Windows XP ATM's Under Hacker Attacks in Europe - US Could Be Next!

June 4, 2009 by John Messina weblog
ATM Machine

( -- There have been approximately 20 ATM's in Eastern Europe that have been compromised. These attacks are in the early stages of development and would probably gain momentum and even spread to US ATM machines.

A security outfit, TrustWave's SpiderLabs performed the analysis of malware found installed on compromised ATMs in the Eastern European region. The ATM's that were compromised ran Microsoft Windows XP. The malware captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on infected ATM.

The attacker can gain full control of the infected ATM through a customized user interface built into the malware. This is accomplished by inserting a controller card into the ATM's reader.

TrustWave's analyses don't believe the malware has networking functionality that would send data to other, remote locations over the Internet. The malware would output the harvested data through the ATM's receipt printer or write the data to a storage device inserted into the ATM's .

TrustWave stated; "this malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, Pins and cash from each infected machine."

"We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems."

A dropper file named isadmin.exe, is installed into the ATM and executed within the C:\WINDOWS directory of the compromised machine. The malware then proceeds to control the Protected Storage service that would handle the original lsass.exe executable file, located in the C:\WINDOWS\system32 directory, to point to the infected file.

The malware is designed to remain active in the event the ATM crashes and has to restart.

© 2009

Explore further: Hacking Citibank's Virtual Keyboard

Related Stories

Conficker Worm Prepares For A New Release On April 1

March 27, 2009

( -- The conficker worm created havoc last year when it infected over 10 million computers on a global scale. The unique design of the conficker worm allowed for this large scale attack to over 8 million business ...

2007 looks like year of 'malware'

September 18, 2007

The problem of malicious software or malware appears to be getting exponentially worse. So far this year, IBM Internet Security Systems (ISS) X-Force research and development team has identified more than 210,000 new malware ...

Grisoft Offers Free Rootkit Removal

April 11, 2007

Grisoft, makers of the popular AVG Antivirus, today released a free tool specifically aimed at eliminating malicious software that hides itself using rootkit techniques.

Recommended for you

When words, structured data are placed on single canvas

October 22, 2017

If "ugh" is your favorite word to describe entering, amending and correcting data on the rows and columns on spreadsheets you are not alone. Coda, a new name in the document business, feels it's time for a change. This is ...

Enhancing solar power with diatoms

October 20, 2017

Diatoms, a kind of algae that reproduces prodigiously, have been called "the jewels of the sea" for their ability to manipulate light. Now, researchers hope to harness that property to boost solar technology.


Adjust slider to filter visible comments by rank

Display comments: newest first

3.7 / 5 (3) Jun 04, 2009
upgrade to windows 7 lol
5 / 5 (3) Jun 04, 2009
time to use not windows for important financial transactions.
3 / 5 (4) Jun 04, 2009
time to use not windows for important financial transactions.

In former times, ATMs used to run OS/2. They never got hacked.
4.5 / 5 (2) Jun 04, 2009
oh please, they never got hacked my ass. of course they did. XP just is probably easier to hack. haha
4 / 5 (1) Jun 04, 2009
Why do these vendors provide writable card readers, and operator card access without having a physical mechanical key? Shouldn't you be required to gain physical access into the machine internals prior to accessing? Anyone can explain this?
5 / 5 (3) Jun 04, 2009
Ahahahahaha, too funny. Who got the payoff to sell WinXP for ATM's. lol This is the dumbest, most laughable situation I've heard all year.

Is this the same group that leaves US military desktops connected to the internet without firewalls and then tells the world "We're under attack!"?
1 / 5 (2) Jun 04, 2009
actually this is something can EASILY be dealt with using a software restriction policy, which is built into Windows XP....with the best method being to define the hashed algorithm most likely I think.
It really shows that whatever this banks IT security policy is for ATM systems is SEVERELY lacking.
Different banks will have different security.
In my thinking here, an ATM machine doesnt contact another ATM machine from another bank to get approval to take out cash (they connect back to their systems at the main bank datacenter who then will check against another bank if necessary and then reply back to the ATM on whether or not to spit out the funds), therefore, fundamentally, the trojan cannot spread via those means. This is most likely why the code does not include a replication mechanism, and possibly never will. The developers will have to figure out how to propagate into the banks actual backend network in order to do that, and from there, they can infect only that banks ATMs (but, the whole network of them). From there they also have a better potential of intruding another banks networks, again, depending on the other banks security.

The media is just trying to make this "scareware" to have a bunch of bs stories to tell about technologies they dont understand whatsoever.
not rated yet Jun 04, 2009
I don't know about the bank machines, but the stand-alone 'white label' ATM machines these days are running Windows CE, not XP. Furthermore, older pre-Windows models don't run any operating system at all; they are loaded instead with dedicated proprietary firmware that is launched from a ROM bootstrap routine at startup, and that firmware is not x86-based code. Older machines are inherently more secure for that reason, as well as the fact that they communicate through dialup modems instead of directly through the Internet.

Although the new Windows-based technology was implemented primarily to allow ATM firms to gain additional revenue through on-screen advertisments, it may also pose some interesting 'unforeseen' possibilities and consequences.

Suppose, for instance, an ATM firm wished to encroach upon the territories of a competitor. An employee of the firm could simply pose as a customer attempting to use one of the competitor's machines, while in reality employing a card for the purpose that had been cleverly re-programmed in such a manner as to inject a malware. The advent of the proposed new 'chip-and-pin' card readers could possibly make this even easier, as the chip on the card must be accessed by the machine directly.

The malware injected would not even have to be purposed towards skimming. All that would really be required would be a partial shutdown or corruption of the targeted machine; anything that would further erode the site owner's confidence in the competitor firm's ability to provide effective service and reliable machine operation. The sales representative of the attacking firm could then approach the victimised client with a "better deal" offer, and so gain that site's transaction revenues.

I think I'll stick with the older machines, thanks. They cost less to service, anyway.
5 / 5 (2) Jun 05, 2009
That's why they stole some ATMs.
They investigated them and found that ATMs can be compromised with specially designed card - exploit.
5 / 5 (2) Jun 05, 2009
Well, they got what they deserved for trusting M$.
not rated yet Jun 07, 2009
Since the use of MS is driven by the 'need' to display ads, one must ask a question: Has anyone on the planet ever paid any attention to an ad on an ATM?
not rated yet Jun 07, 2009
The Chinese know how to deal with this. Stop pandering to the marketing dichotomy between Windows and Linux. Develop special purpose chips, with custom operating systems, that don't allow common hacking techniques.

No, it isn't that frigging difficult. It's just that it doesn't fit in Microsoft's plan for world domination.
not rated yet Jun 08, 2009
Since the use of MS is driven by the 'need' to display ads, one must ask a question: Has anyone on the planet ever paid any attention to an ad on an ATM?

What matters most is not whether anyone pays any attention to full-motion advertisements displayed on ATM machines, but rathermore the fact that ATM firms are now able to garner additional revenue by selling that extra service.
not rated yet Jun 11, 2009
Only kiddie-hackers care what OS is on the target machine. Real hackers work in machine language.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.