Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


ATM Malware Surfaces as Hackers Target Banks in Eastern Europe



 By: Brian Prince
2009-06-04
Article Rating:starstarstarstarstar / 3


There are 9 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Trustwave uncovers malware on 20 ATM machines in Russia and Ukraine designed to allow hackers to swipe everything from cash to PIN codes. Officials at Trustwave advise merchants to take steps to ensure their ATM environment is secure.

Security researchers at Trustwave have uncovered an effort by cyber-thieves to use malware to infect and loot ATM machines in Eastern Europe .  

Trustwave, which focuses on security and compliance for the payment card industry, discovered the malware while investigating ATM breaches in Russia and Ukraine. According to the company, roughly 20 ATMs were infected with malware that captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on the compromised ATM. 

Picture you as a criminal walking up to an ATM machine and inserting a card into the machine thats not a real ATM card that has the code or essentially the string of numbers that essentially equals a trigger card within the malware, Nicholas Percoco, head of Trustwaves SpiderLabs, explained in an interview with eWEEK. So every card thats inserted, the malware monitors what numbers are being inserted into the system. If it gets the right number or the right set of numbers, it launches its interface to the ATM screen. 

Resource Library:

Each of the compromised ATMs studied by Trustwave ran Microsoft Windows XP. In order to install the malware, the attacker needs to have physical access to the machine. According to Trustwave, the malware is installed and activated through a dropper file by the name of isadmin.exe, a Borland Delphi RAD (Rapid Application Development ) executable. The dropper binary contains a Data Resource (RCDATA) named PACKAGEINFO that contains the actual malware. Executing the dropper file produces the malware file lsass.exe inside the C:\WINDOWS directory of the compromised system. 

Once the malware is extracted, the dropper manipulates the 'Protected Storage' Service to point toward the newly created malware. The service is also configured to automatically restart if it crashes, ensuring that the malware remains active, according to the Trustwave report.

This isnt targeting one ATM vendor; its targeting multiple ATM vendors, and the attacker could modify it to attack other ATM vendors if they want it to, Percoco said. 

Authorities in Eastern Europe were notified about the situation. But there is evidencewhich Percoco said the company would not disclosethat the scam is making its way over to other parts of the world, including the United States. If so, it wouldn't be the first time hackers have targeted ATM information.

He suggested merchants perform a full security review of their ATM environment and look for any gaps in physical security. For example, he said, is there an alert triggered when a machine is opened? 

The other piece is following security best practices on the system itself, having anti-virus installed on it, having (locked) down USB ports, making it very difficult  for someone to actuallyif they were to open up the machineto do anything to the operating system itself, he said.





  Reader Comments: ATM Malware Surfaces as Hackers Target Banks in Eastern Europe
>>> Post your comment now!
Hacking Threats
With today's technology and fast PCs available to anybody, hacking threats exist in any network. Extra measures have to be taken to protect...
Posted At: 10-27-09
By: Simon
Why to brag about it in the first place
I wonder why suddenly this topic is in the news and everyone is bragging about it. Wouldn't it be smarter, once the hack was uncovered, to keep quiet...
Posted At: 06-21-09
By: Koala
Not Windows' fault - this time
Once the hacker has physical access, NOTHING is going to be totally secure. Unless you're going to imbed the innards of the machine in a welded steel...
Posted At: 06-16-09
By: kLevkoff@panix.com
A user comment on this article
Don't see another O/S really making a difference. If you read carefully it says: " In order to install the malware, the attacker needs to have...
Posted At: 06-08-09
By: Anonymous
A user comment on this article
In Russia, its not a surprise that hackers have found loop holes in Microsoft windows XP. I am a student in Moscow and have myself used...
Posted At: 06-06-09
By: Anonymous
Windows and ATM
The ATM vendors should be using a hardened real-time operating system like VxWorks rather than Windows. It will require them to actually write an...
Posted At: 06-05-09
By: Tom
A user comment on this article
Some real turd comments here
Posted At: 06-05-09
By: Anonymous
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


xr80VӮc"uK-)XTF((ئH IVK?'%7oP/geD"$\:acqE1]zoHRLß2J. :AZ&!:,o)|ik9k>u3uF,wx u UGPL95ΜCٜjc6f21X - (zڀ'|5{ 2"&Inx"j|gvL~rD=ϱL-: ۗD9zvur\RJV3Ҧ\SْG]ss\jS/b@RhFbITpt2Xp~bꆞ?LIb.ܺn?5ocZZ;uwcי1֛VƛXXv'`>6M( O}ɠjAĥZr,˚59hewYnݝJXU+I\(Us^yxx>߉egby1(岪=BJg3Bz7uKU{#l}nzH _KtH W:M?)Nk_{}߮A",pHJ*)H ?5g/-2H|?fIu\Cf{&J ͒UdL:XȏKQc%odXՀ7'iP2\ L9X@.@ө!5۫VV68,5Mf_"d>L&Z p-AhZAL4&H)5?*`Ual&XJp;Qs#m̗/``(uu; .rqf1{A=fD/r.#}`o8y"V*̆-*k殗UuNWd]0e{Zw{\?o5nZMһ^iz-xHntRMMqsuS]uT˥j:)BBsU%w[PQxىt 2hbX1nБ6@54iSMg'}J s> 5ێ} XGxe uHyj. IhnvtH4-= R!PA=Sj *z 4n95@%ƶAMϛL=u%08{ɽ 5zYPfkwKP@bLGDE=PCh>u'6($@=>f )ai^3-mhZ1 .5:%qFmo;r-FaA7Eȥs-&BD(jH !Al~ [whtd+3~Gy5#!bXk"'9Xu{B#;X|,Pύfb!b -xkbd6g2KILIg]-&D7rBL/GwMᙚ.F;oZx Y7>гޅ>8آTQف*\#Qڄa'M=XtyiYW>P!as`|"=lmA$61|*UTJeˈ``ˁV.(7M.&XӞDJQ}G]&Cf+DŜU^oc$r%#tѡX>)(r8+(s/;Mex %7:trF@g}m190;S}`1gK: 3txkmJ-K #.j$1?0Yt/ÊTs9O*BYXGY SŖ៦ OhGA.CGMtAj?,@ ܠـnaҪR)4;A ֯јNzwH"0\tiYO)ąUj l<Z{ G]H+zu揘{5V{\Srj%kknxFPkW-"fdbDGs8bC5ɴ|3fo | :R~{ޜ9"zfnހWIlԊ)L6{[JϮVU07> YLZ\[t3ux8&soZ75_(6<R؀"h &Z>)[m!}5]9vܘyeCmۗYԽ@?늪c]}I2SYp³'tHμZMTi\v+bT sݿy ji==SML`ٜܶ WASD9^%Lɹ&wB6Zo3e~xVKi3'{u¿U."8&C78zGdD|zZ+>]lWalw۵\1W*AbT)HÖ1=M{6w5>NgA=x4*sHrCj^K>51tٸ1ui&llǶWe7M3 PTn7-Jp9M|Nt?$7@$JPCV:4A1p BnM4yH>rS5|dqa+ |/+\LgaCͼi-90B06J3ڝ5^$@N|G!Oyb~4q#̨z/Ɠ!hskg O=L)*J.eޓ9O.+,JrZ$PX;HHPY[ɷofB-lChp| ^/HHDBb=J-4n7<[>_b731114sعtxt~T+÷'K -$Px)WAxa{q6~h$K8_ϻW}i_~9?LG8^pkݫc {B.Z0D |gY\.0MC~WֿI㇛4>`-{Z_U>4 `i8~{B]ڮ m>RjS/ Fپ 2y?`AAn8͇xI{ٽNe%[wEs=BNn2HcO!z.[FSLtk7d83/gJuXc?$]/6b ){lpbA%jNj _hk%V&7%]?؍mHqn,$20 d:=< B.w"` $X*Xu2]_62seAvVSrP+bK "$Dٌ |ߚM_f~ bt4zUt"ڿWo!R ~_!c&8~P6=8mrh縍zRt/IQ?xHؾl}j?!IZ:ōW7 rE P1AR9mũͣޱckOCY(^H#y8Z4 hN!{E۹GK -],Rs$S qC eu$NJfk*C@$_ Iv(+6HdAz׍rc}gy; G:[ VH_8_`D HY)=ybBb%ƥh0%W߹MVN,@-N`04O#!WEVf 4ӨJZtwjuDڶ%#'8;AlG8ʬS#aZu+ ׅFfo͓W>0kh;xR̴}jПj 2]6^YMs6ͥ#ŠO8EwmE(WPEıTrkcg0̔mԚl+"ÈܵBpic?%W>i\[7qb`~%c$H~"RС{%|$j^o*\+3GAlkf3'䬉)ћN:|[[2е}s:~P:|{l; ݖicP!XSωɘNBAU5vln({jY9sJUOeSDŽW> @FboZPdƛ%ztA RGs[gȮ~G7LbRcJ?ߞ@/},Ys!#]dKwQȤ{=\*b_k,(R麏93]e-.^RR>\F%Uj,h h"sFm`"c;EE]ofM\xn1G?G5ȥN4.ƛ `!3Ȑ"+Q9MgH&2d[ *v4.߯;8)<A~A< v4*){3y8Z=[4RUCfMk-ô§u,'i_ÕWc'ޛU=9dG=Ge3:ΏdA4vvRs1aE!63'irpY z51% m ـl,{Y@Mi·/}l'zo>S GL>dHNOJP9:nA(4Ol yQBe% : 2c0yj ΒVev :-S+]0(R/vqCG}zgaXU?ZyYn/C3qL~ѶhÓ4SEW] “Kyc BYk%GpFJ^)F/iCL70& "01Y su#A%BA%wXilws42Pztn[@z}F=YL Gŵ2r.z\PˏWÓp3oެA#~ėg#2Y`BHv $:(Z^Ub|[(WF- ~@2끠bRerL (ghlE3|JyÐoN{-ҩR!db1+ꁀC_pHp8KaSo^k\*|ޱޙpaJRmp^ /N.HMO,¿ty:6AgrsK{n5XI`B8@ A(D@e·{{G潨$Rޕj/N5R|7 ]ɤh$Rt P'8C^ 1 u|@!I$i7 I$mQx?^Wrv%oa/T2= )?4%ERJPJݜ(fA֙U&"Ǽ&}:Nm;S'Ll]RtjCu;tjsE'5H"4p"Y 0hP7`-9r؉QZ}EUURK`HcSa_`Z%f-&.l7P?:ei渾A*_$YZR0{O-g[9 Ԥ ߛptH#(B EHX$o_%6@}O &c+azef fWq($8 1nnnnXR)ob[!5K)hTЗpԲ1u Bb+c@5 -M|H0P;9B|<+0[SLͯX쿁+jYHmjR $xq藁=Y,b)qYD8*Z-H}'*. 3g:|Y,}< =bS t\v԰}SdK$yɝl<:1AAߎx!-;Xx[#ܛCXHJAcO:yhxy׳`i%+AXͳ~y= :GM)_xv+(u5I%]SgfQ: l6$!wxApa--`I»Y oF/UB(5L%`B31~z?,^ Awq}njOmw3|<`g|P6CKJX4NP[;rշf Ò-˱sm94Wj5ǶK`qf;|Ԉk6xb H'z,nXN) pԟPM`+fJYO;ZY@o.mTqBiǡ}ߙf;_:J+MXjHɐ{vaPˆKv6r3T}RS3,OE[B *[̈́/|"Α{q6 ދp yc,]oà aPsvuXoa8FfER2oAݵy{wCA`W1;>NO eբ6,jziY֥S)W"MKeX5^?XMc( d$`h6 Fl`G(&s䭍bqX36I/Q b*X)}$dgccУ%:?<:tC Tg{4 O(|b^v/.uv |~)Rd (@}'$fx BӃb#OMcxOYV3@o䏥Yb+nT]3;".X4ֱ '*|d$ l7aG?S9E]я›6:)9΅P*>,7i 4rCZ#%1)%Ⱥ#ȗgc8RF59xw+~NHjc@ _^a$kpyAE& ;<|KflǝjJ׃A}NfNf^iwcT1TsUe=b;]C-5tIjbIALc2ķ}>i3a❼TA9-0j̑+ HX::WsxKaU8/[,Ϫ[+bWxk=yl_u[=,*bnm3]MpUXR9w|%C_/YZ)(T"GQoTrG/@CuK&{z^znoyR-͵a83|!3K&݂qab#>(BA1ehw}eb>[˜W5N]I5 oq w9p|2п{n/*~ۉ6G& >=@3iҩ Hu7uܥb7s>н^&3B`0OyX^M\6HGOiq(ok;s.ۥ]baIL"&0hEB5Ԏm0:b%pcwb~u.sYl'Zߙ <b`ֿ-Ÿ|ˈs!QUSGuL# TĔ#НB!MM;oP}7Y?d=ta \9\­|QߞĶru Zc___L*Uɧt Mp7+ ާ!7A6pw<|GZ|KB;{t ̊XLt47q6Ƚ=D&3؏0k;D΀yq%nX V[+$μOo-?(?-cWldfB$@Xx޺m>"=4ڗuۻlZxX2t嵉DpDXȝjZ`覶 q3^9$.+Rџy;s?wKY– \vf+e]C.7L>⧰;:LXQ4e.;ֺxsUsytcDTROaH9P-S["b\1Q?s3MǸZs X0!,^C.B'Qχ9I.2gJX|hDg`,1aں57U]1yG#n1rOKT-zKbqffYݸ5ϗpHM*b!ߠ96qU@y'DL]ڢAa{~µ!R&rs% 9-0SOf 1zq"Oc8tv&+ˬFCjx c\d9p:s#1%x{C0>cN~ڿLl@qǹĐ0(T $&Ѕ8h,.@"!9͉ >a]?'#~ϴRҡe{)_ Kfz'e|:NJ;IoIOI賓BN }"^3NI@?R;IIJ+J..ȟn|ȗk)o~nRO _?}}Jϐ9-9Sw i@){ ߦ wBNR!HoYNϯX8)L4^%iOi鰄:OIBz<+ =^`]k )x.3{ %j;k?;ϺBh\Jrp+̞W^imTzIAJ[/6JQ^/Z%+$h<'U48,1X!4fm@#dϽG!3 yYj36D|&߲*tO /AxlZen-V@v=sS [2d[ XJrX\m.|5I49$yz(3>t^˫aBЋ_zEǽȱ0.v '-$C%0.p;ѓ%?7._kf+$ Od~[_\g AL @;yA{ԃX%aZC跘ZNʀ_oð@=LNV"f;.0̆I+ܙuis3PKe-~L隅ӳyL׎mb ]GuMݏ: nC/T#}ttfL~n:TÓx_ty''#e='0MHkfAl!3Ҵ=v`路@Mx77G ?޳ GJ >ʎ$&@:@{ SN`>x((" 2kHH 2s{B|%mr;S2!馃%艬Ec߱iL :vpfFcV#{MA5#>lب}vפXsakeoM"mG4 ((z6AϐjH :VEͱJ{3~=GDπnuUDjβّ4=_׋aRVr.=n`n4z4WH-{X@ć俈x!$k0=~ zH}g,XoMD L[K|YKfv؋|%Kg ϽI^1Sh6vƾO3dA~XfxٳqӘ2L1А8RKA=0 Se`[a }ic%pg! X0y =ձ]w O 7G=Frx{Ok^-hQcL%^}HPVׁݝV X| 8O.hz|mρ XuC(߆ђ[P.?hFq:h I 9:/[  `쎈]y@eZ:H\*,yf 4 vsf6[tZNxȩHlyH6ϳj)+gt-(9x0{~6-ӛ~H׶Q _a[P~OY3KbA4\in2;6Ei#|@ =H oFЩ5`y+@04z-q얢u.nDl!aArӏefg{UM)S4l#2 XCڢF a_8i`=/xhe/{@360* A 1Xq^ @\ǘ m0q,rg],L?|Bc985a=E`0MV/|'ȲH`,ӊHv"V䜔KLΡnfqR! a#لM(K,BYWv!Z~C|撟 元> }{ ŧ$NS,07X +qXqө8Y%_.[+cd;s<^F}嘻T54[;?D%z_[A~BeFD4LDɷe&?CKxi㇛d5 {l%A0},ul_}gzC_ɕ/2Fo*@Q~oL%sz'5mEc,(3lW%\Rۃw΄^0Ŧ̎uJPQ&s.CKU՗\e)M}jS92k3k&lFR2cˤ_ty2b*