When the ATM runs Windows, how safe is your money?

October 13, 2014 by Bill Buchanan, The Conversation
Roll up, roll up for your free money. Kaspersky Lab

How safe is Microsoft Windows? After all, the list of malware that has caused major headaches worldwide over the last 15 years is long – viruses, worms and Trojans have forced computers to shut down, knocked South Korea offline and even overloaded Google's servers.

Now, how safe do you feel knowing that cash machines across the world run Microsoft Windows?

An plot has been discovered, apparently spread across Russia, India, and China, whereby cash machines can be turned into a free money vending machine.

The hack requires re-starting the cash machine – essentially a Windows terminal – from a prepared CD that injects into the system to circumvent the security. At set times of the week, a unique code is generated and given to a "mule" who would approach the machine, enter the code, and withdraw up to 40 notes, anonymously and without trace.

From skimming to hacking

Attacks on ATMs (those more sophisticated than removing the cash machine and cutting into its safe) started around 10 years ago with card reader devices containing a tiny integrated camera and card reader. As a user withdraws cash, the device reads the account details from the card's magnetic stripe and videos the pin number entered into the keypad.

Earlier generations of ATM machines were often built around computer terminals running IBM's OS/2 operating system (which started life as a joint IBM-Microsoft venture, and which somewhat ironically spawned Microsoft's Windows NT, the grandparent of modern Windows, and IBM's OS/2 when that project collapsed). Due to its more esoteric and rare nature there are far fewer attacks for OS/2, but now it is standard builds of Windows, potentially vulnerable to all the usual malware and exploits, that run modern ATMs.

Hacking ATMs for profit. Credit: Bill Buchanan, Author provided

So it is not surprising that intruders have started to find ways inside the ATM's card processing and cash dispensing systems. Malware that can offer external control to an ATM have been reported for some years, allowing attackers to dispense cash, record and print out card details and PIN numbers.

Under the hood

This latest malware is Backdoor.MSIL.Tyupkin, which while running continuously will only listen for commands on a Sunday and Monday night. The criminal gangs operating the malware generate a random, unique, six-digit keycode that activates the program, which is given to the "mule" who is withdrawing the money.

Like previous efforts to crack into ATMs, the malware requires physical access to the ATM, typically by booting the ATM from a CD prepared to install the malware. At present the malware has been active on at least 50 ATMs in Russia and Eastern Europe, but also in the US, China and India.

The malware is the file ulssm.exe, which is copied into the c:windowssystem32 directory and which is protected and maintained on the system between reboots by modifying the Windows registry (a database of configuration settings) so that Windows automatically runs the program at startup. The program then interacts with the ATM through the Extension for Financial Services (XFS) library, MSXFS.dll. To avoid detection it will only allow access controller commands on Sunday and Monday evenings.

This shows an example of malware installing itself onto a system, updating the Windows registry to autorun when started (at 25:20), and then going into hiding.

Playing catch up

The threat of re-booting machines from CDs or bootable USB sticks in order to install malware and abusing Windows autorun feature to sustain the program in memory, is an exploit that has been common for over a decade. It seems few lessons have been learned in terms of securing physical access to the device, and also in the privileged rights that malware can gain. Even as companies focus on improving and securing the user interface, often the debugging and diagnostic side can provide further routes into a system.

Versions of Windows used in embedded control systems are now sufficiently secure, but as ATM manufacturers use standard installations of Windows they are opening themselves up to further problems – not least because it allows hackers the opportunity to simulate and craft their malware on well-known versions of the operating system.

However, at the core of this attack – as with those before it – is the need for physical access to the device, which implies an insider working in the bank. That means with monitoring of who has access to the , this can be prevented. The key lesson is that the ATM operating system is a weak link in the chain which needs to be closed.

Explore further: Windows XP ATM's Under Hacker Attacks in Europe - US Could Be Next!

Related Stories

iWorm hack shows Macs are vulnerable too

October 8, 2014

The computer operating systems and applications we use today have often evolved over many years, decades even, and contain tens or hundreds of millions of lines of code. Flaws in that code – and there will always be some ...

Kaspersky warns phone users of PC-infecting malware

February 5, 2013

(Phys.org)—Kaspersky Lab has a new warning for smartphone and tablet users. Yes, it's all about Android. No, it's not like anything you've been warned about before. Lab Expert Victor Chebyshev has discovered a new attack ...

ISPs need to do more to tackle major cyber-attack

June 17, 2014

Warnings about the impending cyber-attack have gone unheeded and more must be done to tackle the threat of an infection, according to the Institution of Engineering and Technology (IET).

Recommended for you

What can snakes teach us about engineering friction?

May 21, 2018

If you want to know how to make a sneaker with better traction, just ask a snake. That's the theory driving the research of Hisham Abdel-Aal, Ph.D., an associate teaching professor from Drexel University's College of Engineering ...

Flexible, highly efficient multimodal energy harvesting

May 21, 2018

A 10-fold increase in the ability to harvest mechanical and thermal energy over standard piezoelectric composites may be possible using a piezoelectric ceramic foam supported by a flexible polymer support, according to Penn ...

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

Eikka
not rated yet Oct 13, 2014
This is years old news.

Any operating system can be compromized if you have direct access to the hardware. If you can reboot from a CD or a USB stick, you get direct access to replace the entire operating system of the machine with a malicious version and then it doesn't matter if it's Unix, WIndows or Plan9.

If you can read and write to the hard drive, you can reprogram the machine to do anything you want regardless of the operating system on it. There's no real solution to the problem except make the hardware physically inaccessible.

But alas, corruption still exists and the "criminal gangs" are actually people inside the banks.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.