delete the logs, remove the malware, view statistics since the ATM system started, print a test message, or print all of the collected information.
A secondary menu becomes available after answering a challenge question. From this menu the crooks can try to access information generally available only to ATM managers, such as how much money is currently in the machine. This can be useful, since the malware is able to dispense cash from the ATM's cash-dispensing unit cassette.
The researchers are still unable to determine the exact purpose of another function they identified. Their only comment is that it "seems to be associated with memory card reader / writer functionality that can be used to write harvested data directly to a card inserted into a compromised ATM."
"Trustwave has collected several versions of this malware and expects it to develop over time. It may also be rolled out to a wider population of ATMs, so a proactive strategy for prevention and identification may be necessary to prevent future attacks," warns the company.
1 comment: Responses to "ATMs compromised with malware in Eastern Europe"
By balujan25 on January 24, 2010 at 8:56 PM
Thanks for sharing useful information. I like the post. I am following your blog.