ATM Malware Surfaces as Hackers Target Banks in Eastern Europe

Trustwave uncovers malware on 20 ATM machines in Russia and Ukraine designed to allow hackers to swipe everything from cash to PIN codes. Officials at Trustwave advise merchants to take steps to ensure their ATM environment is secure.

Security researchers at Trustwave have uncovered an effort by cyber-thieves to use malware to infect and loot ATM machines in Eastern Europe .

Trustwave, which focuses on security and compliance for the payment card industry, discovered the malware while investigating ATM breaches in Russia and Ukraine. According to the company, roughly 20 ATMs were infected with malware that captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on the compromised ATM.

"Picture you as a criminal walking up to an ATM machine and inserting a card into the machine that's not a real ATM card ... that has the code or essentially the string of numbers that essentially equals a trigger card within the malware," Nicholas Percoco, head of Trustwave's SpiderLabs, explained in an interview with eWEEK. "So every card that's inserted, the malware monitors what numbers are being inserted into the system. If it gets the right number or the right set of numbers, it launches its interface to the ATM screen."

Each of the compromised ATMs studied by Trustwave ran Microsoft Windows XP. In order to install the malware, the attacker needs to have physical access to the machine. According to Trustwave, the malware is installed and activated through a dropper file by the name of isadmin.exe, a Borland Delphi RAD (Rapid Application Development ) executable. The dropper binary contains a Data Resource (RCDATA) named PACKAGEINFO that contains the actual malware. Executing the dropper file produces the malware file lsass.exe inside the C:\WINDOWS directory of the compromised system.

Once the malware is extracted, the dropper manipulates the 'Protected Storage' Service to point toward the newly created malware. The service is also configured to automatically restart if it crashes, ensuring that the malware remains active, according to the Trustwave report.

"This isn't targeting one ATM vendor; it's targeting multiple ATM vendors, and the attacker could modify it to attack other ATM vendors if they want it to," Percoco said.

Authorities in Eastern Europe were notified about the situation. But there is evidence-which Percoco said the company would not disclose-that the scam is making its way over to other parts of the world, including the United States. If so, it wouldn't be the first time hackers have targeted ATM information.

He suggested merchants perform a full security review of their ATM environment and look for any gaps in physical security. For example, he said, is there an alert triggered when a machine is opened?

"The other piece is following security best practices on the system itself, having anti-virus installed on it, having (locked) down USB ports, making it very difficult for someone to actually-if they were to open up the machine-to do anything to the operating system itself," he said.